Multiple vulnerabilities in Dell ControlVault3 firmware allow persistent access
Summary
Hide β²
Show βΌ
Cybersecurity researchers have identified multiple vulnerabilities in Dell's ControlVault3 firmware and associated Windows APIs. These flaws, collectively named ReVault, can enable attackers to bypass Windows login, extract cryptographic keys, and maintain persistent access even after OS reinstallation. Over 100 Dell laptop models using Broadcom BCM5820X series chips are affected. No evidence of exploitation in the wild has been reported. The vulnerabilities allow attackers to escalate privileges, bypass authentication, and deploy undetectable malicious implants. The affected systems are commonly used in industries requiring heightened security, such as those using smart card or NFC readers. The identified vulnerabilities include out-of-bounds write, arbitrary free, stack-based buffer overflow, out-of-bounds read, and deserialization of untrusted input flaws. Dell has provided patches to mitigate these risks, and users are advised to apply them and disable unnecessary ControlVault services. The vulnerabilities were discovered by Philippe Laulheret, a senior vulnerability researcher at Cisco Talos, and were presented at the Black Hat USA 2025 security conference. The vulnerabilities involve undocumented APIs that allow users to communicate with the Control Vault board, leading to memory corruption, code execution, extraction of secret keys, and permanent firmware modification.
Timeline
-
09.08.2025 21:55 π° 2 articles Β· β± 1mo ago
Multiple vulnerabilities in Dell ControlVault3 firmware disclosed
The vulnerabilities were discovered by Philippe Laulheret, a senior vulnerability researcher at Cisco Talos. The vulnerabilities involve undocumented APIs that allow users to communicate with the Control Vault board, leading to memory corruption, code execution, extraction of secret keys, and permanent firmware modification. The vulnerabilities were presented at the Black Hat USA 2025 security conference. The vulnerabilities have been patched through Windows updates, with both Dell and Broadcom responding quickly to the findings.
Show sources
- Researchers Reveal ReVault Attack Targeting Dell ControlVault3 Firmware in 100+ Laptop Models β thehackernews.com β 09.08.2025 21:55
- ReVault Flaw Exposed Millions of Dell Laptops to Malicious Domination β www.darkreading.com β 22.08.2025 23:21
Information Snippets
-
The vulnerabilities in Dell's ControlVault3 firmware and associated Windows APIs can be chained to escalate privileges, bypass authentication, and maintain persistence.
First reported: 09.08.2025 21:55π° 2 sources, 2 articlesShow sources
- Researchers Reveal ReVault Attack Targeting Dell ControlVault3 Firmware in 100+ Laptop Models β thehackernews.com β 09.08.2025 21:55
- ReVault Flaw Exposed Millions of Dell Laptops to Malicious Domination β www.darkreading.com β 22.08.2025 23:21
-
Over 100 Dell laptop models using Broadcom BCM5820X series chips are affected by the ReVault vulnerabilities.
First reported: 09.08.2025 21:55π° 2 sources, 2 articlesShow sources
- Researchers Reveal ReVault Attack Targeting Dell ControlVault3 Firmware in 100+ Laptop Models β thehackernews.com β 09.08.2025 21:55
- ReVault Flaw Exposed Millions of Dell Laptops to Malicious Domination β www.darkreading.com β 22.08.2025 23:21
-
The vulnerabilities allow attackers to bypass Windows login, extract cryptographic keys, and deploy undetectable malicious implants.
First reported: 09.08.2025 21:55π° 2 sources, 2 articlesShow sources
- Researchers Reveal ReVault Attack Targeting Dell ControlVault3 Firmware in 100+ Laptop Models β thehackernews.com β 09.08.2025 21:55
- ReVault Flaw Exposed Millions of Dell Laptops to Malicious Domination β www.darkreading.com β 22.08.2025 23:21
-
No evidence of exploitation in the wild has been reported.
First reported: 09.08.2025 21:55π° 2 sources, 2 articlesShow sources
- Researchers Reveal ReVault Attack Targeting Dell ControlVault3 Firmware in 100+ Laptop Models β thehackernews.com β 09.08.2025 21:55
- ReVault Flaw Exposed Millions of Dell Laptops to Malicious Domination β www.darkreading.com β 22.08.2025 23:21
-
The vulnerabilities were presented at the Black Hat USA security conference.
First reported: 09.08.2025 21:55π° 1 source, 1 articleShow sources
- Researchers Reveal ReVault Attack Targeting Dell ControlVault3 Firmware in 100+ Laptop Models β thehackernews.com β 09.08.2025 21:55
-
Dell has provided patches to mitigate the risks posed by these flaws.
First reported: 09.08.2025 21:55π° 2 sources, 2 articlesShow sources
- Researchers Reveal ReVault Attack Targeting Dell ControlVault3 Firmware in 100+ Laptop Models β thehackernews.com β 09.08.2025 21:55
- ReVault Flaw Exposed Millions of Dell Laptops to Malicious Domination β www.darkreading.com β 22.08.2025 23:21
-
The vulnerabilities were discovered by Philippe Laulheret, a senior vulnerability researcher at Cisco Talos.
First reported: 22.08.2025 23:21π° 1 source, 1 articleShow sources
- ReVault Flaw Exposed Millions of Dell Laptops to Malicious Domination β www.darkreading.com β 22.08.2025 23:21
-
The vulnerabilities involve undocumented APIs that allow users to communicate with the Control Vault board.
First reported: 22.08.2025 23:21π° 1 source, 1 articleShow sources
- ReVault Flaw Exposed Millions of Dell Laptops to Malicious Domination β www.darkreading.com β 22.08.2025 23:21
-
The vulnerabilities include memory corruption, code execution, extraction of secret keys, and permanent firmware modification.
First reported: 22.08.2025 23:21π° 1 source, 1 articleShow sources
- ReVault Flaw Exposed Millions of Dell Laptops to Malicious Domination β www.darkreading.com β 22.08.2025 23:21
-
The vulnerabilities were presented at the Black Hat USA 2025 security conference.
First reported: 22.08.2025 23:21π° 1 source, 1 articleShow sources
- ReVault Flaw Exposed Millions of Dell Laptops to Malicious Domination β www.darkreading.com β 22.08.2025 23:21
-
The vulnerabilities have been patched through Windows updates, with both Dell and Broadcom responding quickly to the findings.
First reported: 22.08.2025 23:21π° 1 source, 1 articleShow sources
- ReVault Flaw Exposed Millions of Dell Laptops to Malicious Domination β www.darkreading.com β 22.08.2025 23:21
-
The vulnerabilities highlight the security risks posed by undocumented firmware in embedded components.
First reported: 22.08.2025 23:21π° 1 source, 1 articleShow sources
- ReVault Flaw Exposed Millions of Dell Laptops to Malicious Domination β www.darkreading.com β 22.08.2025 23:21
Similar Happenings
Phoenix Rowhammer attack bypasses DDR5 Rowhammer defenses
A new Rowhammer attack variant, called Phoenix, bypasses the latest protection mechanisms on DDR5 memory chips from SK Hynix. This attack exploits vulnerabilities in the Target Row Refresh (TRR) mechanism to flip bits in memory, enabling privilege escalation and unauthorized access. The attack was developed by researchers at ETH Zurich University and Google, and it affects all DDR5 DIMM RAM modules produced between January 2021 and December 2024. The Phoenix attack can corrupt data, increase privileges, execute malicious code, or access sensitive data. It works by repeatedly accessing specific rows of memory cells to cause electrical interference, altering nearby bits. The attack is tracked as CVE-2025-6202 and has been assigned a high-severity score. The researchers demonstrated the attack's effectiveness by successfully flipping bits on all 15 DDR5 memory chips in their test pool, achieving root privileges in under two minutes. They also showed that the attack can break SSH authentication and alter system binaries to escalate local privileges. The researchers recommend increasing the refresh rate to 3x to mitigate the Phoenix attack.
Fourth Spyware Campaign Targeting French Apple Users in 2025
Apple has notified French users of a fourth spyware campaign in 2025. The Computer Emergency Response Team of France (CERT-FR) confirmed the alerts on September 3, 2025. The campaign targets individuals based on their status or function, including journalists, lawyers, activists, politicians, and senior officials. The alerts are part of a series of notifications sent throughout the year, with previous alerts on March 5, April 29, and June 25. These alerts indicate that at least one device linked to the users' iCloud accounts may have been compromised in highly-targeted attacks. The campaign follows a previous incident involving a security flaw in WhatsApp (CVE-2025-55177) and an Apple iOS bug (CVE-2025-43300), which were used in zero-click attacks. Apple has been sending these notifications since November 2021. Apple introduced Memory Integrity Enforcement (MIE) in the latest iPhone models to combat memory corruption vulnerabilities.
Akira Ransomware Group Exploits SonicWall SSL VPN Flaws
The Akira ransomware group has been actively exploiting SonicWall SSL VPN flaws and misconfigurations to gain initial access to networks. This campaign has seen increased activity since late July 2025, targeting SonicWall devices to facilitate ransomware operations. The group leverages a combination of security vulnerabilities, including a year-old flaw (CVE-2024-40766) and misconfigured LDAP settings, to bypass access controls and infiltrate networks. Organizations are advised to rotate passwords, remove unused accounts, enable multi-factor authentication, and restrict access to the Virtual Office Portal to mitigate risks. The Australian Cyber Security Centre (ACSC) has acknowledged Akira's targeting of SonicWall SSL VPNs and issued alerts about the increased exploitation of CVE-2024-40766.
Microsoft September 2025 Patch Tuesday fixes 81 vulnerabilities, including two zero-days
Microsoft released updates for 80 vulnerabilities on September 2025 Patch Tuesday. None of these vulnerabilities were zero-days. The updates address eight critical flaws, including five remote code execution vulnerabilities, one information disclosure, and two elevation of privilege vulnerabilities. The vulnerabilities span various categories: 38 elevation of privilege, 2 security feature bypass, 22 remote code execution, 14 information disclosure, 3 denial of service, and 1 spoofing. One zero-day vulnerability was fixed in Windows SMB Server. The updates also include hardening features for SMB Server to mitigate relay attacks, with recommendations for administrators to enable auditing. The patch includes 38 elevation of privilege vulnerabilities, the highest number among all categories. CVE-2025-54918 is an EoP vulnerability in Windows NT LAN Manager (NTLM) marked as critical. CVE-2025-54111 and CVE-2025-54913 are EoP flaws in Windows UI XAML, allowing privilege escalation via phished credentials or malicious Microsoft Store apps. CVE-2025-55232 is an RCE vulnerability in the Microsoft High Performance Compute (HPC) Pack with a CVSS score of 9.8. CVE-2025-54916 is an RCE vulnerability in Windows NTFS that can be triggered by authenticated users. Microsoft's patch update includes recommendations for preparing for the end-of-life of Windows 10 and mandatory multifactor authentication (MFA) for Azure in October 2025.
Critical SessionReaper flaw in Adobe Commerce and Magento Open Source patched
Adobe has patched a critical vulnerability (CVE-2025-54236) in its Commerce and Magento Open Source platforms, dubbed SessionReaper. The flaw could allow unauthenticated attackers to take control of customer accounts via the Commerce REST API. The vulnerability was disclosed to selected customers on September 4, 2025, with a patch released on September 9, 2025. Adobe Commerce on Cloud users were protected by a WAF rule until the patch was available. The flaw is considered one of the most severe in the history of the platform, potentially leading to session forging, privilege escalation, and code execution. No exploitation in the wild has been reported, but a hotfix was leaked, which could accelerate exploitation attempts. The vulnerability impacts various versions of Adobe Commerce, Adobe Commerce B2B, Magento Open Source, and the Custom Attributes Serializable module. Adobe has also patched a critical path traversal vulnerability in ColdFusion (CVE-2025-54261).