Google patches Wear OS vulnerability that enables silent SMS sending without user consent
Take action: If you use a smartwatch with Google Messages (like Pixel Watch or Galaxy Watch), update your Google Messages app immediately through the Play Store. Currently, any app can send texts without your permission. Make sure your Wear OS system is also fully updated.
Google has patched a security vulnerability in its Messages application for Wear OS that exposed millions of smartwatch users to unauthorized message sending.
The flaw, tracked as CVE-2025-12080 (CVSS score 6.9 to 9.8), is an intent handling misconfiguration affecting Wear OS device users. It allows any installed application to send SMS, MMS, or RCS messages on behalf of the user without requiring permissions, confirmation, or any form of user interaction.
According to established Android security practices, when an application sends a sensitive intent such as ACTION_SENDTO for message delivery, the receiving application should present a confirmation interface to ensure explicit user consent.
The flaw affects four specific URI schemes: sms:, smsto:, mms:, and mmsto:. When Google Messages receives ACTION_SENDTO intents utilizing these schemes, the application automatically processes and executes the message-sending request without any verification of the caller's legitimacy or user authorization.
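The receiving side of that contract, shown as an added example rather than Google's own code: a default messaging app's Activity that accepts ACTION_SENDTO for the four schemes above, extracts the recipient and body from the URI, and puts an explicit confirmation dialog between the incoming intent and the actual send. The package, class and dialog strings are assumptions; the sms: URI layout (recipient, then an optional ?body= query) follows RFC 5724, and the "sms_body" extra is the conventional Android fallback.

```java
// Added example (not Google Messages code): a default-SMS-app Activity that
// handles ACTION_SENDTO for sms:/smsto:/mms:/mmsto: and refuses to send
// anything until the wearer taps "Send". Package and class names are assumed.
package com.example.wearmessages;

import android.app.Activity;
import android.app.AlertDialog;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.telephony.SmsManager;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class ComposeActivity extends Activity {

    // The four schemes named in the advisory; anything else is ignored.
    private static final Set<String> SEND_SCHEMES =
            new HashSet<>(Arrays.asList("sms", "smsto", "mms", "mmsto"));

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent intent = getIntent();
        Uri data = intent.getData();

        if (!Intent.ACTION_SENDTO.equals(intent.getAction()) || data == null
                || data.getScheme() == null
                || !SEND_SCHEMES.contains(data.getScheme().toLowerCase(Locale.ROOT))) {
            finish();
            return;
        }

        // sms: URIs are opaque ("sms:+15551234567?body=hi"), so Uri.getQueryParameter()
        // is unavailable; split the scheme-specific part by hand.
        String ssp = data.getSchemeSpecificPart();
        int q = ssp.indexOf('?');
        String recipient = q >= 0 ? ssp.substring(0, q) : ssp;
        String body = null;
        if (q >= 0) {
            for (String kv : ssp.substring(q + 1).split("&")) {
                if (kv.startsWith("body=")) {
                    body = Uri.decode(kv.substring("body=".length()));
                }
            }
        }
        if (body == null) body = intent.getStringExtra("sms_body");
        if (body == null) body = "";
        if (recipient.isEmpty()) {
            finish();
            return;
        }

        // The vulnerable behaviour described for CVE-2025-12080 would call
        // sendMessage(recipient, body) right here. Instead, show the caller's
        // request verbatim and require a deliberate tap before sending.
        final String finalRecipient = recipient;
        final String finalBody = body;
        new AlertDialog.Builder(this)
                .setTitle("Send message?")
                .setMessage("To: " + finalRecipient + "\n\n" + finalBody)
                .setPositiveButton("Send", (dialog, which) -> {
                    sendMessage(finalRecipient, finalBody);
                    finish();
                })
                .setNegativeButton("Cancel", (dialog, which) -> finish())
                .setOnCancelListener(dialog -> finish())
                .show();
    }

    // Only reachable from the positive button above; the default SMS app
    // holds SEND_SMS, which is exactly why the gate has to live here.
    private void sendMessage(String recipient, String body) {
        if (body.isEmpty()) return;
        SmsManager.getDefault().sendTextMessage(recipient, null, body, null, null);
    }
}
```

The point of the structure is that every path from the intent to SmsManager passes through a user-visible dialog that shows the recipient and text the calling app supplied, so a third-party app with no SEND_SMS permission can at most prompt the wearer, never send on its own. Cancelling or dismissing the dialog finishes the Activity without sending.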
An attacker simply needs to craft an application that appears legitimate, such as a fitness tracker or weather widget, and include standard Android code that invokes ACTION_SENDTO intents with a specified recipient phone number and message content. The malicious application requires no special permissions such as SEND_SMS that would normally alert users during installation.
The vulnerability affects Google Messages on Wear OS devices where the application is configured as the default SMS/MMS/RCS messaging application. The issue was confirmed on Pixel Watch 3 devices running Wear OS with Android 15 (build BP1A.250305.019.w3) and Google Messages version 2025_0225_RC03.wear_dynamic. The vulnerability likely extends to the majority of Wear OS devices, as Google Messages serves as the default messaging application on most smartwatches running the platform.
Google has released security updates for Google Messages on Wear OS that restore the mandatory confirmation prompts for ACTION_SENDTO intents. Users should update their smartwatch applications through the Google Play Store and verify that their Wear OS devices run the latest available system builds.