Vulnerability Management, Patch/Configuration Management, Threat Intelligence

Dell fixes 5 firmware vulnerabilities affecting more than 100 laptop models

Windows Key on a new Dell Latitude 7420 laptop keyboard. Several Dell Latitude models are among those affected by "ReVault" vulnerabilities.

(Credit: Daniel CHETRONI – stock.adobe.com)

Dell patched a series of five high-severity firmware vulnerabilities affecting more than 100 Dell laptop models.

The vulnerabilities affect the Dell ControlVault3 and ControlVault3+ features, which offer “a hardware-based security solution that provides a secure bank that stores your passwords, biometric templates, and security codes within the firmware,” according to Dell. This feature is present in many business-focused laptop models such as those in Dell's Latitude and Precision series.

The feature is driven by a “Unified Security Hub” (USH) system-on-a-chip (SoC) manufactured by Broadcom, which connects to security-related peripherals including fingerprint readers, smart card readers and near-field communication (NFC) readers.

Cisco Talos discovered five vulnerabilities affecting the USH and ControlVault, with high CVSS scores ranging from 8.1 to 8.8. These vulnerabilities, dubbed “ReVault,” could facilitate post-compromise persistence for attackers or even enable unauthorized logins by attackers with physical access to the laptop.

The vulnerabilities are tracked as CVE-2025-24311, an out-of-bounds read flaw, CVE-2025-25050, an out-of-bounds write flaw, CVE-2025-25215, an arbitrary free flaw, CVE-2025-24922, a stack-based buffer overflow flaw and CVE-2025-24919, a deserialization of untrusted input flaw.

Many of the ReVault vulnerabilities can be exploited via a crafted call to the ControlVault API. In a post-compromise scenario, the flaws can enable a non-administrative user to exploit ControlVault’s APIs to execute arbitrary code on its firmware.

This can enable attacker persistence through the leakage of security key material and tampering with the ControlVault firmware, which can survive reinstallation of the Windows operating system.

Additionally, if an attacker has physical access to an affected device, the USH SoC can be manipulated using a custom connector to connect over USB.

The attacker could then manage to log in, for example, by manipulating the ControlVault firmware to accept any fingerprint from the device’s fingerprint reader, as Cisco Talos demonstrated in a video using a plastic finger wrapped in a green onion.

Users of the affected devices, which are listed in Dell’s advisory, must install the updated firmware to remediate the vulnerabilities. This can be done automatically via Windows Update.

Cisco Talos also noted that users can disable ControlVault if they do not use any of the associated peripherals, such as a fingerprint, smart card or NFC reader. Windows’ Enhanced Sign-in Security (ESS) feature may also provide additional protection against physical or firmware tampering.

Detecting exploitation of the ReVault vulnerabilities or similar hardware-based attacks can be achieved by enabling chassis intrusion detection in the BIOS of some laptop models. Users should also look for unexpected Windows Biometric Service or Credential Vault service crashes, which could indicate a compromise.

Related

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

Related Terms

BotnetBrute ForceBugCovert ChannelsDeauthentication AttackDeepfakeDisruptionDistributed ScansDomain HijackingDumpster Diving

You can skip this ad in 5 seconds