Dell ControlVault: Critical gaps make security component a risk
The "ReVault" vulnerability collection makes numerous Dell laptop models vulnerable. The updates should be installed now at the latest.
(Image: dokmai/Shutterstock.com)
Researchers from Cisco Talos have discovered several vulnerabilities in the hardware-based security solution ControlVault. The additional chip is intended to serve as a secure storage location for passwords, biometric access information, and security codes, for example, and is found in more than 100 Dell laptop models.
Attackers could manipulate the ControlVault firmware via the vulnerabilities named "ReVault". In this way, authentication mechanisms can be bypassed, and the affected systems can ultimately be completely taken over.
Dell classifies the threat as critical and already provided protective firmware updates in June 2025 – heise security published an alert back then. Owners of potentially affected devices should take a look at Dell's advisory now at the latest and ensure that the ControlVault firmware is up to date.
In the security advisory, the manufacturer names vulnerable models and links to updated firmware and drivers:
Primarily affected are various Dell Pro models as well as devices from the Latitude and Precision model series. Depending on the model, Dell's ControlVault3 versions from 5.15.10.14 or the ControlVault3 Plus versions from 6.2.26.36 close the gaps.
ReVault: Researchers explain attack details
So far, Dell itself has only published a few details about the vulnerabilities (CVE-2025-24311, CVE-2025-25215, CVE-2025-24922, CVE-2025-25050, CVE-2025-24919). Three of them are based on specially crafted calls to the ControlVault Windows API, which could be misused for "read and write access outside intended memory limits" and for "unplanned release of resources". The others can be used to execute malicious code via buffer overflow on the stack and specially crafted commands.
In a blog entry on "ReVault", the Cisco Talos team has now broken down two examples of attacks and their possible effects. The manipulation of vulnerable firmware versions is therefore possible via the API on the one hand, but also via physical access on the other.
(Image:Â Cisco Talos )
In the first case, a logged-in user without admin rights can trigger the execution of malicious code in the firmware context via an API call (arbitrary code execution). In this way, in addition to compromising the Windows system, it is also possible to permanently modify the firmware. This would allow the attacker to repeatedly gain undetected system access.
Physical access takes place – after opening the laptop housing – via the USB access of the USHs board (Unified Security Hub), on which the ControlVault chip is located. The researchers explain that a ReVault attack carried out in this way does not require any knowledge of access information. In a video in the blog entry, they demonstrate that the fingerprint scanner can be manipulated via firmware manipulation so that it accepts any print in the future.
No evidence of active exploits
When asked by The Register, both Dell and Cisco Talos denied having observed ReVault exploits in the wild so far.
However, if you want to be on the safe side, for example in a business environment, you should take a look at the videos with demo exploits and the "Remediation" section in the ReVault blog entry in addition to updating. In the latter, the researchers provide additional tips, such as how to deactivate certain ControlVault functions in favor of higher security and how to detect compromises that have already occurred. They will also be presenting their findings in a talk at this year's Black Hat security conference.
(ovw)
