Critical Firmware Vulnerabilities in Dell Latitude and Precision Laptops (ReVault)

SUMMARY

SL-CSIRT wishes to inform stakeholders of multiple critical vulnerabilities (collectively dubbed “ReVault”) affecting millions of Dell laptops widely used in government, enterprise, and cybersecurity environments. The vulnerabilities exist in the ControlVault3 and ControlVault3+ security chips (Broadcom BCM5820X), which are embedded in Dell business-class devices such as Latitude and Precision models. Successful exploitation may allow stealthy, persistent malware implants, biometric bypass, and unauthorized access to cryptographic secrets, even surviving full operating system reinstallation.

 

AFFECTED PRODUCTS

• Dell Latitude series (5000, 7000, 9000 models, including rugged devices)
• Dell Precision mobile workstations
• Any Dell systems running:
o ControlVault3 firmware prior to v5.15.10.14
o ControlVault3+ firmware prior to v6.2.26.36
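
The version thresholds above can be checked against a fleet inventory export. The following is an added example, not part of the original advisory or any Dell tooling; the CSV column names and the sample rows are constructed assumptions. It compares versions field by field, because a plain string comparison would wrongly rank 5.9.x above 5.15.x.

```python
import csv
import io

# First fixed firmware versions, taken from the advisory text.
FIXED = {
    "ControlVault3": (5, 15, 10, 14),
    "ControlVault3+": (6, 2, 26, 36),
}

# Constructed inventory export; hostnames and column names are assumptions.
SAMPLE_INVENTORY = """hostname,product,firmware
lat-7440-01,ControlVault3,5.9.3.2
lat-7440-02,ControlVault3,v5.15.10.14
prec-7680-01,ControlVault3+,6.2.26.35
prec-7680-02,ControlVault3+,6.10.0.1
lat-5450-01,ControlVault3,unknown
"""


def parse_version(text):
    """Return a 4-tuple of ints, or None if the value is not dotted-numeric."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(product, firmware):
    """Return 'vulnerable', 'patched' or 'unknown' for one inventory row."""
    fixed = FIXED.get(product.strip())
    version = parse_version(firmware)
    if fixed is None or version is None:
        return "unknown"  # needs manual review; never assume patched
    # Tuple comparison is numeric per field, so 5.9.x sorts below 5.15.x.
    return "vulnerable" if version < fixed else "patched"


def triage(csv_text):
    """Map hostname -> status for every row of the inventory CSV."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {r["hostname"]: classify(r["product"], r["firmware"]) for r in reader}


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Rows reported as unknown should be verified on the device itself before being counted as remediated.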

 

VULNERABILITY DETAILS

Cisco Talos identified five high-severity vulnerabilities in ControlVault3 firmware and its Windows API interface:

CVE ID          Description                                                  CVSS Score  Impact
CVE-2025-24311  Out-of-bounds read in firmware leads to information leakage  8.4         Data exposure
CVE-2025-25050  Out-of-bounds write enables arbitrary code execution         8.8         System takeover
CVE-2025-25215  Use-after-free flaw allowing memory corruption               8.6         Instability / code exec
CVE-2025-24922  Stack-based buffer overflow leading to full code execution   9.1         Remote or local execution
CVE-2025-24919  Unsafe deserialization via Windows APIs                      8.5         Code injection

These flaws allow local or physical attackers to execute arbitrary code in the firmware, extract credentials, and establish firmware-level persistence beyond OS-level detection.

 

ATTACK SCENARIOS

1. Post-compromise exploit – A non-admin user on a vulnerable laptop can use the flaws to install persistent malware inside the ControlVault firmware.
2. Physical access attack – An attacker with brief physical access can use a custom USB connector to tamper with the Unified Security Hub and bypass fingerprint authentication, even using fake or inanimate objects.

 

IMPACT

• Full compromise of system integrity
• Biometric authentication bypass (e.g., spoofed fingerprints)
• Credential and key theft
• Persistence beyond OS reinstallations
• Undetectable by traditional antivirus tools

 

MITIGATION & RECOMMENDATION

1. Immediate Firmware Update:
o Update ControlVault3 to v5.15.10.14 or later
o Update ControlVault3+ to v6.2.26.36 or later
o Updates are available via:
▪ Dell Support Website
▪ Windows Update (for supported environments)

2. Disable Unused Features:
o Turn off fingerprint/NFC/smartcard authentication if not required
o Disable ControlVault device via Device Manager where possible

3. Enable Physical Security Protections:
o Use chassis intrusion detection features in BIOS
o Monitor access to USB and internal components

4. Watch for Suspicious Activity:
o Monitor for unexpected DLL loads or Biometric Service crashes
o Look for signs of firmware manipulation or bypassed login attempts

 

REFERENCES

Dell Security Advisory
Cisco Talos Research
CVE Details
Cybersecurity News
BleepingComputer
SL-CSIRT


