Cybersecurity researchers at Cisco Talos have discovered five critical vulnerabilities in Dell’s ControlVault3 security hardware that could affect millions of business laptops worldwide.
The flaws, collectively dubbed “ReVault,” enable attackers to remotely hijack systems and maintain persistent access even after complete Windows reinstallation.
The vulnerabilities affect more than 100 models of actively-supported Dell laptops, primarily from the business-focused Latitude and Precision series.
These systems are extensively deployed across cybersecurity companies, government agencies, and enterprises requiring enhanced security features.
The affected devices utilize Dell’s ControlVault3 and ControlVault3+ firmware, which provides hardware-based security for storing passwords, biometric templates, and security codes.
Dell ControlVault operates through a dedicated daughter board called the Unified Security Hub (USH), which manages various security peripherals including fingerprint readers, smart card readers, and NFC devices.
This hardware-based approach was designed to provide enhanced security, but the discovered vulnerabilities turn this trusted component into a potential attack vector.
Critical Security Flaws Exposed
Talos researchers identified five distinct vulnerabilities spanning both the ControlVault firmware and its Windows APIs.
The technical flaws include multiple out-of-bounds vulnerabilities (CVE-2025-24311, CVE-2025-25050), an arbitrary free vulnerability (CVE-2025-25215), a stack overflow (CVE-2025-24922), and an unsafe deserialization issue (CVE-2025-24919) affecting the Windows API components.
The most concerning aspect of these vulnerabilities is their potential for creating persistent malware implants.
According to Talos, attackers can leverage these flaws to modify the firmware permanently, creating hidden access points that survive operating system reinstallation and traditional security measures.
The ReVault vulnerabilities enable two primary attack scenarios. In post-compromise situations, non-administrative users can interact with the ControlVault firmware through compromised APIs to execute arbitrary code and extract cryptographic keys.
This capability allows attackers to establish persistent backdoors that remain undetected across system rebuilds.
Physical attack scenarios present equally serious risks. Attackers with physical laptop access can directly interface with the USH board using custom USB connectors, bypassing Windows login screens and full-disk encryption.
Particularly alarming is the potential to manipulate fingerprint authentication systems, allowing any fingerprint to unlock devices configured for biometric access.
The discovery highlights significant security gaps in hardware-based security solutions widely trusted by enterprise environments.
Organizations using affected Dell systems should immediately apply available patches and implement additional monitoring for unusual ControlVault behavior.
The vulnerabilities underscore the critical importance of securing firmware components that operate below traditional operating system security boundaries.
Dell has acknowledged the vulnerabilities through security advisory DSA-2025-053, providing patches for affected systems.
The Ultimate SOC-as-a-Service Pricing Guide for 2025– Download for Free
Source link
