216.73.216.128

CVE-2025-12080

· Published 27/10/2025 09:15 · Modified 27/10/2025 13:19

Labels: CVE-2025-12080 2025-10-27CVE-2025-12080CWE-345[email protected]

Essential information

Published
27/10/2025 09:15
Modified
27/10/2025 13:19
Author
Creator
CVSS
6.9 MEDIUM (v3) 6.9 MEDIUM (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

On Wear OS devices, when Google Messages is configured as the default SMS/MMS/RCS application, the handling of ACTION_SENDTO intents utilizing the sms:, smsto:, mms:, and mmsto: Uniform Resource Identifier (URI) schemes is incorrectly implemented. Due to this misconfiguration, an attacker capable of invoking an Android intent can exploit this vulnerability to send messages on the user’s behalf to arbitrary receivers without requiring any further user interaction or specific permissions. This allows for the silent and unauthorized transmission of messages from a compromised Wear OS device.

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
google / wear os cpe:2.3:o:google:wear_os:*:*:*:*:*:*:*:*
google / messages cpe:2.3:a:google:messages:*:*:*:*:*:android:*:*

References