Key Takeaways:
- Cisco Talos uncovered five vulnerabilities, called ReVault, in Dell’s ControlVault3 firmware used across Latitude, Precision, and Pro laptops.
- Exploits allow attackers to bypass login authentication, escalate privileges, and persist malware implants even after OS reinstall.
- One flaw lets an attacker with physical access tamper with the hardware to override the fingerprint reader.
- Dell issued firmware updates in March–May 2025; unpatched systems remain vulnerable.
- Enterprises are urged to patch immediately or disable ControlVault if unused.
More than 100 Dell laptop models are at risk of low-level compromise due to a set of firmware vulnerabilities in the ControlVault3 security chip, according to new research from Cisco Talos. The flaws, collectively named ReVault, allow attackers to implant persistent malware, bypass login protections, and potentially steal authentication data—all without triggering antivirus or system-level alerts.
The affected component, ControlVault3, is designed to secure sensitive user credentials and biometric data. However, researchers discovered that five separate vulnerabilities—CVE-2025-24311, CVE-2025-25050, CVE-2025-25215, CVE-2025-24922, and CVE-2025-24919—can be chained to execute arbitrary code at the firmware level.
Once exploited, attackers can install implants that survive reboots and operating system reinstalls. These implants reside within the firmware itself, making traditional software-based detection and cleanup tools ineffective. The risk is particularly acute in enterprise and government environments where Dell laptops with ControlVault3 chips are widely deployed.
Two of the flaws involve out-of-bounds memory writes. Another permits an arbitrary memory free operation, while one is a stack buffer overflow. The fifth flaw involves unsafe deserialization in the Windows API used to communicate with ControlVault, allowing attackers to craft malicious requests that reach the firmware directly.
Attackers can exploit these flaws either through prior software compromise or, more concerningly, via physical access. In a proof-of-concept demonstration, researchers showed how an attacker could dismantle the laptop and connect a customized USB cable to the Unified Security Hub (USH) board. From there, they could overwrite firmware and spoof fingerprint data—bypassing full disk encryption and Windows login protections.
The flaws affect multiple Dell models, including:
- Latitude 5000, 7000, and 9000 series
- Precision workstations
- Select XPS and Vostro Pro models
Dell released firmware patches between March and May 2025 to address the vulnerabilities. Many systems will have received the updates automatically via Windows Update. Users and administrators should confirm their systems are running ControlVault3 firmware version 5.15.10.14 or later, or 6.2.26.36 or later.
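The version check above can be run across a fleet inventory export. The following is an added example, not code from Dell or Cisco Talos: the CSV layout, the hostnames, and the sample versions are constructed, and treating the two fixed versions as minimums for the 5.x and 6.x release lines respectively is an assumption.

```python
import csv
import io

# Fixed firmware versions named in the article. Mapping each one to a release
# line by its major number (5.x, 6.x) is an assumption made for this example.
FIXED = {5: (5, 15, 10, 14), 6: (6, 2, 26, 36)}

# Constructed sample inventory export (hostnames and versions are made up).
SAMPLE_INVENTORY = """hostname,cv_firmware
lat-7440-001,5.15.10.14
lat-5550-017,5.14.3.16
prec-7680-004,6.2.26.36
prec-5690-009,6.1.9.2
lat-9450-022,5.9.22.4
lat-7340-031,
kiosk-12,4.8.0.1
lat-5450-040,6.2.26
"""


def parse_version(text):
    """Return the version as a tuple of four ints, or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(version_text):
    """Classify one firmware version string as PATCHED, VULNERABLE or REVIEW."""
    version = parse_version(version_text or "")
    if version is None:
        return "REVIEW"          # missing or malformed: check the device by hand
    fixed = FIXED.get(version[0])
    if fixed is None:
        return "REVIEW"          # release line the article gives no fix for
    # Tuple comparison is numeric per component, so 5.9.x sorts below 5.15.x
    # (a plain string comparison would get this wrong).
    return "PATCHED" if version >= fixed else "VULNERABLE"


def audit(inventory_csv):
    """Map each hostname in the CSV text to its classification."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {row["hostname"]: classify(row["cv_firmware"]) for row in rows}


if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:16} {status}")
```

Devices that land in REVIEW (no reported version, a truncated version string, or an unrecognized release line) should be checked directly rather than assumed patched.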
For organizations that do not actively use ControlVault’s biometric or smart card features, Cisco Talos recommends disabling the component entirely via Device Manager or BIOS. Additional safeguards such as enabling chassis intrusion detection and Windows Enhanced Sign-In Security (ESS) are also advised—especially for systems exposed to higher physical access risk.
These findings underline the growing security concerns around embedded firmware in endpoint devices. Firmware-level attacks remain difficult to detect and remediate, and tools like ControlVault—which were originally intended to enhance security—can become a liability if flaws remain unpatched.
Enterprises are encouraged to treat firmware with the same rigor as operating systems and applications, ensuring that hardware-level components are included in regular vulnerability management and configuration audits. As attack techniques evolve, maintaining visibility into embedded device layers is becoming essential for zero-trust security strategies.





