ReVault Vulnerabilities Allow Bypassing Windows Login on Dell Laptops

Date: 08/08/2025

Vulnerabilities in the ControlVault3 firmware affect over 100 Dell laptop models and allow attackers to bypass the Windows login and install malware that persists on the system even after the operating system is reinstalled.

Dell ControlVault is a hardware security solution that stores passwords, biometric data, and security codes in the firmware on a dedicated add-on card called the Unified Security Hub (USH).

Cisco Talos analysts have identified five vulnerabilities in ControlVault3, collectively named ReVault. These vulnerabilities affect both the ControlVault3 firmware and Windows API interfaces on Dell Latitude and Precision laptops, which are aimed at business users. Such devices are quite popular in IT, as well as in government and industrial organizations, where smart cards, fingerprints, and NFC are widely used for authentication.

The ReVault set consists of two out-of-bounds memory access issues (CVE-2025-24311, CVE-2025-25050), an arbitrary free vulnerability (CVE-2025-25215), a stack-based buffer overflow (CVE-2025-24922), and an insecure deserialization issue (CVE-2025-24919) in the ControlVault Windows APIs.

Dell reportedly released patches for the ControlVault3 driver and firmware between March and May 2025. A full list of affected laptop models, together with the fixed driver and firmware versions, is in the Dell security bulletin.

Cisco Talos explains that chaining these vulnerabilities allows an attacker to execute arbitrary code at the firmware level of the USH, which enables persistent implants on the device that survive even a Windows reinstallation, since the implant lives in the card's firmware rather than on the disk.

Additionally, with physical access to the device, the vulnerabilities could be exploited to bypass system login or escalate a local user’s privileges to an administrator level.

“A local attacker with physical access to a user’s laptop can open it and gain direct access to the USH board via USB, using a custom connector,” experts explain. “After that, all of the previously described vulnerabilities become available to the attacker, without needing to log into the system or know the disk encryption password.”

Successful exploitation of ReVault vulnerabilities also allowed manipulation of fingerprint authentication, forcing the target device to accept any fingerprint, not just those belonging to legitimate users.

Cisco Talos recommends that Dell laptop owners install the updates via Windows Update or from the Dell website, disable security peripherals they do not use (fingerprint readers, smart card readers, and NFC), and turn off fingerprint login altogether in high-risk situations.

To limit the impact of physical attacks, the researchers also recommend enabling chassis intrusion detection in the BIOS settings, so that attempts to open the case are logged, and enabling Enhanced Sign-in Security (ESS) in Windows, which can detect firmware discrepancies in ControlVault.
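The checks and the peripheral lockdown described above, as an added PowerShell example that is not part of the original article and not code from Cisco Talos or Dell. It assumes that the USH shows up in Plug and Play with a friendly name containing "ControlVault" or with Broadcom's USB vendor ID 0A5C, and that the PnP classes Biometric, SmartCardReader and Proximity cover the fingerprint, smart card and NFC readers; verify those assumptions in Device Manager on your own model. Windows exposes the driver version only, so the USH firmware version still has to be confirmed with Dell Command | Update or the Dell support page and compared against the versions listed in the bulletin.

```powershell
# Added example: inventory ControlVault hardware and the peripherals the
# article suggests disabling, and optionally disable the unused ones.
# Assumptions (not from the article): the USH device's FriendlyName contains
# "ControlVault" or its instance ID starts with USB\VID_0A5C (Broadcom);
# the PnP classes Biometric, SmartCardReader and Proximity correspond to
# the fingerprint reader, smart card reader and NFC reader.
# Run from an elevated PowerShell session.

[CmdletBinding()]
param(
    # Report only by default; pass -Disable to actually disable the peripherals.
    [switch]$Disable
)

# 1. Locate the ControlVault (USH) device and its installed driver version.
#    Only the driver version is visible here; the USH firmware version comes
#    from Dell Command | Update or the Dell support page for the model.
$cv = Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
      Where-Object { $_.FriendlyName -like '*ControlVault*' -or $_.InstanceId -like 'USB\VID_0A5C*' }

if (-not $cv) {
    Write-Host 'No ControlVault device present; ReVault does not apply to this machine.'
} else {
    foreach ($d in $cv) {
        $drv = Get-CimInstance Win32_PnPSignedDriver |
               Where-Object { $_.DeviceID -eq $d.InstanceId } |
               Select-Object -First 1
        [pscustomobject]@{
            Device        = $d.FriendlyName
            InstanceId    = $d.InstanceId
            Status        = $d.Status
            DriverVersion = $drv.DriverVersion
            DriverDate    = $drv.DriverDate
        } | Format-List
    }
    Write-Host 'Compare DriverVersion and the USH firmware version against the fixed versions in the Dell ReVault bulletin for this model.'
}

# 2. Enumerate the peripherals that are worth disabling when not in use.
$classes = 'Biometric', 'SmartCardReader', 'Proximity'
$periph = Get-PnpDevice -PresentOnly -Class $classes -ErrorAction SilentlyContinue
$periph | Select-Object Class, FriendlyName, Status, InstanceId | Format-Table -AutoSize

# 3. Disable them only when explicitly asked. Disable-PnpDevice requires
#    elevation and the change persists until the device is re-enabled.
if ($Disable) {
    foreach ($p in ($periph | Where-Object Status -eq 'OK')) {
        Write-Host "Disabling $($p.Class): $($p.FriendlyName)"
        Disable-PnpDevice -InstanceId $p.InstanceId -Confirm:$false
    }
}
```

Disabling the readers in software reduces the attack surface reachable from a logged-in user through the Windows APIs, but it does not protect against the physical attack the researchers describe, since an attacker with a custom connector talks to the USH over USB directly; for that case the BIOS chassis intrusion setting and ESS remain the relevant controls.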
