Pierluigi Paganini August 07, 2025

ReVault flaws in Dell ControlVault3 firmware allow firmware implants and Windows login bypass on 100+ laptop models via physical access.

Cisco Talos reported five vulnerabilities collectively named ReVault (tracked as CVE-2025-24311, CVE-2025-25215, CVE-2025-24922, CVE-2025-25050, and CVE-2025-24919) in Dell’s ControlVault3 firmware that expose over 100 laptop models to firmware implants and Windows login bypass via physical access.

On June 13, Dell disclosed these vulnerabilities impacting Dell Pro, Latitude, and Precision laptop models.

ControlVault3 is a hardware-based security module found in many Dell laptops, including Latitude, Precision, and XPS models. It provides a secure environment for storing and processing sensitive data such as user passwords, biometric information, security codes, and encryption keys.

“The ReVault attack can be used as a post-compromise persistence technique that can remain even across Windows reinstalls.” reads the advisory published by Talos. “The ReVault attack can also be used as a physical compromise to bypass Windows Login and/or for any local user to gain Admin/System privileges.” 

Below are the descriptions of the flaws:

• CVE-2025-24311 (CVSS score of 8.4): An out-of-bounds read vulnerability exists in the cv_send_blockdata functionality of Dell ControlVault3 prior to 5.15.10.14 and Dell ControlVault3 Plus prior to 6.2.26.36. A specially crafted ControlVault API call can lead to an information leak. An attacker can trigger the flaw by issuing an API call.
• CVE-2025-25215 (CVSS score of 8.8): An arbitrary free vulnerability exists in the cv_close functionality of Dell ControlVault3 prior to 5.15.10.14 and Dell ControlVault3 Plus prior to 6.2.26.36. A specially crafted ControlVault API call can lead to an arbitrary free. An attacker can trigger this vulnerability by forging a fake session.
• CVE-2025-24922 (CVSS score of 8.8): A stack-based buffer overflow vulnerability exists in the securebio_identify functionality of Dell ControlVault3 prior to 5.15.10.14 and Dell ControlVault3 Plus prior to 6.2.26.36. A specially crafted malicious cv_object can lead to a arbitrary code execution. An attacker can issue an API call to trigger this vulnerability.
• CVE-2025-25050 (CVSS score of 8.8): An out-of-bounds write vulnerability exists in the cv_upgrade_sensor_firmware functionality of Dell ControlVault3 prior to 5.15.10.14 and Dell ControlVault 3 Plus prior to 6.2.26.36. A specially crafted ControlVault API call can lead to an out-of-bounds write. An attacker can issue an API call to trigger this vulnerability.
• CVE-2025-24919 (CVSS score of 8.1): A deserialization of untrusted input vulnerability exists in the cvhDecapsulateCmd functionality of Dell ControlVault3 prior to 5.15.10.14 and ControlVault3 Plus prior to 6.2.26.36. A specially crafted ControlVault response to a command can lead to arbitrary code execution. An attacker can compromise a ControlVault firmware and have it craft a malicious response to trigger this vulnerability.

The impact of these vulnerabilities is severe, due to both the lack of standard security mitigations and the ability to chain certain flaws. In one attack scenario, a non-admin Windows user could exploit the vulnerabilities to execute arbitrary code in the firmware. This could expose sensitive cryptographic material and allow permanent firmware modification, potentially enabling a hidden implant that could later be used to compromise the system further. In a second scenario presented by the researchers, a local attacker with physical access could bypass login and disk encryption by connecting directly to the firmware hardware, even tricking the system into accepting fake fingerprints if biometric login is enabled.

To reduce the risk of attack, Talos advises keeping systems updated with the latest firmware, which can be installed via Windows Update or manually from Dell’s website. If security peripherals like fingerprint or smart card readers aren’t in use, ControlVault (CV) services or devices can be disabled through the Service or Device Manager. In high-risk situations, Talos researchers also recommend disabling fingerprint login. Windows’ Enhanced Sign-in Security (ESS) may help detect tampered firmware. For detection, enabling chassis intrusion alerts in BIOS can flag physical tampering, and unusual crashes in biometric or credential services may indicate compromise. Cisco Secure Endpoint can also detect suspicious behavior linked to CV exploitation.

“These findings highlight the importance of evaluating the security posture of all hardware components within your devices, not just the operating system or software. As Talos demonstrated, vulnerabilities in widely-used firmware such as Dell ControlVault can have far-reaching implications, potentially compromising even advanced security features like biometric authentication.” concludes Talos. “Staying vigilant, patching your systems and proactively assessing risk are essential to safeguard your systems against evolving threats. “

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Dell ControlVault3)