
Dell Laptops Vulnerable to Persistent ReVault Backdoor Attacks

Summary

– Over 100 Dell laptop models, including those used in government and cybersecurity sectors, have firmware vulnerabilities allowing attackers persistent access even after Windows reinstalls.
– The flaws affect ControlVault3 and ControlVault3+ firmware, which store sensitive data like passwords and biometric templates, and comprise five specific CVEs (e.g., out-of-bounds writes and a stack overflow).
– Attackers with non-admin access or physical access can exploit these flaws (“ReVault attacks”) to modify firmware, create backdoors, or bypass fingerprint authentication.
– Dell has released firmware updates (v5.15.10.14 for CV3, v6.2.26.36 for CV3+), but large-scale deployment may be challenging, and disabling unused CV services is recommended.
– The vulnerabilities underscore the risk of hardware-level exploits, emphasizing the need to secure all device components, not just software or OS.

Security researchers have uncovered critical firmware vulnerabilities in over 100 Dell laptop models, exposing them to persistent backdoor attacks that survive operating system reinstalls. The flaws, discovered by Cisco Talos, primarily affect ControlVault3 and ControlVault3+, hardware security modules responsible for storing sensitive data like passwords and biometric templates.

The vulnerabilities include multiple high-risk issues:

  • Two out-of-bounds write flaws (CVE-2025-24311, CVE-2025-25050)
  • An arbitrary memory corruption bug (CVE-2025-25215)
  • A stack overflow weakness (CVE-2025-24922)
  • An unsafe deserialization flaw (CVE-2025-24919)

Exploiting these flaws enables ReVault attacks, where threat actors with either limited system access or physical control can manipulate firmware to establish permanent backdoors. Attackers could bypass authentication entirely by tampering with fingerprint verification or extracting encryption keys, even without administrative privileges.

Physical access makes the threat more severe, as attackers could connect directly to the Unified Security Hub via USB, altering firmware without needing login credentials. Researchers warn that compromised systems could accept any fingerprint if biometric unlocking is enabled.

Dell has addressed the vulnerabilities in ControlVault3 v5.15.10.14 and ControlVault3+ v6.2.26.36, with patches rolling out since March 2025. However, enterprise environments may struggle with deployment, as firmware updates often lag behind, especially for field-deployed devices.

To mitigate risks, organizations should:

  • Apply firmware updates immediately via Windows Update or Dell’s support portal.
  • Disable ControlVault services if fingerprint, smart card, or NFC readers are unused.
  • Enable Enhanced Sign-in Security (ESS) and chassis intrusion detection in BIOS where available.
  • Monitor Windows logs for unexpected crashes in biometric or credential services, which may indicate exploitation.
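For the first item, a fleet audit has to compare each device's ControlVault firmware against the fixed versions numerically, since a plain string comparison ranks 5.15.9.x above 5.15.10.14. The sketch below is an added example, not code from Dell or Cisco Talos; the CSV layout, product labels and hostnames are constructed, and it assumes any version at or above the fixed one carries the fix.

```python
import csv
import io

# Fixed firmware versions as stated in the article.
PATCHED = {
    "ControlVault3": (5, 15, 10, 14),
    "ControlVault3+": (6, 2, 26, 36),
}

# Constructed sample inventory export (hostnames and versions are made up).
SAMPLE_INVENTORY = """hostname,product,firmware
lt-001,ControlVault3,5.15.10.14
lt-002,ControlVault3,v5.15.9.20
lt-003,ControlVault3+,6.2.26.36
lt-004,ControlVault3+,6.2.4.112
lt-005,ControlVault3,
lt-006,ControlVault3+,6.10.0.1
"""

def parse_version(text):
    """Return a tuple of ints, or None if text is not a dotted numeric version."""
    text = text.strip().lstrip("vV")
    parts = text.split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None  # empty, truncated or non-numeric field
    return tuple(int(p) for p in parts)

def classify(product, firmware):
    """Compare one device's firmware against the fixed version for its product."""
    minimum = PATCHED.get(product.strip())
    if minimum is None:
        return "unknown-product"
    version = parse_version(firmware)
    if version is None:
        return "unknown-version"  # treat as needing manual follow-up
    # Tuple comparison is numeric per field, unlike comparing the raw strings.
    return "patched" if version >= minimum else "vulnerable"

def audit(csv_text):
    """Map hostname -> status for every row of the inventory export."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {r["hostname"]: classify(r["product"], r["firmware"] or "") for r in reader}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Devices reported as `unknown-version` should be counted as unpatched until their firmware version is confirmed.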

The findings underscore a broader security challenge: hardware-level components like ControlVault operate as independent computing environments, introducing risks beyond traditional software vulnerabilities. Proactive firmware management and layered defenses are now essential to counter these evolving threats.


(Source: Help Net Security)
