ReVault flaws let attackers bypass Windows login or place malware implants on Dell laptops – Source: www.csoonline.com

Flaws in the firmware that ships with more than 100 models of Dell business laptops compromise the hardware designed to secure passwords and biometric data.

Vulnerabilities in the ControlVault3 (CV) firmware in Dell laptops, discovered by security researchers from Cisco Talos, allow attackers with physical access to bypass Windows login on vulnerable laptops or let a local user gain admin privileges.

The most serious of the five vulnerabilities affects the Windows API associated with ControlVault3 and creates a means for attackers to install persistent malware capable of surviving even an operating system reinstallation.

Fortunately, all five of the vulnerabilities, collectively known as ReVault, were addressed through a series of Dell ControlVault3 driver and firmware updates released by the company between March and May 2025.

Researchers at Cisco Talos released details of the vulnerabilities in a technical blog post on Tuesday, ahead of a presentation at the Black Hat USA conference on Wednesday, August 6.

Not so secure enclave

ControlVault3 offers a secure hardware enclave within the system firmware that stores sensitive data such as passwords, biometric templates (like fingerprint data), and security codes. The technology, which comes as a daughter board known as the Unified Security Hub (USH) that connects to security peripherals such as a fingerprint reader or smart card reader, is primarily used in Dell business laptops such as the Latitude and Precision series, and Rugged variants of these models.

Potentially affected laptops are widely used in the cybersecurity industry, across government and in industrial environments.

Planting implants

An investigation by Cisco Talos uncovered two out-of-bounds vulnerabilities (CVE-2025-24311, CVE-2025-25050) an arbitrary free (CVE-2025-25215) and a stack-overflow flaw (CVE-2025-24922), all affecting the ControlVault firmware.

The same researchers also discovered an unsafe deserialization flaw (CVE-2025-24919) affecting ControlVault’s Windows APIs. This vulnerability makes it possible to trigger arbitrary code execution on the ControlVault firmware, allowing the extraction of key material essential to the security of the device and in turn opening the door to modifying its firmware.

“This creates the risk of a so-called implant that could stay unnoticed in a laptop’s CV firmware and eventually be used as a pivot back onto the system in the case of a threat actor’s post-compromise strategy,” Philippe Laulheret, senior vulnerability researcher at Cisco Talos, warned.

USH board hardware exploitation

Other risks stem from a potential attack where an attacker with physical access to a vulnerable laptop would pry it open and directly access the USH board over USB with a custom connector. In this scenario, an attacker could hack the device without needing either login credentials or the full-disk encryption password.

“While chassis-intrusion can be detected, this is a feature that needs to be enabled beforehand to be effective at warning of a potential tampering,” Cisco Talos researchers noted.

In cases where a system is configured so that it is unlocked with a user’s fingerprint, the vulnerabilities could be exploited to tamper with the firmware and allow it to accept any fingerprint rather than only that of a legitimate user, setting up the possibility of Mission Impossible-style hack scenarios.

Mitigation

The first step in mitigating all the flaws is to install the latest version of the ControlVault3 firmware. “CV firmware can be automatically deployed via Windows Update, but new firmware usually gets released on the Dell website a few weeks prior,” Cisco Talos noted.

Enterprises that don’t use security peripherals (fingerprint reader, smart card readers, or NFC readers) should consider disabling CV services as a precaution. Disabling fingerprint login when risks are heightened, such as during offsite visits or while traveling, offers another potential mitigation.

Cisco Talos concluded that its research offers a stark example of why it’s important to consider the security of hardware components of a system rather than only focusing on its software.

“Vulnerabilities in widely-used firmware such as Dell ControlVault can have far-reaching implications, potentially compromising even advanced security features like biometric authentication,” Cisco Talos‘ Laulheret concluded.