A critical Dell ControlVault vulnerability has emerged that should send shockwaves through enterprise IT departments worldwide. When security researcher Philippe Laulheret at Cisco Talos discovered what they’re calling “ReVault,” he uncovered something far more sinister than your typical software bug – a firmware-level weakness that can survive Windows reinstalls and create persistent backdoors in business laptops.
The implications are staggering. More than 100 Dell laptop models, primarily from the business-focused Latitude and Precision series, are sitting ducks if left unpatched. These aren’t consumer devices gathering dust in spare bedrooms – they’re the workhorses of cybersecurity companies, government agencies, and ruggedised environments where security matters most.
As Laulheret explains in his research, Talos “reported 5 vulnerabilities to Broadcom and Dell affecting both the ControlVault3 Firmware and its associated Windows APIs.” The scope is massive: “100+ models of Dell Laptops are affected by this vulnerability if left unpatched.”
When hardware becomes the enemy
Dell ControlVault technology was supposed to be a fortress for sensitive data. Marketed as “a hardware-based security solution that provides a secure bank that stores your passwords, biometric templates, and security codes within the firmware,” it operates on a daughter board called the Unified Security Hub (USH). This chip handles everything from fingerprint authentication to smart card readers and NFC functionality.
The current iterations, ControlVault3 and ControlVault3+, “can be found in more than 100 different models of actively-supported Dell laptops” according to Laulheret’s findings, with details available in DSA-2025-053. These models are “widely used in the cybersecurity industry, government settings and challenging environments in their Rugged version.”
But Talos researchers found five critical vulnerabilities in this supposedly secure system, including multiple out-of-bounds vulnerabilities (CVE-2025-24311, CVE-2025-25050), an arbitrary free vulnerability (CVE-2025-25215), a stack overflow (CVE-2025-24922), and an unsafe deserialisation flaw (CVE-2025-24919) affecting ControlVault’s Windows APIs.
Laulheret emphasises that “with a lack of common security mitigations and the combination of some of the vulnerabilities mentioned above, the impact of these findings is significant.”
Two attack vectors, maximum damage
The ReVault attack works in two particularly nasty ways:
Post-compromise persistence: As Laulheret describes, “a non-administrative user can interact with the CV firmware using its associated APIs and trigger an Arbitrary Code Execution on the CV firmware.” Once inside, attackers can steal key material and permanently modify firmware, creating what the researcher calls “a so-called implant that could stay unnoticed in a laptop’s CV firmware and eventually be used as a pivot back onto the system.” The ReVault attack “can be used as a post-compromise persistence technique that can remain even across Windows reinstalls.”
Physical bypass: More alarmingly, Laulheret explains that “a local attacker with physical access to a user’s laptop can pry it open and directly access the USH board over USB with a custom connector.” From there, “all the vulnerabilities described previously become in-scope for the attacker without requiring the ability to log-in into the system or knowing a full-disk encryption password.” The ReVault attack “can also be used as a physical compromise to bypass Windows Login and/or for any local user to gain Admin/System privileges.”
Even more concerning: “if a system is configured to be unlocked with the user’s fingerprint, it is also possible to tamper with the CV firmware to accept any fingerprint rather than only allowing a legitimate user’s.”
Think about the implications for business travellers leaving laptops in hotel rooms, or the growing trend of hybrid work where devices routinely leave corporate premises.
The broader security landscape concerns
This vulnerability comes at a particularly troubling time for enterprise security. Recent research shows that South African companies are struggling with cybersecurity awareness, with organisations facing AI-enabled attacks whilst being under-resourced and overwhelmed by the threat landscape.
The ReVault findings underscore a fundamental problem: we’ve become so focused on software vulnerabilities that hardware security often gets overlooked until it’s too late. ControlVault devices are precisely the type of “enhanced security” that companies deploy thinking they’re improving their posture, only to discover they’ve inadvertently expanded their attack surface.
What enterprises need to do right now
Dell and Broadcom have released patches, but remediation isn’t straightforward. Here’s what security teams should prioritise:
Immediate actions:
- Check if your Dell laptop models are affected using Dell’s security advisory DSA-2025-053
- Deploy firmware updates immediately – Laulheret notes that “CV firmware can be automatically deployed via Windows Update, but new firmware usually gets released on the Dell website a few weeks prior”
- Enable chassis intrusion detection in BIOS settings where available
Strategic considerations:
- If fingerprint readers and smart card functionality aren’t essential, Laulheret recommends that “if not using any of the security peripherals (fingerprint reader, smart card reader and NFC reader) it is possible to disable the CV services (using the Service Manager) and/or the CV device (via the Device Manager)”
- Consider disabling fingerprint login for high-risk scenarios – Laulheret suggests “disabling fingerprint login when risks are heightened (e.g., leaving one’s laptop unattended in a hotel room)”
- Implement Enhanced Sign-in Security (ESS) where supported, which “may help mitigate some of the physical attacks and detect inappropriate CV firmware”
Detection and monitoring:
- Monitor Windows logs for unexpected crashes in Windows Biometric Service or Credential Vault services
- Cisco Secure Endpoint users should watch for the signature “bcmbipdll.dll Loaded by Abnormal Process”
The uncomfortable truth about hardware security
The ReVault vulnerabilities force us to confront an uncomfortable reality: hardware-based security solutions are only as strong as their weakest implementation. Dell’s ControlVault was designed with good intentions, but poor execution turned a security feature into a security liability.
This isn’t just Dell’s problem – it’s indicative of a broader industry challenge. As we rush to implement hardware-based security features to combat sophisticated threats, we’re often creating new attack vectors that are harder to detect and remediate than traditional software vulnerabilities.
The persistence aspect is particularly troubling. In an era where security teams regularly wipe and rebuild compromised systems, firmware-level implants represent a nightmare scenario that many incident response playbooks aren’t equipped to handle.
Looking forward: lessons for the industry
The ReVault discovery should serve as a wake-up call for the entire industry. Hardware security isn’t an afterthought – it needs the same rigorous testing and security review processes we apply to critical software systems.
For enterprises, this means expanding vulnerability management programmes to include firmware components and ensuring that physical security policies account for sophisticated hardware-level attacks. The days of assuming that a Windows reinstall guarantees a clean system are officially over.
Most importantly, security teams need to evaluate every component in their technology stack, not just the obvious targets. Sometimes the biggest threats hide in the places designed to protect us most.
The ReVault vulnerabilities have been responsibly disclosed and patches are available. Enterprise security teams should treat this as a critical priority and update affected systems immediately.