CVE-2025-12080 MEDIUM

CVE-2025-12080: Intent Abuse in Google Messages for Wear OS for Silent Message Sending

Vendor Google
Product WearOS
Weakness CWE-345
Published October 27, 2025
Last update October 27, 2025

CVSS base score

6.9/10
Attack vector Adjacent
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N

What the vulnerability does

01Description

On Wear OS devices, when Google Messages is configured as the default SMS/MMS/RCS application, the handling of ACTION_SENDTO intents utilizing the sms:, smsto:, mms:, and mmsto: Uniform Resource Identifier (URI) schemes is incorrectly implemented. Due to this misconfiguration, an attacker capable of invoking an Android intent can exploit this vulnerability to send messages on the user’s behalf to arbitrary receivers without requiring any further user interaction or specific permissions. This allows for the silent and unauthorized transmission of messages from a compromised Wear OS device.

Key dates

02Disclosure timeline

October 27, 2025 CVE published
October 27, 2025 Record updated