Security Vulnerabilities Found in Dell’s ControlVault3 Firmware
Date: August 9, 2025
Author: Ravie Lakshmanan
Tags: Vulnerability, Hardware Security
Recent cybersecurity findings have revealed significant vulnerabilities within Dell’s ControlVault3 firmware. These flaws could potentially allow attackers to bypass Windows login, extract sensitive cryptographic keys, and maintain access to compromised systems, even after a fresh installation of the operating system. The implications of these vulnerabilities reach far into the realm of hardware security, affecting a wide range of Dell laptop models.
Overview of Vulnerabilities
Codenamed ReVault by Cisco Talos, these vulnerabilities impact over 100 Dell laptop models equipped with Broadcom BCM5820X series chips. Although there is currently no evidence suggesting that these vulnerabilities have been exploited in the wild, their existence raises serious concerns about the security frameworks in place for devices that utilize ControlVault technology.
ControlVault and Its Importance
ControlVault is designed to be a hardware-based security solution, primarily used in industries that require high levels of security for user authentication. This technology effectively manages and stores sensitive information, such as passwords, biometric data, and security codes, within its firmware. It is particularly valuable in settings that utilize smart card readers and near-field communication (NFC) readers.
Attack Vector and Exploitability
During the Black Hat USA security conference, detailed methodologies were shared on how cybercriminals could leverage these vulnerabilities. Attackers can exploit them to escalate privileges after gaining initial access, bypassing authentication controls to establish persistence on compromised systems. This persistence can endure even through operating system updates or reinstalls, making it a formidable threat for enterprises that require robust security measures.
Key Vulnerabilities Identified
Cisco Talos outlined several critical vulnerabilities that constitute the ReVault threat:
- CVE-2025-25050: (CVSS score: 8.8) An out-of-bounds write vulnerability in the cv_upgrade_sensor_firmware function could enable unauthorized out-of-bounds writes.
- CVE-2025-25215: (CVSS score: 8.8) An arbitrary free vulnerability in the cv_close function may lead to unauthorized memory manipulation.
- CVE-2025-24922: (CVSS score: 8.8) A stack-based buffer overflow in the securebio_identify function could allow arbitrary code execution.
- CVE-2025-24311: (CVSS score: 8.4) An out-of-bounds read vulnerability in the cv_send_blockdata function could result in unintentional information leakage.
- CVE-2025-24919: (CVSS score: 8.1) A deserialization of untrusted input vulnerability in the cvhDecapsulateCmd function may facilitate arbitrary code execution.
Local Exploitation Risks
Cisco Talos has also highlighted the risk posed by local attackers. If someone gains physical access to a user’s laptop, they can dismantle it and access the Unified Security Hub (USH) board. This access allows for the exploitation of any of the identified vulnerabilities without needing user credentials or a full-disk encryption password.
Philippe Laulheret, a researcher at Cisco Talos, emphasized the seriousness of the ReVault attack, describing it as a “post-compromise persistence technique” that can bypass Windows login. He noted that it could grant local users admin or system-level privileges with minimal effort.
Recommendations for Users
To protect against these vulnerabilities, it is imperative that users take proactive measures:
- Apply Updates: Users should immediately install any security fixes provided by Dell.
- Disable Unused Services: If peripherals like fingerprint readers, smart card readers, or NFC readers are not in use, it is advisable to disable ControlVault services to reduce exposure.
- Turn Off Fingerprint Login: In environments deemed high-risk, it may be wise to disable fingerprint login options altogether.
By staying vigilant and implementing these recommendations, users can help protect their systems from potential exploitation stemming from the vulnerabilities within Dell’s ControlVault3 firmware.


