
ReVault Flaws Expose Dell Laptops to Windows Login Bypass

Summary

– ControlVault3 firmware vulnerabilities (ReVault) in over 100 Dell laptop models allow attackers to bypass Windows login and install persistent malware.
– The flaws affect Dell’s business-focused Latitude and Precision laptops, which are widely used in high-security environments like government and industrial sectors.
– Five specific vulnerabilities (CVE-2025-24311, CVE-2025-25050, CVE-2025-25215, CVE-2025-24922, CVE-2025-24919) impact ControlVault3 firmware and Windows APIs.
– Attackers with physical access can exploit these flaws to bypass login, escalate privileges, or manipulate fingerprint authentication without needing system credentials.
– Dell has released patches, and mitigation steps include updating systems, disabling unused security peripherals, and enabling chassis intrusion detection.

Security researchers have uncovered critical vulnerabilities in Dell’s ControlVault3 firmware that could let attackers bypass Windows authentication and plant persistent malware on affected devices. These flaws impact over 100 business-focused Latitude and Precision laptop models commonly used in government agencies, industrial settings, and cybersecurity operations.

The vulnerabilities, collectively named ReVault by Cisco’s Talos team, exist in both the firmware and Windows APIs of Dell’s hardware-based security module. ControlVault3 stores sensitive authentication data, including passwords, biometric information, and security tokens, on a dedicated chip known as the Unified Security Hub (USH).

Five distinct flaws have been identified:

  • Out-of-bounds read/write issues (CVE-2025-24311, CVE-2025-25050)
  • Arbitrary memory corruption (CVE-2025-25215)
  • Stack overflow vulnerability (CVE-2025-24922)
  • Unsafe deserialization flaw (CVE-2025-24919)

When exploited in combination, these weaknesses allow attackers to execute arbitrary code on the firmware itself. This means malware could persist even after a complete Windows reinstallation. Worse still, physical access to the device could enable attackers to bypass login screens entirely or escalate privileges to administrator level without needing credentials.

According to researchers, an intruder could open the laptop, connect directly to the USH board using a custom USB adapter, and manipulate the firmware without ever logging into Windows. This method bypasses full-disk encryption and could even force fingerprint readers to accept unauthorized scans.

Dell rolled out patches between March and May to address these vulnerabilities. Users are urged to update their systems immediately through Windows Update or Dell’s official support site. Additional precautions include:

  • Disabling unused authentication peripherals (fingerprint readers, smart cards, NFC)
  • Enabling chassis intrusion detection in BIOS to detect tampering
  • Activating Enhanced Sign-in Security (ESS) in Windows to monitor firmware integrity

For organizations handling sensitive data, disabling biometric authentication in high-risk scenarios may further reduce exposure. The full list of affected models is detailed in Dell’s security advisory, which administrators should review to ensure compliance and protection.

(Source: Bleeping Computer)
