
Cybersecurity researchers have discovered multiple security flaws in Dell’s ControlVault3 firmware and related Windows APIs that attackers may abuse to bypass Windows login, extract encryption keys, maintain access even after a fresh operating system install, and deploy malicious implants in the firmware that go undetected.
Cisco Talos has codenamed the vulnerabilities ReVault. More than 100 models of Dell laptops running Broadcom BCM5820X series chips are affected. There is no evidence that the vulnerabilities are being exploited in the wild.
Industries that need stronger security when logging in via smart card readers or near field communication (NFC) readers may use ControlVault devices in their environments. ControlVault is a hardware-based security solution that provides a secure way to store passwords, biometric templates, and security codes within firmware.
The findings were presented at the Black Hat USA security conference. An attacker can maintain persistence on a compromised system by escalating privileges after initial access, bypassing authentication controls, and surviving operating system updates or reinstalls.

Together, these vulnerabilities create a powerful remote post-compromise persistence method for hidden access to high-value environments. The identified vulnerabilities are:
CVE-2025-25050 (CVSS score: 8.8) – An out-of-bounds write vulnerability exists in the cv_upgrade_sensor_firmware functionality that could lead to an out-of-bounds write
CVE-2025-25215 (CVSS score: 8.8) – An arbitrary free vulnerability exists in the cv_close functionality that could lead to an arbitrary free
CVE-2025-24922 (CVSS score: 8.8) – A stack-based buffer overflow vulnerability exists in the SecureBio_Identify feature that can lead to arbitrary code execution
(CVSS score: 8.4) – Reads CV_DBLOCKDATA vulnerability.
CVE-2025-24919 (CVSS score: 8.1) – A vulnerability in the handling of untrusted input exists in the CVHDecapsulateCMD functionality that can lead to arbitrary code execution

The cybersecurity company also pointed out that a local attacker with physical access to a user’s laptop can pry it open and access the Unified Security Hub (USH) board, allowing the attacker to exploit any of the five vulnerabilities without logging in or knowing the full-disk encryption password.
“ReVault attack can be used as a post-conflict persistence technology that can remain for the entire Windows reinstall,” said Philippe Laulheret, a researcher at Cisco Talos. “ReVault attacks can also be used as a physical compromise for local users to bypass Windows logins or gain administrative/system privileges.”
To mitigate the risks posed by these flaws, users are encouraged to apply the fixes provided by Dell, to disable the ControlVault service if they do not use peripherals such as fingerprint readers, smart card readers, or near field communication (NFC) readers, and to turn off fingerprint login in high-risk situations.