Vulnerability Description
On Wear OS devices, when Google Messages is configured as the default SMS/MMS/RCS application, the handling of ACTION_SENDTO intents utilizing the sms:, smsto:, mms:, and mmsto: Uniform Resource Identifier (URI) schemes is incorrectly implemented. Due to this misconfiguration, an attacker capable of invoking an Android intent can exploit this vulnerability to send messages on the user’s behalf to arbitrary receivers without requiring any further user interaction or specific permissions. This allows for the silent and unauthorized transmission of messages from a compromised Wear OS device.
Related Weaknesses (CWE)
References
FAQ
What is CVE-2025-12080?
CVE-2025-12080 is a documented vulnerability. On Wear OS devices, when Google Messages is configured as the default SMS/MMS/RCS application, the handling of ACTION_SENDTO intents utilizing the sms:, smsto:, mms:, and mmsto: Uniform Resource Ident...
How severe is CVE-2025-12080?
CVSS scoring is not yet available for CVE-2025-12080. Check NVD for updates.
Is there a patch for CVE-2025-12080?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.