ControlVault Vulnerabilities dubbed ReVault expose Dell business laptops to firmware-level attacks
Take action: It's very weird when the vulnerability affects the advanced security systems of a laptop, and the mitigation is to disable the advanced security systems. We recommend patching your Latitude, Precision, or Dell Pro devices, because fingerprint access is a lot better than recycled passwords. And any laptop can be hacked, or will at some point be handed to another person, whether for service or because it is lost or stolen.
Learn More
Security researchers at Cisco Talos are reporting a set of five vulnerabilities in Dell's ControlVault3 firmware and associated Windows APIs that could allow attackers to establish persistent access, bypass Windows login protections, and maintain control over affected systems even after a complete operating system reinstallation.
The vulnerability chain, collectively dubbed "ReVault," affects over 100 models of Dell business laptops. The vulnerabilities affect Broadcom BCM5820X series chips in the Dell ControlVault3 - a hardware-based security solution designed to provide a secure repository for storing passwords, biometric templates, and security codes within firmware.
The system uses a daughter board called the Unified Security Hub (USH) that serves as a central hub connecting various security peripherals including fingerprint readers, smart card readers, and NFC devices. The USH operates independently from the computer's user-facing operating system (like Windows or Linux).
Vulnerability summary:
- CVE-2025-24311 (CVSS score 8.6) - an out-of-bounds read vulnerability in the cv_send_blockdata functionality that can lead to information leakage through specially crafted ControlVault API calls
- CVE-2025-25050 (CVSS score 8.8) - an out-of-bounds write vulnerability enabling arbitrary code execution through malicious API interactions
- CVE-2025-25215 (CVSS score 8.8) - an arbitrary memory free vulnerability in the cv_close functionality that allows attackers to forge fake sessions and trigger use-after-free conditions
- CVE-2025-24922 (CVSS score 8.8) - a stack-based buffer overflow vulnerability in the securebio_identify functionality that enables arbitrary code execution through crafted cv_objects
- CVE-2025-24919 (CVSS score 8.8) - an unsafe deserialization vulnerability in the cvhDecapsulateCmd functionality of ControlVault's Windows APIs that can lead to arbitrary code execution
The vulnerability chain requires initial compromise of the laptop:
- An attacker can then use a compromised account on the operating system to interact with the ControlVault firmware using associated APIs and permanently modify firmware and establish an undetectable implant.
- An attacker with physical access to the device (stolen, lost or delivered for service) can directly access the USH board through a custom USB connector, bypassing full-disk encryption and login protections entirely.
The resulting backdoor in the computer's ControlVault firmware cannot be noticed by the user and survives reinstallation of the operating system.
Dell acknowledged the vulnerabilities and issued security advisory DSA-2025-053. Patches for the flaws became generally available through Dell's support website and Windows Update between March and May 2025.
The affected models span Latitude business laptops (models 5300 through 9520), Precision workstations (models 3470 through 7780), and Dell Pro business laptops, along with several rugged variants designed for challenging environments.
Dell strongly recommends that organizations prioritize firmware updates. The company has made patches available through both automated Windows Update mechanisms and direct download from Dell's support website.
For organizations unable to immediately apply firmware updates, Cisco Talos recommends disabling ControlVault services through Windows Service Manager if biometric or smartcard authentication is not required, enabling chassis intrusion detection in computer BIOS settings to flag physical tampering, and considering disabling fingerprint login when devices may be left unattended in unsecured locations.
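The following PowerShell script is an added example, not tooling from Dell or Cisco Talos, that an administrator could use to inventory ControlVault devices and related services on a Windows host and, with the -Mitigate switch, apply the interim workarounds named above (stop and disable ControlVault services, and turn off biometric logon). The device and service name patterns ('*ControlVault*') are assumptions to be verified against Device Manager and services.msc on your own fleet; the biometrics policy key under HKLM\SOFTWARE\Policies\Microsoft\Biometrics is the standard Windows "Allow the use of biometrics" policy. Chassis intrusion detection is a BIOS setup setting and is not changed by this script.

```powershell
<#
  Audit-ControlVault.ps1 (added example; not Dell or Cisco Talos code)
  Default: report ControlVault devices, driver versions and related services.
  -Mitigate: stop/disable ControlVault services and disable biometric logon.
  Run from an elevated PowerShell session.
#>
[CmdletBinding()]
param(
    [switch]$Mitigate
)

# Assumed name patterns; confirm them on your own hardware before relying on this.
$DevicePattern  = '*ControlVault*'
$ServicePattern = '*ControlVault*'

function Get-ControlVaultInventory {
    # Present PnP devices whose friendly name matches the assumed pattern.
    $devices = Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.FriendlyName -like $DevicePattern }

    foreach ($d in $devices) {
        # Driver version is visible via PnP; the firmware version itself must be
        # compared against the fixed versions listed in DSA-2025-053.
        $drv = Get-PnpDeviceProperty -InstanceId $d.InstanceId `
                   -KeyName 'DEVPKEY_Device_DriverVersion' -ErrorAction SilentlyContinue
        [pscustomobject]@{
            FriendlyName  = $d.FriendlyName
            Status        = $d.Status
            InstanceId    = $d.InstanceId
            DriverVersion = $drv.Data
        }
    }
}

function Get-ControlVaultServices {
    # Dell ControlVault services (assumed pattern) plus the Windows Biometric Service,
    # which fronts fingerprint logon regardless of vendor.
    Get-Service -ErrorAction SilentlyContinue |
        Where-Object {
            $_.DisplayName -like $ServicePattern -or
            $_.Name -like $ServicePattern -or
            $_.Name -eq 'WbioSrvc'
        } |
        Select-Object Name, DisplayName, Status, StartType
}

function Disable-ControlVaultServices {
    # Workaround 1: stop and disable the ControlVault services (not WbioSrvc, which
    # is handled by the biometrics policy below).
    Get-ControlVaultServices | Where-Object { $_.Name -ne 'WbioSrvc' } | ForEach-Object {
        Write-Host "Disabling service $($_.Name) ($($_.DisplayName))"
        Stop-Service -Name $_.Name -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $_.Name -StartupType Disabled
    }
}

function Disable-BiometricLogon {
    # Workaround 3: turn off fingerprint logon via the Windows biometrics policy
    # (Computer Configuration > Windows Components > Biometrics > Allow the use of biometrics).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
    Write-Host "Biometric logon disabled by policy; takes effect at next sign-in."
}

# --- Audit ---
Write-Host "== ControlVault devices =="
Get-ControlVaultInventory | Format-Table -AutoSize

Write-Host "== Related services =="
Get-ControlVaultServices | Format-Table -AutoSize

# Workaround 2 (chassis intrusion detection) lives in BIOS setup; note it here so
# the audit output reminds the operator to verify it.
Write-Host "Reminder: verify chassis intrusion detection is enabled in BIOS setup."

# --- Optional mitigation ---
if ($Mitigate) {
    Disable-ControlVaultServices
    Disable-BiometricLogon
}
```

Run without switches first to see what the assumed patterns match on a given model; only after the inventory looks right should -Mitigate be used, and only on devices that do not need smartcard or fingerprint authentication until the firmware update from DSA-2025-053 is applied.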