Numerous Dell laptops are at risk of being compromised, allowing unauthorized access and ongoing malware infections.

A wide range of vulnerabilities, collectively known as “ReVault,” affects millions of Dell laptops utilised by government agencies, cybersecurity professionals, and enterprises globally. These vulnerabilities specifically target the Broadcom BCM5820X security chip embedded in Dell’s ControlVault3 firmware, creating opportunities for attackers to steal passwords and biometric data while maintaining persistent access to compromised systems. More than 100 different models of Dell laptops are impacted, primarily from the business-focused Latitude and Precision series, which are commonly deployed in sensitive environments. These devices are frequently found in cybersecurity firms, government facilities, and rugged deployments where enhanced security features, such as smartcard and NFC authentication, are essential. Dell ControlVault is described as a “hardware-based security solution that provides a secure bank that stores your passwords, biometric templates, and security codes within the firmware.” The system operates on a separate daughter board called a Unified Security Hub (USH), which connects various security peripherals, including fingerprint readers, smart card readers, and NFC devices.

Cisco Talos researchers have identified five critical vulnerabilities in the ControlVault3 and ControlVault3+ systems. These vulnerabilities include CVE-2025-24311, an out-of-bounds read vulnerability that enables information leakage; CVE-2025-25050, an out-of-bounds write flaw allowing code execution; CVE-2025-25215, an arbitrary memory free vulnerability; CVE-2025-24922, a stack-based buffer overflow enabling arbitrary code execution; and CVE-2025-24919, an unsafe deserialization flaw in ControlVault’s Windows APIs. All vulnerabilities received CVSS scores above 8.0, classifying them as “high” severity threats. The combination of these flaws creates particularly dangerous attack scenarios that security experts warn could have far-reaching consequences. The most concerning aspect of the ReVault vulnerabilities is their potential to establish a persistent compromise that remains undetected even after a complete Windows reinstallation. Researchers indicate that a non-administrative user can interact with ControlVault firmware through Windows APIs to trigger arbitrary code execution, allowing attackers to extract cryptographic keys and permanently modify the firmware. This creates the risk of an implant that could remain unnoticed in a laptop’s ControlVault firmware, potentially being used as a pivot back onto the system in a threat actor’s post-compromise strategy. The persistent nature of these attacks represents a significant escalation in firmware-based threats, as the malicious code resides below the operating system level, where traditional antivirus solutions may not detect it.