Security researchers at Cisco Talos have revealed a set of five critical vulnerabilities in Dell’s ControlVault3 firmware and its associated Windows APIs. Dubbed “ReVault”, the flaws affect over 100 models of widely used Dell Latitude and Precision laptops.
ControlVault, a dedicated security chip, is designed to safeguard sensitive biometric data, passwords, and encryption keys. However, these new vulnerabilities expose how this secure enclave can be compromised.
The ReVault vulnerabilities range from unsafe deserialization to memory manipulation bugs, enabling attackers to retain access to compromised systems, even after operating system reinstalls. In physical attacks, threat actors can bypass login mechanisms or plant malicious firmware undetectable by antivirus software.
Despite available patches, many systems remain unprotected, emphasizing the need for urgent mitigation.
Why It Matters: ControlVault is a core security feature for many Dell laptops in high-trust environments. A breach at the firmware level undermines advanced authentication measures, rendering systems vulnerable. These findings highlight the critical importance of securing hardware firmware, which is often overlooked in standard security protocols.
- Five CVEs Uncover Firmware and API Weaknesses: Cisco Talos identified five vulnerabilities in Dell’s ControlVault3 and associated APIs:
- CVE-2025-24919 (unsafe deserialization),
- CVE-2025-24311 (out-of-bounds read),
- CVE-2025-25050 (out-of-bounds write),
- CVE-2025-24922 (stack buffer overflow),
- CVE-2025-25215 (arbitrary memory free).
- Post-Compromise Persistence and Firmware Implantation: Even without admin privileges, users can interact with the ControlVault firmware through its Windows APIs. This loophole gives attackers the chance to insert persistent malware that can survive even if Windows is completely reinstalled. It’s a serious threat to anyone dealing with post-compromise scenarios.
- Hands-On Hack Can Bypass Fingerprints and Logins: If someone has physical access to a vulnerable laptop, they can tap directly into the Unified Security Hub using a custom USB connector. From there, they can tamper with the firmware, override biometric checks like fingerprints, and bypass login protections without authentication.
- Patches Are Out, But Many Devices May Still Be Unprotected: Dell began rolling out updates in March 2025 and notified users in June. However, the complexity of firmware updates, especially in large organizations, means many devices may remain vulnerable.
- Recommended Mitigation Steps Include Firmware Updates and Disabling CV: Cisco Talos urges users to check for and install the latest firmware updates via Dell’s support site or Windows Update. Organizations that do not use security features like fingerprint or smart card login should consider disabling ControlVault services through Windows settings. Enabling chassis intrusion detection in BIOS and watching for unusual activity in Windows logs can also help spot signs of tampering.
Go Deeper -> ReVault! When your SoC turns against you… – Talos


