Intent Abuse in Google Messages for Wear OS for Silent...

6.9 / 10

MEDIUM

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N

Description

On Wear OS devices, when Google Messages is configured as the default SMS/MMS/RCS application, the handling of ACTION_SENDTO intents utilizing the sms:, smsto:, mms:, and mmsto: Uniform Resource Identifier (URI) schemes is incorrectly implemented.

Due to this misconfiguration, an attacker capable of invoking an Android intent can exploit this vulnerability to send messages on the user’s behalf to arbitrary receivers without requiring any further user interaction or specific permissions. This allows for the silent and unauthorized transmission of messages from a compromised Wear OS device.

Basic Information

ID CVE-2025-12080

Source Google

Published Oct 27, 2025 at 08:45

Affected Product

Vendor Google

Product WearOS

Affected Versions Google WearOS 0

CWE Classification

CWE-345

References

towerofhanoi.it /writeups/cve-2025-12080/

{
    "lastseen": "",
    "description": "On Wear OS devices, when Google Messages is configured as the default SMS/MMS/RCS application, the handling of ACTION_SENDTO intents utilizing the sms:, smsto:, mms:, and mmsto: Uniform Resource Identifier (URI) schemes is incorrectly implemented.\n\nDue to this misconfiguration, an attacker capable of invoking an Android intent can exploit this vulnerability to send messages on the user\u2019s behalf to arbitrary receivers without requiring any further user interaction or specific permissions. This allows for the silent and unauthorized transmission of messages from a compromised Wear OS device.",
    "published": "2025-10-27T08:45:52.604Z",
    "modified": "2025-10-27T08:45:52.604Z",
    "type": "cve",
    "title": "Intent Abuse in Google Messages for Wear OS for Silent Message Sending",
    "source": "Google",
    "references": "https://towerofhanoi.it/writeups/cve-2025-12080/",
    "id": "CVE-2025-12080",
    "bulletinFamily": "",
    "cwe": [
        "CWE-345"
    ],
    "cvelist": null,
    "sourceData": "Google WearOS 0",
    "sourceHref": "",
    "cvss": {
        "score": 6.9,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "WearOS",
    "version": "0",
    "vendor": "Google",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Intent Abuse in Google Messages for Wear OS for Silent Message Sending_CVE-2025-12080