ReVault Flaws Expose Dell Laptops to Persistent Firmware Attacks, Bypassing Windows Security

A chain of five critical vulnerabilities in Dell's hardware-based security subsystem—dubbed ReVault—allows attackers to bypass Windows login screens, escalate privileges, and implant persistent malware that survives operating system reinstalls. Discovered by Cisco Talos, these flaws affect ControlVault3, a dedicated security chipset managing biometric data, encryption keys, and authentication credentials in over 100 Dell Latitude and Precision laptop models widely used in government, industrial, and cybersecurity sectors.

The Anatomy of ControlVault3

Dell's ControlVault operates as a Unified Security Hub (USH)—a physically isolated daughterboard designed to handle sensitive operations like fingerprint validation, smartcard authentication, and full-disk encryption. This hardware-based approach theoretically creates a secure enclave separate from the main OS. However, Talos uncovered critical weaknesses in both its firmware and Windows communication interfaces:

• CVE-2025-24311 & CVE-2025-25050: Out-of-bounds write flaws enabling memory corruption
• CVE-2025-25215: Arbitrary memory deallocation vulnerability
• CVE-2025-24922: Stack overflow allowing code execution
• CVE-2025-24919: Unsafe deserialization in Windows APIs

Attack Vectors: From Physical Access to Persistent Dominance

Exploiting these flaws requires physical access but yields devastating results:

1. Windows Login Bypass: Attackers connect directly to the USH board via a custom USB connector (requiring brief physical disassembly) to manipulate authentication routines, granting access without passwords or biometric checks.
2. Firmware Persistence: Malicious payloads implanted in ControlVault survive Windows reinstalls, disk replacements, and even BIOS updates—creating undetectable backdoors.
3. Biometric Sabotage: Fingerprint validation can be forced to accept any input, nullifying biometric security.
4. Privilege Escalation: Local users can gain SYSTEM-level privileges by exploiting API deserialization flaws.

"A local attacker can access the USH board over USB without logging into the system or knowing the encryption password. This makes firmware-level persistence a severe threat," warned Cisco Talos researchers.

Mitigation and Broader Implications

Dell released patches between March-May 2025 for affected firmware and drivers (available via Windows Update or Dell's advisory). However, Talos recommends additional measures:
- Disable unused security peripherals (fingerprint/NFC/smartcard readers)
- Enable chassis intrusion detection in BIOS
- Activate Windows Enhanced Sign-in Security (ESS) to monitor firmware integrity

This incident highlights the escalating risks in hardware-rooted security systems. As enterprises increasingly rely on biometrics and hardware enclaves for protection, vulnerabilities at this layer undermine foundational trust. The ReVault flaws exemplify how sophisticated attackers are shifting focus toward firmware—where malware becomes nearly impossible to eradicate and compromises persist beyond traditional remediation efforts.

Source: BleepingComputer and Dell Security Advisory