ReVault Attack
Cybersecurity researchers have revealed a serious set of security vulnerabilities in Dell's ControlVault3 firmware and related Windows APIs. If exploited, these flaws could let attackers bypass Windows login, steal cryptographic keys, and maintain long-term access even after an operating system reinstall by implanting malicious, stealthy code directly into the firmware.
Table of Contents
Who’s at Risk?
Over 100 Dell laptop models using Broadcom BCM5820X series chips are affected. While no active exploitation has been detected so far, the impact is particularly concerning for industries that rely on strong authentication through smart card readers or near-field communication (NFC) devices.
ControlVault is designed to securely store passwords, biometric templates, and security codes in firmware. Unfortunately, chaining these flaws allows attackers to escalate privileges, bypass authentication, and remain hidden even after system wipes or updates.
The Five ReVault Vulnerabilities
Researchers have assigned the codename ReVault to this group of flaws. Together, they form a powerful post-compromise persistence method capable of covert access to high-value targets.
- CVE-2025-25050 (CVSS 8.8) – Out-of-bounds write in cv_upgrade_sensor_firmware
- CVE-2025-25215 (CVSS 8.8) – Arbitrary free in cv_close
- CVE-2025-24922 (CVSS 8.8) – Stack-based buffer overflow in securebio_identify
- CVE-2025-24311 (CVSS 8.4) – Out-of-bounds read in cv_send_blockdata
- CVE-2025-24919 (CVSS 8.1) – Deserialization of untrusted input in cvhDecapsulateCmd
Each of these can lead to severe outcomes ranging from arbitrary code execution to information leaks.
Physical Access: A Direct Shortcut for Attackers
Even without remote exploitation, a local attacker with physical access could open the laptop and directly target the Unified Security Hub (USH) board. This would allow exploitation of any of the vulnerabilities without logging in or knowing the full-disk encryption password.
This makes ReVault dangerous not only as a remote persistence technique but also as a physical compromise method for bypassing Windows login or granting any local user administrative privileges.
Reducing the Risk
Security experts advise users to apply Dell's official patches without delay, disable ControlVault services when biometric readers, smart card readers, or NFC readers are not in use, and, in high-risk environments, completely turn off fingerprint login to reduce potential exposure. These measures help close known security gaps that attackers could exploit to gain unauthorized access or maintain persistence on compromised devices. By limiting the use of potentially vulnerable authentication hardware, organizations can significantly reduce their attack surface. Regular security audits and vigilant monitoring should also be part of the broader defense strategy to ensure ongoing protection against emerging threats.
