“ReVault” Firmware Vulnerabilities in Dell ControlVault3 Enable Persistent Backdoors and Windows Login Bypass

Filip Dimitrov

August 8, 2025

Cisco Talos has disclosed five critical vulnerabilities, collectively dubbed “ReVault”, affecting the firmware of Dell’s ControlVault3 and ControlVault3+ hardware security modules, as well as their associated Windows APIs. 

When unpatched, these flaws enable both post-compromise persistence and physical bypass of Windows authentication on over 100 Dell Latitude and Precision laptop models. 

Attackers can implant malicious firmware that survives OS reinstalls or, with direct physical access to the Unified Security Hub (USH) board, bypass login controls and escalate privileges to SYSTEM level. 

Vulnerability Details

  • CVE-2025-24311 & CVE-2025-25050 (Out-of-Bounds Access): Crafted ControlVault API calls permit reading or writing outside allocated memory, leaking sensitive key material or corrupting firmware state. 
  • CVE-2025-25215 (Arbitrary Free): A malformed session can trigger an arbitrary free on the firmware heap, enabling attackers to manipulate memory and gain code execution. 
  • CVE-2025-24922 (Stack Overflow): A buffer overflow in the firmware’s command-parsing logic allows injection of malicious code to run with firmware privileges.
  • CVE-2025-24919 (Unsafe Deserialization): The Windows API for ControlVault improperly deserializes untrusted data, enabling local non-admin users to execute arbitrary commands via the Credential Vault service.

Impact Analysis

Once attackers achieve non-admin Windows access, they can leverage CVE-2025-24919 to execute code on the USH firmware, extract or replace key material, and embed a backdoor that remains active even after OS reinstalls or disk reimaging. 

With physical access, adversaries can open the chassis, connect directly to the USH board via USB, and exploit any of the five CVEs to bypass Windows login, disabling fingerprint or smartcard authentication and gaining SYSTEM-level control without needing credentials. 

The vulnerabilities impact a broad range of Dell Latitude and Precision laptops, including Rugged variants, which are widely used across government, industrial, and cybersecurity environments where biometric and smartcard authentication is commonly deployed.

Indicators of Compromise (IoCs)

Indicator                    | Description
-----------------------------|------------------------------------------------------------------
Unexpected Firmware Versions | CV firmware versions prior to 5.15.10.14 (ControlVault3) or 6.2.26.36 (ControlVault3+); check via BIOS or Windows Update.
Windows Service Failures     | Crashes or unexpected restarts of Windows Biometric Service or Credential Vault Service in Windows logs near ControlVault interactions.
Chassis Intrusion Alerts     | BIOS-logged chassis intrusion events (available on supported models).
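The "Unexpected Firmware Versions" indicator above is easy to get wrong in an inventory script: a plain string comparison ranks 5.9.x above 5.15.10.14. The following is an added example (not code from the advisory, Dell or Cisco) that compares reported ControlVault firmware versions numerically against the fixed releases named in the table and lists hosts that still need the update. The hostnames and firmware values in the inventory are constructed for illustration.

```python
"""Triage reported ControlVault firmware versions against the fixed releases
named in the advisory. Added example; the inventory below is constructed."""

from typing import NamedTuple

# Minimum fixed firmware versions, as stated in the advisory.
PATCHED_MIN = {
    "ControlVault3": "5.15.10.14",
    "ControlVault3+": "6.2.26.36",
}


def parse_version(ver: str) -> tuple:
    """Turn a dotted version string into a tuple of ints so that
    5.9.1.0 compares below 5.15.10.14 (a string compare would not)."""
    try:
        return tuple(int(part) for part in ver.strip().split("."))
    except ValueError:
        raise ValueError(f"unparseable firmware version: {ver!r}")


def is_vulnerable(family: str, reported: str) -> bool:
    """True when the reported firmware is older than the fixed release."""
    if family not in PATCHED_MIN:
        raise KeyError(f"unknown ControlVault family: {family!r}")
    return parse_version(reported) < parse_version(PATCHED_MIN[family])


class Host(NamedTuple):
    hostname: str
    family: str
    firmware: str


def triage(inventory):
    """Return hostnames still on pre-fix firmware, grouped by family."""
    findings = {}
    for host in inventory:
        if is_vulnerable(host.family, host.firmware):
            findings.setdefault(host.family, []).append(host.hostname)
    return findings


# Constructed inventory for illustration (hostnames and versions invented).
SAMPLE_INVENTORY = [
    Host("lat-001", "ControlVault3", "5.15.10.14"),   # exactly at the fix level
    Host("lat-002", "ControlVault3", "5.9.1.0"),      # older; a string compare would pass it
    Host("prec-003", "ControlVault3+", "6.2.26.35"),  # one build short of the fix
    Host("prec-004", "ControlVault3+", "6.2.26.36"),
]

if __name__ == "__main__":
    for family, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{family}: update required on {', '.join(hosts)}")
```

Feed `triage()` whatever your asset inventory exports; the only requirement is that each record carries the ControlVault family and the firmware string the BIOS reports.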

Mitigation & Remediation

  1. Apply Firmware Updates Immediately:

Deploy Dell’s ControlVault3 firmware v5.15.10.14 or later and ControlVault3+ firmware v6.2.26.36 or later via Windows Update or Dell’s support site.

  2. Disable Unused Security Peripherals:

If fingerprint, smartcard, or NFC authentication is not required, disable the Dell ControlVault Service in Services.msc and the device in Device Manager.

  3. Restrict Physical Access & Enable Chassis Intrusion Detection:

Enforce policies to prevent unauthorized hardware tampering; enable intrusion detection in BIOS where supported.

  4. Harden Windows Login:

Temporarily disable fingerprint login in high-risk scenarios (e.g., travel); enable Windows Enhanced Sign-in Security (ESS) to detect unauthorized firmware changes.

Detection Recommendations

  • Endpoint Monitoring: Configure EDR/AV signatures for anomalous loading of bcmbipdll.dll or abnormal ControlVault API invocation patterns (e.g., oversized payloads). Cisco Secure Endpoint users can apply signature “bcmbipdll.dll Loaded by Abnormal Process.” 
  • Log Correlation: Alert on sudden spikes in Windows Biometric Service errors or Credential Vault service restarts.
  • Firmware Integrity Scans: Incorporate periodic checks of ControlVault firmware cryptographic hashes against known-good values.
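The first two recommendations above translate into two simple rules. The following is an added example (not the advisory's, Dell's or Cisco's code) that runs both over a handful of constructed log records: an image-load rule that flags bcmbipdll.dll being loaded by a process outside an expected set, and a sliding-window rule that flags a burst of Windows Biometric Service or Credential Vault Service failures. The record format, the file paths and the process names are constructed; the allowlist of expected loader processes is an assumption that must be baselined per fleet.

```python
"""Two detections from the advisory's recommendations, run over constructed
log records. Added example; not the page's, Dell's or Cisco's code."""

from collections import deque
from datetime import datetime, timedelta

# Assumption: which processes legitimately host ControlVault libraries varies
# by build; treat this allowlist as a placeholder to be baselined per fleet.
EXPECTED_LOADERS = {"svchost.exe"}

SERVICES_OF_INTEREST = {"Windows Biometric Service", "Credential Vault Service"}


def parse_record(line):
    """Parse one constructed record: ISO time | channel | event id | key=value;..."""
    ts, channel, event_id, rest = line.split("|", 3)
    fields = dict(kv.split("=", 1) for kv in rest.split(";"))
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "channel": channel, "event_id": int(event_id), **fields}


def abnormal_bcmbipdll_loads(records):
    """Image-load records (Sysmon event 7) where bcmbipdll.dll is pulled into
    a process that is not on the expected-loader allowlist."""
    hits = []
    for r in records:
        if r["event_id"] == 7 and r.get("Image", "").lower().endswith("bcmbipdll.dll"):
            proc = r.get("Process", "").lower()
            if proc not in EXPECTED_LOADERS:
                hits.append((r["ts"], proc))
    return hits


def service_failure_bursts(records, threshold=3, window=timedelta(minutes=10)):
    """Flag any service of interest that fails `threshold` or more times within
    `window`, using Service Control Manager event 7034 (terminated unexpectedly)."""
    recent = {}      # service -> deque of failure timestamps inside the window
    alerts = set()
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["event_id"] != 7034 or r.get("Service") not in SERVICES_OF_INTEREST:
            continue
        q = recent.setdefault(r["Service"], deque())
        q.append(r["ts"])
        while q and r["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.add(r["Service"])
    return alerts


# Constructed records for illustration; paths and process names are invented.
SAMPLE_LOG = """\
2025-08-08T09:00:00Z|Sysmon|7|Image=C:\\Windows\\System32\\bcmbipdll.dll;Process=svchost.exe
2025-08-08T09:05:00Z|Sysmon|7|Image=C:\\Windows\\System32\\bcmbipdll.dll;Process=notepad.exe
2025-08-08T09:06:00Z|System|7034|Service=Windows Biometric Service
2025-08-08T09:07:30Z|System|7034|Service=Windows Biometric Service
2025-08-08T09:09:00Z|System|7034|Service=Windows Biometric Service
2025-08-08T09:30:00Z|System|7034|Service=Credential Vault Service
2025-08-08T11:00:00Z|System|7034|Service=Credential Vault Service
"""


def run(log_text=SAMPLE_LOG):
    records = [parse_record(l) for l in log_text.splitlines() if l.strip()]
    return {"abnormal_loads": abnormal_bcmbipdll_loads(records),
            "service_bursts": service_failure_bursts(records)}


if __name__ == "__main__":
    print(run())
```

The burst rule deliberately ignores isolated failures: two Credential Vault Service crashes ninety minutes apart stay below the threshold, while three Biometric Service crashes inside three minutes fire. Tune `threshold` and `window` against your own baseline before wiring the output into an alert.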

Stay Safe. Stay Secure.

OP Innovate Research Team