Critical Firmware Vulnerabilities Expose Millions of Dell Laptops to Device Takeover and Malware Attacks

A wide range of vulnerabilities affects millions of Dell laptops used by government agencies, cybersecurity professionals, and enterprises worldwide.

The vulnerabilities, collectively dubbed “ReVault,” affect the Broadcom BCM5820X security chip and the Dell ControlVault3 firmware that runs on it, giving attackers opportunities to steal passwords and biometric data and to maintain persistent access to compromised systems.

The vulnerabilities affect more than 100 different models of Dell laptops, primarily from the business-focused Latitude and Precision series that are widely deployed in sensitive environments.

These devices are commonly found in cybersecurity companies, government facilities, and rugged deployments where enhanced security features like smartcard and NFC authentication are essential.

Dell ControlVault serves as a “hardware-based security solution that provides a secure bank that stores your passwords, biometric templates, and security codes within the firmware,” according to the company.

The system operates on a separate daughter board called a Unified Security Hub (USH), which connects various security peripherals, including fingerprint readers, smart card readers, and NFC devices.

ReVault Attack – Five Critical Vulnerabilities

Cisco Talos researchers identified five distinct vulnerabilities in the ControlVault3 and ControlVault3+ systems:

  • CVE-2025-24311: An out-of-bounds read vulnerability that enables information leakage
  • CVE-2025-25050: An out-of-bounds write flaw allowing code execution
  • CVE-2025-25215: An arbitrary memory free vulnerability
  • CVE-2025-24922: A stack-based buffer overflow enabling arbitrary code execution
  • CVE-2025-24919: An unsafe deserialization flaw in ControlVault’s Windows APIs

All vulnerabilities received CVSS scores above 8.0, classifying them as “high” severity threats. The combination of these flaws creates particularly dangerous attack scenarios that security experts warn could have far-reaching consequences.

The most concerning aspect of the ReVault vulnerabilities is their potential for establishing a persistent compromise that remains undetected even after a complete Windows reinstallation.

Figure: Attack Scenario (Source: Talos)

According to the researchers, a non-administrative user can interact with ControlVault firmware through Windows APIs to trigger arbitrary code execution, allowing attackers to extract cryptographic keys and permanently modify the firmware.

“This creates the risk of a so-called implant that could stay unnoticed in a laptop’s ControlVault firmware and eventually be used as a pivot back onto the system in the case of a threat actor’s post-compromise strategy,” the Talos team explained in their technical disclosure.

The persistent nature of these attacks represents a significant escalation in firmware-based threats, as the malicious code resides below the operating system level, where traditional antivirus solutions cannot detect or remove it.

Beyond remote exploitation, the vulnerabilities also enable devastating physical attacks. Researchers demonstrated that an attacker with brief physical access to a laptop can open the chassis and directly access the USH board via USB using a custom connector.

This approach bypasses the need for system login credentials or knowledge of full-disk encryption passwords.

Researchers showed how tampered ControlVault firmware could be configured to accept any fingerprint for authentication, including non-human objects such as vegetables.

A video released by Cisco Talos shows a spring onion successfully unlocking a compromised Dell laptop, highlighting the complete breakdown of biometric security controls.

“If a system is configured to be unlocked with the user’s fingerprint, it is also possible to tamper with the ControlVault firmware to accept any fingerprint rather than only allowing a legitimate user’s,” the researchers noted.

Dell Response

Dell responded promptly to the vulnerability disclosure, working with Broadcom to develop and distribute firmware updates beginning in March 2025.

The company notified customers of the critical security issues on June 13, 2025, and has been releasing patches through both Windows Update and Dell’s support website.

“Working with our firmware provider, we addressed the issues quickly and transparently disclosed the reported vulnerabilities in accordance with our Vulnerability Response Policy,” a Dell spokesperson stated. The company emphasized that no evidence of active exploitation has been discovered in the wild.

The vulnerabilities affect Dell ControlVault3 versions prior to 5.15.10.14 and Dell ControlVault3+ versions prior to 6.2.26.36. Organizations are strongly urged to apply firmware updates immediately, as the automated deployment through Windows Update may not reach all enterprise environments with restricted update policies.
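One way to gate a fleet inventory on the fixed versions named above, as an added example that is not from the article, Dell or Talos: it parses dotted firmware versions numerically (a plain string comparison would rank 5.15.10.9 above 5.15.10.14) and lists hosts still below the fix. The inventory rows are constructed sample data, and how the firmware version is exported from your fleet tooling is an assumption.

```python
# Added example (not from the article or from Dell/Talos): check exported
# ControlVault firmware versions against the fixed versions in the advisory.
# The inventory rows below are constructed sample data; the export format
# from your fleet management tool is an assumption.

# Fixed versions from the article: ControlVault3 5.15.10.14, ControlVault3+ 6.2.26.36
FIXED_VERSIONS = {
    "ControlVault3": "5.15.10.14",
    "ControlVault3+": "6.2.26.36",
}


def parse_version(version):
    """Turn '5.15.10.14' into (5, 15, 10, 14) so comparison is numeric.
    Comparing raw strings would wrongly rank '5.15.10.9' above '5.15.10.14'."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable(product, version):
    """True when the firmware is older than the fixed version for its product line."""
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        raise ValueError(f"unknown ControlVault product line: {product!r}")
    return parse_version(version) < parse_version(fixed)


def find_unpatched(inventory):
    """Return hostnames whose ControlVault firmware still needs the update."""
    return [row["host"] for row in inventory
            if is_vulnerable(row["product"], row["firmware"])]


# Constructed sample inventory (hostnames and versions are made up for this example)
SAMPLE_INVENTORY = [
    {"host": "lat-001", "product": "ControlVault3", "firmware": "5.15.10.9"},
    {"host": "lat-002", "product": "ControlVault3", "firmware": "5.15.10.14"},
    {"host": "prec-001", "product": "ControlVault3+", "firmware": "6.2.25.40"},
    {"host": "prec-002", "product": "ControlVault3+", "firmware": "6.2.26.36"},
]

if __name__ == "__main__":
    for host in find_unpatched(SAMPLE_INVENTORY):
        print(f"{host}: ControlVault firmware below fixed version, apply the DSA-2025-053 update")
```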

“These findings highlight the importance of evaluating the security posture of all hardware components within your devices, not just the operating system or software,” the Cisco Talos researchers concluded. “Staying vigilant, patching your systems and proactively assessing risk are essential to safeguard your systems against evolving threats.”

Dell Security Advisory DSA-2025-053 contains complete details on affected models and remediation procedures. Organizations can access updated firmware through Dell’s support website or via Windows Update mechanisms.
