A firmware-level security nightmare is unfolding across millions of Dell laptops worldwide. The devices trusted by government agencies, cybersecurity professionals, and enterprise organizations to protect their most sensitive data are now vulnerable to a sophisticated attack vector that could render traditional security measures useless. Dubbed “ReVault,” this collection of critical vulnerabilities strikes at the heart of Dell’s ControlVault3 firmware, targeting the very Broadcom BCM5820X security chip designed to safeguard biometric data, passwords, and cryptographic keys. The stakes couldn’t be higher—attackers who exploit these flaws can establish persistent, nearly undetectable footholds that survive even complete system reinstallations.
ReVault Vulnerabilities
Cisco Talos researchers have identified five distinct vulnerabilities in the ControlVault3 and ControlVault3+ systems:
- CVE-2025-24311: An out-of-bounds read vulnerability that enables information leakage.
- CVE-2025-25050: An out-of-bounds write flaw allowing code execution.
- CVE-2025-25215: An arbitrary memory free vulnerability.
- CVE-2025-24922: A stack-based buffer overflow enabling arbitrary code execution.
- CVE-2025-24919: An unsafe deserialization flaw in ControlVault’s Windows APIs.
All these vulnerabilities have received high CVSS scores, indicating their severity. The combination of these flaws can lead to dangerous attack scenarios with far-reaching consequences.
Affected Products
The vulnerabilities affect more than 100 different models of Dell laptops, primarily from the business-focused Latitude and Precision series. These devices are commonly used in environments where enhanced security features like smartcard and NFC authentication are essential. The affected Dell ControlVault3 versions are prior to 5.15.10.14, and the affected Dell ControlVault3+ versions are prior to 6.2.26.36.
Mitigation & Recommendations
Dell has responded to these vulnerabilities by releasing firmware updates. It is strongly recommended that organizations and individuals take the following steps:
- Apply firmware updates immediately: Update Dell ControlVault3 to version 5.15.10.14 or later, and Dell ControlVault3+ to version 6.2.26.36 or later.
- Check for updates: Obtain updates through Windows Update and Dell’s support website.
- Refer to Dell Security Advisory DSA-2025-053: Consult the advisory for complete details on affected models and remediation procedures.
Impact & Exploit Potential
The ReVault vulnerabilities pose a significant threat due to their potential for establishing a persistent compromise that remains undetected even after a complete Windows reinstallation. Attackers can exploit these vulnerabilities to:
- Steal passwords and biometric data: By exploiting the firmware-level access, attackers can bypass traditional security measures and gain access to sensitive credentials, employing the T1555 – Credentials from Password Stores technique.
- Maintain persistent access: The vulnerabilities allow for the creation of implants that can remain in the ControlVault firmware, providing a persistent backdoor even after OS reinstallation. This involves the T1542 – Pre-OS Boot technique.
- Execute devastating physical attacks: With brief physical access, attackers can directly access the USH board via USB, bypassing system login credentials and full-disk encryption passwords.
- Arbitrary code execution: A non-administrative user can interact with ControlVault firmware through Windows APIs to trigger arbitrary code execution, allowing attackers to extract cryptographic keys and permanently modify the firmware.
Researchers have even demonstrated that tampered ControlVault firmware could be configured to accept any fingerprint for authentication, including non-human objects, highlighting a complete breakdown of biometric security controls.
TTPs
The tactics, techniques, and procedures (TTPs) associated with these vulnerabilities include:
- TA0006 – Credential Access: Attackers aim to steal sensitive credentials stored within the firmware.
- TA0003 – Persistence: Establishing a persistent presence within the firmware to ensure continued access.
- TA0004 – Privilege Escalation: Gaining higher-level permissions through exploiting firmware flaws.
- TA0001 – Initial Access: Exploiting vulnerabilities to gain initial access to the system.
- T1555 – Credentials from Password Stores: Accessing stored credentials by exploiting firmware vulnerabilities.
- T1542 – Pre-OS Boot: Modifying the pre-OS environment to maintain persistence.
- T1068 – Exploitation for Privilege Escalation: Elevating privileges through exploitation of the ControlVault firmware.
- T1190 – Exploit Public-Facing Application: Gaining access through exploiting public-facing applications to interact with the vulnerable firmware.
Instantly Fix Risks with Saner Patch Management
Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.