Recent research has uncovered a series of critical vulnerabilities, collectively termed ReVault, affecting millions of Dell laptops worldwide. These flaws reside within the Broadcom BCM5820X security chip integrated into Dell’s ControlVault3 firmware, potentially allowing attackers to steal sensitive data and maintain persistent access to compromised systems.
Scope of the Vulnerability
The ReVault vulnerabilities impact over 100 Dell laptop models, predominantly from the Latitude and Precision series. These models are extensively used in sectors requiring high security, such as government agencies, cybersecurity firms, and enterprises. The affected devices often incorporate advanced security features like smartcard and NFC authentication, making them prevalent in environments where data protection is paramount.
Understanding Dell ControlVault
Dell’s ControlVault is a hardware-based security solution designed to securely store passwords, biometric templates, and security codes within the firmware. It operates on a separate daughter board known as the Unified Security Hub (USH), which interfaces with various security peripherals, including fingerprint readers, smart card readers, and NFC devices.
Details of the ReVault Vulnerabilities
Cisco Talos researchers have identified five distinct vulnerabilities within the ControlVault3 and ControlVault3+ systems:
– CVE-2025-24311: An out-of-bounds read vulnerability that enables information leakage.
– CVE-2025-25050: An out-of-bounds write flaw allowing code execution.
– CVE-2025-25215: An arbitrary memory free vulnerability.
– CVE-2025-24922: A stack-based buffer overflow enabling arbitrary code execution.
– CVE-2025-24919: An unsafe deserialization flaw in ControlVault’s Windows APIs.
Each of these vulnerabilities has received a Common Vulnerability Scoring System (CVSS) score exceeding 8.0, categorizing them as high-severity threats. The combination of these flaws creates particularly dangerous attack scenarios with potentially far-reaching consequences.
Implications of the Vulnerabilities
One of the most alarming aspects of the ReVault vulnerabilities is their potential to establish a persistent compromise that remains undetected even after a complete Windows reinstallation. Researchers have demonstrated that a non-administrative user can interact with ControlVault firmware through Windows APIs to trigger arbitrary code execution. This access allows attackers to extract cryptographic keys and permanently modify the firmware.
According to the Talos team, this scenario creates the risk of an implant that could stay unnoticed in a laptop’s ControlVault firmware and eventually be used as a pivot back onto the system in the case of a threat actor’s post-compromise strategy.
The persistent nature of these attacks represents a significant escalation in firmware-based threats, as the malicious code resides below the operating system level, where traditional antivirus solutions cannot detect or remove it.
Physical Attack Vector
Beyond remote exploitation, the vulnerabilities also enable devastating physical attacks. Researchers demonstrated that an attacker with brief physical access to a laptop can open the chassis and directly access the USH board via USB using a custom connector. This approach bypasses the need for system login credentials or knowledge of full-disk encryption passwords.
In a striking demonstration, researchers showed how tampered ControlVault firmware could be configured to accept any fingerprint for authentication, including non-human objects like vegetables. A video released by Cisco Talos shows a spring onion successfully unlocking a compromised Dell laptop, highlighting the complete breakdown of biometric security controls.
Dell’s Response and Mitigation Measures
Dell responded promptly to the vulnerability disclosure, collaborating with Broadcom to develop and distribute firmware updates beginning in March 2025. The company notified customers of the critical security issues on June 13, 2025, and has been releasing patches through both Windows Update and Dell’s support website.
A Dell spokesperson stated that, working with their firmware provider, they addressed the issues quickly and transparently disclosed the reported vulnerabilities in accordance with their Vulnerability Response Policy. The company emphasized that no evidence of active exploitation has been discovered in the wild.
The vulnerabilities affect Dell ControlVault3 versions prior to 5.15.10.14 and Dell ControlVault3+ versions prior to 6.2.26.36. Organizations are strongly urged to apply firmware updates immediately, as the automated deployment through Windows Update may not reach all enterprise environments with restricted update policies.
These findings highlight the importance of evaluating the security posture of all hardware components within your devices, not just the operating system or software. Staying vigilant, patching your systems, and proactively assessing risk are essential to safeguard your systems against evolving threats.
Dell Security Advisory DSA-2025-053 contains complete details on affected models and remediation procedures. Organizations can access updated firmware through Dell’s support website or via Windows Update mechanisms.
