Security researchers from Cisco Talos have discovered five major security vulnerabilities in the firmware of Dell laptops. These flaws affect Dell’s ControlVault3 and ControlVault3+ chips, which are responsible for handling sensitive operations like biometric authentication and password storage. The vulnerabilities have been named “ReVault” and impact over 100 Dell Latitude and Precision laptop models commonly used by professionals and organizations in high-security environments.

Dell’s ControlVault is meant to be a secure hardware module that manages fingerprint scanners, smart card readers, NFC devices, and stores important credentials like encryption keys. It acts as a dedicated security chip to protect users from software-level attacks. Ironically, the vulnerabilities discovered allow attackers to exploit this same chip, turning a trusted layer of protection into a dangerous backdoor for hackers.

The five vulnerabilities identified are serious and include memory corruption and unsafe code execution flaws. Two of the issues, CVE-2025-24311 and CVE-2025-25050, are out-of-bounds memory access bugs. CVE-2025-25215 involves an arbitrary free operation, CVE-2025-24922 is a stack-based buffer overflow, and CVE-2025-24919 is a Windows API-related unsafe deserialization vulnerability. Each of these can be used to hijack the firmware, allowing attackers to execute arbitrary code.

Cisco researchers explained that attackers could exploit these flaws in two main ways. The first method is through remote access, where even a normal (non-admin) Windows user could run a specially crafted process to hijack the firmware. This could allow a hacker to implant malicious code that remains hidden, survives OS reinstalls, and becomes extremely hard to detect or remove using regular antivirus tools.

The second method involves physical access to the laptop. If an attacker gets hold of the machine, they can open it up and connect directly to the security chip via USB using a custom connector. From there, they can interact with the firmware and completely bypass the Windows login process, even if full-disk encryption is enabled. They can also tamper with fingerprint recognition and force the system to accept any fingerprint input.

In one proof-of-concept demo, Cisco Talos researchers even showed that the compromised fingerprint system could be tricked by scanning a spring onion, highlighting just how dangerous these vulnerabilities are. This type of hardware-level attack can completely defeat traditional security layers like login passwords and biometric authentication.

These findings are alarming because many Dell laptops using ControlVault are deployed in highly sensitive environments, including government agencies, corporate offices, and cybersecurity firms. A successful attack exploiting ReVault vulnerabilities could give hackers long-term, undetected access to sensitive systems, posing a major risk to data security.

Dell responded quickly to Cisco’s findings and released firmware updates between March and May 2025 to patch the vulnerabilities. The full list of affected devices and their fixes is documented in Dell’s official advisory DSA-2025-053. Users and IT admins are strongly advised to apply the updates immediately to protect their systems.

To further reduce risk, users can disable unused features like fingerprint readers, smart cards, and NFC. It’s also recommended to turn off biometric login on high-risk machines, enable chassis intrusion detection in BIOS (if supported), and use Windows Enhanced Sign-in Security (ESS) to detect unauthorized changes to the firmware. Unusual service crashes or DLL activity like “bcmbipdll.dll” loading unexpectedly could be signs of compromise.
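The signs of compromise listed above can be checked mechanically. The following is an added example (not from Dell, Cisco Talos, or the original article) that triages exported Windows event records for `bcmbipdll.dll` loaded by an unexpected process and for crashes of biometric-related services. The JSON field names, the allowlisted loader path, and the service-name fragments are assumptions, and the sample events are constructed.

```python
import json
from pathlib import PureWindowsPath

WATCHED_DLL = "bcmbipdll.dll"  # DLL name taken from the article
# ASSUMPTION: full paths allowed to load the DLL; derive the real list from a
# baseline of known-good machines in your fleet.
EXPECTED_LOADERS = {r"c:\windows\system32\svchost.exe"}
# ASSUMPTION: service-name fragments to watch for crashes.
WATCHED_SERVICES = ("biometric", "credential vault")

# Constructed sample: JSON lines shaped like exported Sysmon Event ID 7
# (image load) and Service Control Manager 7031/7034 (service crash) records.
SAMPLE_EVENTS = r"""
{"EventID": 7, "Computer": "LAT-01", "Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": "C:\\Windows\\System32\\bcmbipdll.dll"}
{"EventID": 7, "Computer": "LAT-02", "Image": "C:\\Users\\Public\\updater.exe", "ImageLoaded": "C:\\Windows\\System32\\bcmbipdll.dll"}
{"EventID": 7031, "Computer": "LAT-02", "ServiceName": "Windows Biometric Service"}
{"EventID": 7, "Computer": "LAT-03", "Image": "C:\\Temp\\svchost.exe", "ImageLoaded": "C:\\Windows\\System32\\BCMBIPDLL.DLL"}
{"EventID": 7034, "Computer": "LAT-01", "ServiceName": "Print Spooler"}
{"EventID": 7, "Computer": "LAT-04", "Image": truncated
"""

def triage(text):
    """Return (host, reason, detail) tuples for events worth a closer look."""
    findings = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or malformed row: skip rather than abort the run
        if not isinstance(ev, dict):
            continue
        eid, host = ev.get("EventID"), ev.get("Computer", "?")
        if eid == 7:
            dll = PureWindowsPath(ev.get("ImageLoaded", "")).name.lower()
            loader = ev.get("Image", "")
            # Compare the full path, so a look-alike svchost.exe elsewhere is flagged.
            if dll == WATCHED_DLL and loader.lower() not in EXPECTED_LOADERS:
                findings.append((host, "unexpected-loader", loader))
        elif eid in (7031, 7034):
            svc = ev.get("ServiceName", "")
            if any(frag in svc.lower() for frag in WATCHED_SERVICES):
                findings.append((host, "service-crash", svc))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(*finding, sep="\t")
```

A hit is a lead for investigation, not proof of compromise; the allowlist should be tuned against known-good machines before alerting on it.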

These firmware-level vulnerabilities serve as a reminder that even the most secure-looking hardware solutions can have hidden flaws. If you or your organization uses any of the affected Dell models, it’s crucial to act quickly, update the firmware, and implement additional security steps to prevent long-term damage or data theft.

Stay alert, and keep your security measures updated!
