Millions of Dell laptops could be persistently backdoored in ReVault attacks
A set of firmware vulnerabilities affecting 100+ Dell laptop models widely used in government settings and by the cybersecurity industry could allow attackers to achieve persistent access even across Windows reinstalls, Cisco Talos researchers have discovered.
About the vulnerabilities
Most of the flaws reside in the firmware for ControlVault3 and ControlVault3+, which are hardware security components that store passwords, biometric templates, and security codes.
The lists includes:
- Two out-of-bounds vulnerabilities (CVE-2025-24311, CVE-2025-25050)
- An arbitrary free (CVE-2025-25215) flaw
- A stack-overflow bug (CVE-2025-24922)
- An unsafe-deserialization flaw (CVE-2025-24919)
According to the researchers, the vulnerabilities can be exploited in so-called ReVault attacks by:
- Attackers who have achieved non-administrative access/privileges on a vulnerable target laptop. The vulnerabilities may allow them to interact with the ControlVault firmware and leak key material that would allow them to permanently modify the firmware (i.e., effectively creating a potential backdoor into the system)
- Attackers that have physical access to the laptop. They could pry the device open, use a custom connector to access the Unified Security Hub board (which runs ControlVault) over USB, and exploit those vulnerabilities – all without having to log into the system beforehand or having knowledge of the full-disk encryption password.
“Another interesting consequence of this scenario is that if a system is configured to be unlocked with the user’s fingerprint, it is also possible to tamper with the CV firmware to accept any fingerprint,” the researchers added.
Technical details have not been publicly shared, but they have, of course, been privately reported to Dell and Broadcom.
Update the firmware!
The vulnerabilities affect Dell ControlVault3 versions prior to v5.15.10.14 and Dell ControlVault3+ versions prior to 6.2.26.36 and the associated Windows drivers on the following Dell laptop models with Broadcom chips:
| Dell Pro Max 14 MC14250 | Dell Pro Max 16 MC16250 | Dell Pro 13 Plus PB13250 | Dell Pro 14 Plus PB14250 |
| Dell Pro 16 Plus PB16250 | Dell Pro Rugged 13 RA13250 | Dell Pro Rugged 14 RB14250 | Latitude 7030 Rugged Extreme Tablet |
| Latitude 7200 2-in-1 | Latitude 7210 2-in-1 | Latitude 7220EX Rugged Extreme Tablet | Latitude 7220 Rugged Extreme Tablet |
| Latitude 7230 Rugged Extreme Tablet | Latitude 5300 2-in-1 | Latitude 5300 | Latitude 5310 2-in-1 |
| Latitude 5310 | Latitude 5320 | Latitude 5330 | Latitude 5340 |
| Latitude 5350 | Latitude 7300 | Latitude 7310 | Latitude 7320 |
| Latitude 7320 Detachable | Latitude 7330 | Latitude 7330 Rugged Extreme | Latitude 7340 |
| Latitude 7350 | Latitude 7350 Detachable | Latitude 9330 | Latitude 5400 |
| Latitude 5401 | Latitude 5410 | Latitude 5411 | Latitude 5421 |
| Latitude 5430 Rugged | Latitude 5431 | Latitude 5440 | Latitude 5450 |
| Latitude 7400 2-in-1 | Latitude 7400 | Latitude 7410 | Latitude 7420 |
| Latitude 7430 | Latitude 7440 | Latitude 7450 | Latitude 9410 |
| Latitude 9420 | Latitude 9430 | Latitude 9440 2-in-1 | Latitude 9450 2-in-1 |
| Latitude 5500 | Latitude 5501 | Latitude 5510 | Latitude 5511 |
| Latitude 5520 | Latitude 5521 | Latitude 5530 | Latitude 5531 |
| Latitude 5540 | Latitude 5550 | Latitude 7520 | Latitude 7530 |
| Latitude 9510 | Latitude 9520 | Latitude 7640 | Latitude 7650 |
| Latitude 5420 | Latitude 5430 | Precision 3470 | Precision 3480 |
| Precision 3490 | Precision 5470 | Precision 5480 | Precision 5490 |
| Precision 3540 | Precision 3541 | Precision 3550 | Precision 3551 |
| Precision 3560 | Precision 3561 | Precision 3570 | Precision 3571 |
| Precision 3580 | Precision 3581 | Precision 3590 | Mobile Precision 3591 |
| Precision 7540 | Precision 7550 | Precision 7560 | Precision 5680 |
| Mobile Precision 5690 | Precision 7670 | Precision 7680 | Precision 7740 |
| Precision 7750 | Precision 7760 | Precision 7770 | Precision 7780 |
Dell has been releasing fixed drivers and firmware from March 2025.
Though Cisco Talos researchers pointed out that ControlVault firmware can be automatically deployed via Windows Update, organizations may have trouble deploying them thoroughly across large laptop fleets. (In some organizations, devices may go years without receiving such updates, especially laptops that are used in the field.)
They are also advising disabling the CV services and/or the CV device if users are not using a fingerprint reader, smart card reader and NFC reader, and disabling fingerprint login when leaving one’s laptop unattended.
“Windows also provides Enhanced Sign-in Security (ESS), which may help mitigate some of the physical attacks and detect inappropriate CV firmware,” they added, and noted that some laptop models can detect chassis intrusion (this option can be enabled in the computer’s BIOS).
Endpoint detection tools may be able to flag unauthorized attempts to update firmware, and unexpected crashes of the Windows Biometric Service or the Credential Vault services showing up in Windows logs may point to compromise.
The thing is: systems-on-chip (SOCs) like ControlVault are full computing environments with their own memory, processors, and software, and if attackers can access them and exploit vulnerabilities in them, they represent a new layer of risk.
“These findings highlight the importance of evaluating the security posture of all hardware components within your devices, not just the operating system or software,” the researchers pointed out.
Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!
Source link
