Five vulnerabilities in the ControlVault3 firmware and the associated Windows APIs expose millions of Dell laptops to persistent implants and Windows login bypasses via physical access, Cisco Talos reports.
The issues, tracked as CVE-2025-24311, CVE-2025-25215, CVE-2025-24922, CVE-2025-25050, and CVE-2025-24919, were initially disclosed on June 13, when Dell announced that patches for them were rolled out for over 100 Dell Pro, Latitude, and Precision models. The affected component, ControlVault3 (and the ControlVault3+ iteration), is a hardware-based system meant to securely store passwords, biometric information, and security codes. CVE-2025-24311 and CVE-2025-25050 are out-of-bounds issues that could be triggered via specially crafted ControlVault API calls to leak information or write outside the allocated memory, while CVE-2025-25215 leads to an arbitrary free via a crafted call and can be triggered via a forged session. CVE-2025-24922 and CVE-2025-24919, a stack-based buffer overflow bug and a deserialization of untrusted input vulnerability, can lead to arbitrary code execution.
According to Talos, an attacker that does not have administrative privileges could interact with ControlVault via the associated API and execute arbitrary code on the firmware, leaking sensitive information affecting the security of the device, which could allow them to modify the firmware. “This creates the risk of a so-called implant that could stay unnoticed in a laptop’s CV firmware and eventually be used as a pivot back onto the system in the case of a threat actor’s post-compromise strategy,” Talos, which named the flaws ReVault, says. The security firm also notes that an attacker with physical access to the device could pry it open and access the USH board, allowing the attacker to exploit any of the five vulnerabilities without having to log in or know a full-disk encryption password. “Another interesting consequence of this scenario is that if a system is configured to be unlocked with the user’s fingerprint, it is also possible to tamper with the CV firmware to accept any fingerprint rather than only allowing a legitimate user’s,” Talos notes. According to Talos, the vulnerabilities could pose a serious threat to organizations in cybersecurity, government, and other sensitive industries, where strict login requirements increase the likelihood of ControlVault being used. Dell’s June advisory lists all the affected models and vulnerable firmware versions, as well as the dates when patches were released for them.