Cybersecurity researchers have uncovered multiple security flaws in Dell’s ControlVault3 firmware and its associated Windows APIs that could have been abused by attackers to bypass Windows login, extract cryptographic keys, as well as maintain access even after a fresh operating system install by deploying undetectable malicious implants into the firmware.
The vulnerabilities have been codenamed ReVault by Cisco Talos. More than 100 models of Dell laptops running Broadcom BCM5820X series chips are affected. There is no evidence that the vulnerabilities have been exploited in the wild.
Industries that require heightened security when logging in, via smart card readers or near-field communication (NFC) readers, are likely to use ControlVault devices in their settings. ControlVault is a hardware-based security solution that offers a secure way to store passwords, biometric templates, and security codes within the firmware.
Attackers can chain the vulnerabilities, which were presented at the Black Hat USA security conference, to escalate their privileges after initial access, bypass authentication controls, and maintain persistence on compromised systems that survive operating system updates or reinstallations.
Together, these vulnerabilities create a potent remote post-compromise persistence method for covert access to high-value environments. The identified vulnerabilities are as follows –
- CVE-2025-25050 (CVSS score: 8.8) – An out-of-bounds write vulnerability exists in the cv_upgrade_sensor_firmware functionality that could lead to an out-of-bounds write
- CVE-2025-25215 (CVSS score: 8.8) – An arbitrary free vulnerability exists in the cv_close functionality that could lead to an arbitrary free
- CVE-2025-24922 (CVSS score: 8.8) – A stack-based buffer overflow vulnerability exists in the securebio_identify functionality that could lead to arbitrary code execution
- CVE-2025-24311 (CVSS score: 8.4) – An out-of-bounds read vulnerability exists in the cv_send_blockdata functionality that could lead to an information leak
- CVE-2025-24919 (CVSS score: 8.1) – A deserialization of untrusted input vulnerability exists in the cvhDecapsulateCmd functionality that could lead to arbitrary code execution
The cybersecurity company also pointed out that a local attacker with physical access to a user’s laptop could pry it open and access the Unified Security Hub (USH) board, allowing an attacker to exploit any of the five vulnerabilities without having to log in or possess a full-disk encryption password.
“The ReVault attack can be used as a post-compromise persistence technique that can remain even across Windows reinstalls,” Cisco Talos researcher Philippe Laulheret said. “The ReVault attack can also be used as a physical compromise to bypass Windows Login and/or for any local user to gain Admin/System privileges.”
To mitigate the risk posed by these flaws, users are advised to apply the fixes provided by Dell; disable ControlVault services if peripherals like fingerprint readers, smart card readers, and near-field communication (NFC) readers are not being used; and turn off fingerprint login in high risk situations.
