2 min read
ReVault flaws let hackers bypass Windows login on Dell laptops
Gugu Ntsele Aug 23, 2025 8:49:14 AM

Five vulnerabilities dubbed "ReVault" in the firmware and Windows APIs of Dell's ControlVault3 security hardware affect over 100 Dell laptop models. Chained together they let an attacker bypass Windows login and plant an implant in the firmware that survives a Windows reinstall.
What happened
Cisco's Talos security division discovered five vulnerabilities in Dell's ControlVault3 firmware affecting both the Latitude and Precision laptop series. ControlVault is a hardware-based security solution that stores passwords, biometric data, and security codes in firmware running on a dedicated daughterboard called the Unified Security Hub (USH), separate from the main CPU and disk. The vulnerabilities are two out-of-bounds flaws (CVE-2025-24311, CVE-2025-25050), an arbitrary free (CVE-2025-25215), a stack overflow (CVE-2025-24922), and an unsafe deserialization issue in ControlVault's Windows APIs (CVE-2025-24919). Dell released security updates between March and May 2025 to address these flaws in the ControlVault3 driver and firmware.
Going deeper
Attackers can chain these vulnerabilities to gain arbitrary code execution on the USH firmware and leave a persistent implant there; because the implant lives on the daughterboard rather than on the disk, reinstalling Windows does not remove it. There are two ways in. Code already running on the laptop as an ordinary, non-administrative user can reach the firmware through the ControlVault Windows APIs, which is how a foothold from malware or a phished account turns into a privilege escalation to administrator and a persistent implant. With physical access, none of that is needed: the attacker opens the chassis and talks to the USH board directly over USB with a custom connector, so every one of the vulnerabilities is reachable without Windows credentials or the full-disk encryption password. In either case, successful exploitation lets the attacker alter how fingerprint authentication behaves, forcing the device to accept any fingerprint rather than only the enrolled user's, and so walk through the Windows login screen.
What was said
"A local attacker with physical access to a user's laptop can pry it open and directly access the USH board over USB with a custom connector," Cisco Talos said. "From there, all the vulnerabilities described previously become in-scope for the attacker without requiring the ability to log in to the system or knowing a full-disk encryption password."
Why it matters
These vulnerabilities specifically impact Dell's business-focused laptop lines, which are widely deployed in cybersecurity, government, and industrial environments where strong authentication is expected. A flaw in Windows or an application is undone by reimaging the machine; an implant in the ControlVault firmware is not, because reimaging never touches the USH board. That makes these flaws a persistence mechanism rather than a one-off compromise, and a serious problem for organizations handling sensitive data. The ability to make the fingerprint reader accept any finger undermines a security layer that many enterprises rely on for access control, potentially exposing the secure facilities and sensitive information systems these laptops reach.
The bottom line
Organizations using affected Dell Latitude and Precision laptops should apply the available ControlVault driver and firmware updates now, through Windows Update, Dell's update tooling, or Dell's support site, and verify that both the driver and the USH firmware were actually updated rather than only the driver. In high-risk environments, consider disabling fingerprint authentication and any unused security peripherals (smart card and NFC readers that also live on the USH) until the fix is in place, enabling chassis intrusion detection in the BIOS so that opening the case is logged, and turning on Windows Hello Enhanced Sign-in Security, which isolates the biometric pipeline from the rest of the system.
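As an added example (not Dell's or Cisco Talos's tooling) of the check a Windows administrator would run before rolling out the fix, the script below reports whether a machine is in the affected model lines, which ControlVault driver it carries, and whether fingerprint sign-in is still enabled, with a switch to disable biometrics by policy until the firmware is updated. It assumes that the ControlVault device name in Device Manager contains "ControlVault", that the "Allow the use of biometrics" policy is read from HKLM\SOFTWARE\Policies\Microsoft\Biometrics, and that the Windows Biometric Service is named WbioSrvc; the patched driver and firmware versions are deliberately not hard-coded because they are model-specific and come from Dell's advisory.

```powershell
# Added example, not Dell or Cisco Talos code. Inventories a Dell laptop's ReVault exposure
# and optionally disables fingerprint sign-in by policy. Run elevated to use -DisableBiometrics.
function Get-ControlVaultExposure {
    [CmdletBinding()]
    param(
        [switch]$DisableBiometrics   # apply the "Allow the use of biometrics" policy and stop WbioSrvc
    )

    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $bios = Get-CimInstance -ClassName Win32_BIOS

    # ControlVault is a PnP device with its own signed driver. The driver version is a proxy for
    # patch state to compare against Dell's advisory; the USH firmware itself is flashed by Dell's
    # update package, so a current driver alone is not proof the firmware was updated.
    # Assumption: the device name contains "ControlVault".
    $cv = Get-CimInstance -ClassName Win32_PnPSignedDriver |
          Where-Object { $_.DeviceName -match 'ControlVault' } |
          Select-Object DeviceName, DriverVersion, DriverDate, DriverProviderName

    $wbio = Get-Service -Name WbioSrvc -ErrorAction SilentlyContinue

    # Assumption: the biometrics policy location; Enabled=0 blocks Windows Hello fingerprint sign-in.
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics'
    $policy = Get-ItemProperty -Path $policyPath -Name Enabled -ErrorAction SilentlyContinue

    if ($DisableBiometrics) {
        New-Item -Path $policyPath -Force | Out-Null
        Set-ItemProperty -Path $policyPath -Name Enabled -Value 0 -Type DWord
        if ($wbio) {
            Stop-Service -Name WbioSrvc -Force -ErrorAction SilentlyContinue
            Set-Service  -Name WbioSrvc -StartupType Disabled
            $wbio = Get-Service -Name WbioSrvc
        }
        $policy = Get-ItemProperty -Path $policyPath -Name Enabled
    }

    [pscustomobject]@{
        Manufacturer        = $cs.Manufacturer
        Model               = $cs.Model
        # Rough filter on the two affected lines; confirm the exact model against Dell's advisory.
        InScopeModelLine    = ($cs.Manufacturer -match 'Dell') -and ($cs.Model -match '^(Latitude|Precision)')
        BiosVersion         = $bios.SMBIOSBIOSVersion
        ControlVaultPresent = [bool]$cv
        ControlVaultDrivers = $cv
        BiometricService    = if ($wbio) { "$($wbio.Status) / $($wbio.StartType)" } else { 'not installed' }
        BiometricsPolicy    = if ($null -eq $policy) { 'not set (allowed)' }
                              elseif ($policy.Enabled -eq 0) { 'disabled by policy' }
                              else { 'allowed by policy' }
    }
}

# Usage:
#   Get-ControlVaultExposure | Format-List
#   Get-ControlVaultExposure -DisableBiometrics   # elevated; revert by deleting the Biometrics policy key
```

Run it across a fleet through your management tooling and sort on ControlVaultPresent and DriverVersion to find machines still on a pre-fix driver. Disabling biometrics this way removes the fingerprint-bypass outcome but not the firmware flaws themselves, so it is a stopgap until the Dell update lands, not a substitute for it.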
FAQs
Do these vulnerabilities affect Dell consumer laptop models like Inspiron or XPS?
No. ControlVault and the USH board are fitted to Dell's business lines, and the flaws are confirmed in Latitude and Precision models only.
Can the attack be carried out remotely over the internet?
Not over the internet. Reaching the USH board directly requires physical access to the laptop, but the ControlVault Windows API flaw can be triggered by code already running on the machine as a local user, so malware that lands on the laptop can reach the firmware without anyone opening the case.
Does encryption software like BitLocker protect against this attack?
No. The attack targets the USH board, which is reached and reprogrammed without knowing the encryption password, and the resulting implant lets the attacker pass the Windows login screen. A pre-boot PIN stops an attacker from booting the machine into Windows on their own, but not from planting the implant and waiting for the owner to unlock it.
How can users check if their Dell laptop model is affected?
Dell has published advisories listing the specific vulnerable models.
Does disabling fingerprint authentication completely stop the risk?
No. Turning off fingerprint login removes the fingerprint-bypass outcome, but the vulnerable firmware is still present and still reachable, so code execution on the USH board and a persistent implant remain possible until the Dell update is applied.