Vulnerabilities in the ControlVault3 firmware affect over 100 Dell laptop models, allowing attackers to bypass Windows Login and install malware that remains on the system even after an OS reinstallation.
Dell ControlVault is a hardware security solution that stores passwords, biometric data, and security codes in the firmware on a dedicated add-on card called the Unified Security Hub (USH).
Cisco Talos analysts have identified five vulnerabilities in ControlVault3, collectively named ReVault. These vulnerabilities affect both the ControlVault3 firmware and Windows API interfaces on Dell Latitude and Precision laptops, which are aimed at business users. Such devices are quite popular in IT, as well as in government and industrial organizations, where smart cards, fingerprints, and NFC are widely used for authentication.
Among the ReVault vulnerabilities: two out-of-bound issues (CVE-2025-24311, CVE-2025-25050), an arbitrary free vulnerability (CVE-2025-25215), a stack overflow bug (CVE-2025-24922), and an insecure deserialization issue (CVE-2025-24919) affecting ControlVault APIs for Windows.
It has been reported that from March to May, Dell released patches to address ReVault issues in the ControlVault3 driver and firmware. A full list of affected laptop models can be found in the Dell security bulletin.
Cisco Talos experts explain that the combination of these vulnerabilities allows attackers to execute arbitrary code at the firmware level, enabling the creation of persistent implants on the device that can “survive” even a Windows reinstallation.
Additionally, with physical access to the device, the vulnerabilities could be exploited to bypass system login or escalate a local user’s privileges to an administrator level.
“A local attacker with physical access to a user’s laptop can open it and gain direct access to the USH board via USB, using a custom connector,” experts explain. “After that, all of the previously described vulnerabilities become available to the attacker, without needing to log into the system or know the disk encryption password.”
Successful exploitation of ReVault vulnerabilities also allowed manipulation of fingerprint authentication, forcing the target device to accept any fingerprint, not just those belonging to legitimate users.
Cisco Talos experts recommend Dell laptop owners to install updates via Windows Update or the Dell website, disable unused security peripheral devices, including fingerprint readers, smart cards, and NFC, and also to disable fingerprint login in high-risk situations.
To mitigate the potential consequences of physical attacks, researchers recommend enabling the chassis intrusion detection feature in the BIOS settings to record attempts of physical tampering with the device, as well as Enhanced Sign-in Security (ESS) in Windows to detect firmware discrepancies in ControlVault.