Introduction
In March 2025, security researchers disclosed a set of severe firmware vulnerabilities in Dell’s ControlVault3 security chip—collectively dubbed “ReVault.” ControlVault3 is a secure subsystem used in Dell laptops to store encryption keys, biometric templates and other secrets. The newly discovered flaws, tracked as CVE-2025-25050, CVE-2025-25215, CVE-2025-24922, CVE-2025-24311 and CVE-2025-24919, could allow attackers to bypass Windows logins, extract cryptographic keys and implant persistent malware [1].
How the ReVault Attack Works
Researchers found that specific functions in the Dell firmware do not properly validate input or restrict privileged operations. By sending carefully crafted commands to ControlVault3, an attacker with local access can read arbitrary memory from the chip, including hashed login passwords and private keys. Another flaw allows malicious code to be written to the chip, where it survives even a full reinstall of the operating system [1]. Attackers can also leverage the vulnerabilities to bypass virtualization-based security features and sign malicious firmware updates using stolen certificates.
Implications and Impact
More than 100 Dell laptop models equipped with Broadcom BCM5820X TPM chips are affected, ranging from consumer Inspiron laptops to enterprise Latitude and Precision notebooks [1]. Because ControlVault3 handles biometric authentication and key storage, exploitation could let attackers bypass fingerprint or facial logins, decrypt sensitive data, or impersonate the device when signing code or documents. Because the implant lives in firmware rather than on disk, the usual remediation—reinstalling Windows—will not remove the backdoor [1].
Mitigations and Recommendations
Dell has issued firmware updates for the vulnerable devices and urges all customers to apply them immediately. Organizations should ensure that BIOS and firmware updates are deployed through their normal patch management processes. For systems that cannot be patched yet, Dell recommends disabling ControlVault3 functionality where feasible until updates are available [1]. Users should also ensure full disk encryption is enabled and physical access controls are enforced, since the flaws require local access to the machine.
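To support the patch-management and fallback steps above, the following PowerShell script is an added example (not Dell's own tooling and not from the original article). It records the host model and BIOS version, lists any present PnP device whose name contains "ControlVault" (an assumption about how Dell exposes the chip to Windows), reports the installed driver version as a rough proxy for update status, and can optionally disable the device when it appears unpatched. The `$MinimumVersion` default is a placeholder; the real fixed version must be taken from Dell's advisory, and the driver version is not the firmware version itself, so treat the result as an inventory aid rather than proof that the firmware is fixed.

```powershell
# Added example: inventory Dell ControlVault devices and flag driver versions
# below a placeholder minimum. Run in an elevated session if -DisableIfUnpatched
# is used. $MinimumVersion is a placeholder; use the version from Dell's advisory.
param(
    [version]$MinimumVersion = [version]'0.0.0.0',   # placeholder, see Dell advisory
    [switch]$DisableIfUnpatched                      # the page's fallback mitigation
)

# Host identification, useful when the output is collected fleet-wide.
$system = Get-CimInstance -ClassName Win32_ComputerSystem
$bios   = Get-CimInstance -ClassName Win32_BIOS
[pscustomobject]@{
    Manufacturer = $system.Manufacturer
    Model        = $system.Model
    BIOSVersion  = $bios.SMBIOSBIOSVersion
} | Format-List

# Assumption: the chip shows up as a present PnP device whose FriendlyName
# contains "ControlVault".
$cvDevices = Get-PnpDevice -PresentOnly | Where-Object { $_.FriendlyName -match 'ControlVault' }

if (-not $cvDevices) {
    Write-Output 'No ControlVault device present; nothing to check on this host.'
    return
}

foreach ($dev in $cvDevices) {
    # Driver version is a proxy only; the firmware version is reported by Dell's tooling.
    $verText = (Get-PnpDeviceProperty -InstanceId $dev.InstanceId `
                    -KeyName 'DEVPKEY_Device_DriverVersion').Data
    $ver = $null
    $parsed = [version]::TryParse([string]$verText, [ref]$ver)
    $status = if (-not $parsed) { 'UNKNOWN' }
              elseif ($ver -lt $MinimumVersion) { 'NEEDS UPDATE' }
              else { 'OK' }

    [pscustomobject]@{
        Device        = $dev.FriendlyName
        InstanceId    = $dev.InstanceId
        DriverVersion = $verText
        Status        = $status
    } | Format-Table -AutoSize

    if ($DisableIfUnpatched -and $status -eq 'NEEDS UPDATE') {
        # Fallback described in the article: disable ControlVault functionality
        # until the firmware update can be applied.
        Disable-PnpDevice -InstanceId $dev.InstanceId -Confirm:$false
        Write-Output "Disabled $($dev.FriendlyName) pending firmware update."
    }
}
```

Run it without switches first to collect inventory; only pass `-DisableIfUnpatched` on hosts where losing fingerprint and smart-card login is acceptable until the update lands, and re-enable the device with `Enable-PnpDevice` once the firmware has been applied.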
Conclusion
The ReVault vulnerabilities highlight how weaknesses in embedded firmware can undermine even advanced security measures like biometrics and TPM chips. By keeping firmware up to date, limiting physical access and monitoring systems for unusual behavior, organizations can reduce the risk posed by these flaws until vendors supply permanent fixes.
Sources
[1] Report on Dell ControlVault3 “ReVault” vulnerabilities explaining how attackers can extract hashed passwords and cryptographic keys and maintain persistence across OS reinstalls.