{"id":14573,"date":"2025-08-06T20:59:07","date_gmt":"2025-08-06T20:59:07","guid":{"rendered":"https:\/\/newestek.com\/?p=14573"},"modified":"2025-08-06T20:59:07","modified_gmt":"2025-08-06T20:59:07","slug":"revault-flaws-let-attackers-bypass-windows-login-or-place-malware-implants-on-dell-laptops","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=14573","title":{"rendered":"ReVault flaws let attackers bypass Windows login or place malware implants on Dell laptops"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>Flaws in the firmware that ships with more than 100 models of Dell business laptops compromise the hardware designed to secure passwords and biometric data.<\/p>\n<p>Vulnerabilities in the ControlVault3 (CV) firmware in Dell laptops, discovered by security researchers from Cisco Talos, allow attackers with physical access to bypass Windows login on vulnerable laptops or let a local user gain admin privileges.<\/p>\n<p>The most serious of the five vulnerabilities affects the Windows API associated with ControlVault3 and creates a means for attackers to install persistent malware capable of surviving even an operating system reinstallation.<\/p>\n<p>Fortunately, all five of the vulnerabilities, collectively known as ReVault, were addressed through a series of <a href=\"https:\/\/www.dell.com\/support\/kbdoc\/en-us\/000276106\/dsa-2025-053\" target=\"_blank\" rel=\"noreferrer noopener\">Dell ControlVault3 driver and firmware updates<\/a> released by the company between March and May 2025.<\/p>\n<p>Researchers at Cisco Talos released details of the vulnerabilities in a <a href=\"https:\/\/blog.talosintelligence.com\/revault-when-your-soc-turns-against-you\/\" 
target=\"_blank\" rel=\"noreferrer noopener\">technical blog post<\/a> on Tuesday, ahead of a <a href=\"https:\/\/www.blackhat.com\/us-25\/briefings\/schedule\/#revault-compromised-by-your-secure-soc-45899\" target=\"_blank\" rel=\"noreferrer noopener\">presentation at the Black Hat USA conference<\/a> on Wednesday, August 6.<\/p>\n<h2 class=\"wp-block-heading\" id=\"not-so-secure-enclave\">Not so secure enclave<\/h2>\n<p>ControlVault3 offers a secure hardware enclave within the system firmware that stores sensitive data such as passwords, biometric templates (like fingerprint data), and security codes. The technology, which comes as a daughter board known as the Unified Security Hub (USH) that connects to security peripherals such as a fingerprint reader or smart card reader, is primarily used in Dell business laptops such as the Latitude and Precision series, and Rugged variants of these models.<\/p>\n<p>Potentially <a href=\"https:\/\/www.dell.com\/support\/kbdoc\/en-us\/000276106\/dsa-2025-053\" target=\"_blank\" rel=\"noreferrer noopener\">affected laptops<\/a> are widely used in the cybersecurity industry, across government and in industrial environments.<\/p>\n<h2 class=\"wp-block-heading\" id=\"planting-implants\">Planting implants<\/h2>\n<p>An investigation by Cisco Talos uncovered two out-of-bounds vulnerabilities (<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-24311\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-24311<\/a>, <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-25050\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-25050<\/a>), an arbitrary free (<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-25215\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-25215<\/a>) and a stack-overflow flaw (<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-24922\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-24922<\/a>), all affecting the ControlVault firmware.<\/p>\n<p>The same researchers also 
discovered an unsafe deserialization flaw (<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-24919\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-24919<\/a>) affecting ControlVault\u2019s Windows APIs. This vulnerability makes it possible to trigger arbitrary code execution on the ControlVault firmware, allowing the extraction of key material essential to the security of the device and in turn opening the door to modifying its firmware.<\/p>\n<p>\u201cThis creates the risk of a so-called implant that could stay unnoticed in a laptop\u2019s CV firmware and eventually be used as a pivot back onto the system in the case of a threat actor\u2019s post-compromise strategy,\u201d <a href=\"https:\/\/www.linkedin.com\/in\/philippe-laulheret-094a5315\/\" target=\"_blank\" rel=\"noreferrer noopener\">Philippe Laulheret<\/a>, senior vulnerability researcher at Cisco Talos, warned.<\/p>\n<h2 class=\"wp-block-heading\" id=\"ush-board-hardware-exploitation\">USH board hardware exploitation<\/h2>\n<p>Other risks stem from a potential attack where an attacker with physical access to a vulnerable laptop would pry it open and directly access the USH board over USB with a custom connector. 
In this scenario, an attacker could hack the device without needing either login credentials or the full-disk encryption password.<\/p>\n<p>\u201cWhile chassis-intrusion can be detected, this is a feature that needs to be enabled beforehand to be effective at warning of a potential tampering,\u201d Cisco Talos researchers noted.<\/p>\n<p>In cases where a system is configured so that it is unlocked with a user\u2019s fingerprint, the vulnerabilities could be exploited to tamper with the firmware and allow it to accept any fingerprint rather than only that of a legitimate user, setting up the possibility of Mission Impossible-style hack scenarios.<\/p>\n<h2 class=\"wp-block-heading\" id=\"mitigation\">Mitigation<\/h2>\n<p>The first step in mitigating all the flaws is to install the latest version of the ControlVault3 firmware. \u201cCV firmware can be automatically deployed via Windows Update, but new firmware usually gets released on the Dell website a few weeks prior,\u201d Cisco Talos noted.<\/p>\n<p>Enterprises that don\u2019t use security peripherals (fingerprint reader, smart card readers, or NFC readers) should consider disabling CV services as a precaution. 
Disabling fingerprint login when risks are heightened, such as during offsite visits or while traveling, offers another potential mitigation.<\/p>\n<p>Cisco Talos concluded that its research offers a stark example of why it\u2019s important to consider the security of hardware components of a system rather than only focusing on its software.<\/p>\n<p>\u201cVulnerabilities in widely-used firmware such as Dell ControlVault can have far-reaching implications, potentially compromising even advanced security features like biometric authentication,\u201d Cisco Talos\u2019 Laulheret concluded.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Flaws in the firmware that ships with more than 100 models of Dell business laptops compromise the hardware designed to secure passwords and biometric data. Vulnerabilities in the ControlVault3 (CV) firmware in Dell laptops, discovered by security researchers from Cisco Talos, allow attackers with physical access to bypass Windows login on vulnerable laptops or let a local user gain admin privileges. 
The most serious of&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=14573\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-14573","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14573","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14573"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14573\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14573"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14573"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14573"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}