Multiple Vulnerabilities in Dell ControlVault3 Firmware Enable Persistent Attacks
Summary
Multiple vulnerabilities in Dell's ControlVault3 firmware and associated Windows APIs, collectively known as ReVault, allow attackers to bypass Windows login, extract cryptographic keys, and maintain access even after OS reinstallation. The flaws affect over 100 Dell laptop models using Broadcom BCM5820X series chips. No exploitation in the wild has been observed. The vulnerabilities were discovered by Philippe Laulheret, a senior vulnerability researcher at Cisco Talos. They can be chained to escalate privileges, bypass authentication, and achieve persistent access. The vulnerabilities include out-of-bounds write, arbitrary free, stack-based buffer overflow, out-of-bounds read, and deserialization of untrusted input issues. The vulnerabilities were disclosed at the Black Hat USA security conference. Affected industries include those using ControlVault for secure login via smart card or NFC readers. Dell and Broadcom have provided fixes, and users are advised to apply them, disable unnecessary ControlVault services, and turn off fingerprint login in high-risk situations.
Timeline
- 09.08.2025 21:55 · 2 articles
  ReVault vulnerabilities in Dell ControlVault3 firmware disclosed
  The vulnerabilities were discovered by Philippe Laulheret, a senior vulnerability researcher at Cisco Talos. The vulnerabilities include memory corruption, code execution, and extraction of secret keys. The vulnerabilities can be exploited to permanently modify the firmware running on the chip and bypass fingerprint authentication. The vulnerabilities are part of a set of five CVEs, with three being chained together to achieve the described exploits. The vulnerabilities were patched through Windows updates, with both Dell and Broadcom responding quickly to the findings.
  Sources:
  - Researchers Reveal ReVault Attack Targeting Dell ControlVault3 Firmware in 100+ Laptop Models — thehackernews.com — 09.08.2025 21:55
  - ReVault Flaw Exposed Millions of Dell Laptops to Malicious Domination — www.darkreading.com — 22.08.2025 23:21
Information Snippets
- The vulnerabilities affect over 100 Dell laptop models equipped with Broadcom BCM5820X series chips. (First reported: 09.08.2025 21:55; 2 sources, 2 articles)
  - Researchers Reveal ReVault Attack Targeting Dell ControlVault3 Firmware in 100+ Laptop Models — thehackernews.com — 09.08.2025 21:55
  - ReVault Flaw Exposed Millions of Dell Laptops to Malicious Domination — www.darkreading.com — 22.08.2025 23:21
- The flaws can be exploited to bypass Windows login, extract cryptographic keys, and maintain persistence across OS reinstalls. (First reported: 09.08.2025 21:55; 2 sources, 2 articles)
  - Researchers Reveal ReVault Attack Targeting Dell ControlVault3 Firmware in 100+ Laptop Models — thehackernews.com — 09.08.2025 21:55
  - ReVault Flaw Exposed Millions of Dell Laptops to Malicious Domination — www.darkreading.com — 22.08.2025 23:21
- The vulnerabilities include out-of-bounds write, arbitrary free, stack-based buffer overflow, out-of-bounds read, and deserialization of untrusted input issues. (First reported: 09.08.2025 21:55; 2 sources, 2 articles)
  - Researchers Reveal ReVault Attack Targeting Dell ControlVault3 Firmware in 100+ Laptop Models — thehackernews.com — 09.08.2025 21:55
  - ReVault Flaw Exposed Millions of Dell Laptops to Malicious Domination — www.darkreading.com — 22.08.2025 23:21
- The vulnerabilities can be chained to escalate privileges and bypass authentication controls. (First reported: 09.08.2025 21:55; 2 sources, 2 articles)
  - Researchers Reveal ReVault Attack Targeting Dell ControlVault3 Firmware in 100+ Laptop Models — thehackernews.com — 09.08.2025 21:55
  - ReVault Flaw Exposed Millions of Dell Laptops to Malicious Domination — www.darkreading.com — 22.08.2025 23:21
- The vulnerabilities were disclosed at the Black Hat USA security conference. (First reported: 09.08.2025 21:55; 2 sources, 2 articles)
  - Researchers Reveal ReVault Attack Targeting Dell ControlVault3 Firmware in 100+ Laptop Models — thehackernews.com — 09.08.2025 21:55
  - ReVault Flaw Exposed Millions of Dell Laptops to Malicious Domination — www.darkreading.com — 22.08.2025 23:21
- Affected industries include those using ControlVault for secure login via smart card or NFC readers. (First reported: 09.08.2025 21:55; 1 source, 1 article)
  - Researchers Reveal ReVault Attack Targeting Dell ControlVault3 Firmware in 100+ Laptop Models — thehackernews.com — 09.08.2025 21:55
- Dell has provided fixes for the vulnerabilities, and users are advised to apply them. (First reported: 09.08.2025 21:55; 2 sources, 2 articles)
  - Researchers Reveal ReVault Attack Targeting Dell ControlVault3 Firmware in 100+ Laptop Models — thehackernews.com — 09.08.2025 21:55
  - ReVault Flaw Exposed Millions of Dell Laptops to Malicious Domination — www.darkreading.com — 22.08.2025 23:21
- Users are also advised to disable unnecessary ControlVault services and turn off fingerprint login in high-risk situations. (First reported: 09.08.2025 21:55; 1 source, 1 article)
  - Researchers Reveal ReVault Attack Targeting Dell ControlVault3 Firmware in 100+ Laptop Models — thehackernews.com — 09.08.2025 21:55
- The vulnerabilities were discovered by Philippe Laulheret, a senior vulnerability researcher at Cisco Talos. (First reported: 22.08.2025 23:21; 1 source, 1 article)
  - ReVault Flaw Exposed Millions of Dell Laptops to Malicious Domination — www.darkreading.com — 22.08.2025 23:21
- The vulnerabilities include memory corruption, code execution, and extraction of secret keys. (First reported: 22.08.2025 23:21; 1 source, 1 article)
  - ReVault Flaw Exposed Millions of Dell Laptops to Malicious Domination — www.darkreading.com — 22.08.2025 23:21
- The vulnerabilities can be exploited to permanently modify the firmware running on the chip. (First reported: 22.08.2025 23:21; 1 source, 1 article)
  - ReVault Flaw Exposed Millions of Dell Laptops to Malicious Domination — www.darkreading.com — 22.08.2025 23:21
- The vulnerabilities can be exploited to bypass fingerprint authentication. (First reported: 22.08.2025 23:21; 1 source, 1 article)
  - ReVault Flaw Exposed Millions of Dell Laptops to Malicious Domination — www.darkreading.com — 22.08.2025 23:21
- The vulnerabilities are part of a set of five CVEs, with three being chained together to achieve the described exploits. (First reported: 22.08.2025 23:21; 1 source, 1 article)
  - ReVault Flaw Exposed Millions of Dell Laptops to Malicious Domination — www.darkreading.com — 22.08.2025 23:21
- The vulnerabilities were patched through Windows updates, with both Dell and Broadcom responding quickly to the findings. (First reported: 22.08.2025 23:21; 1 source, 1 article)
  - ReVault Flaw Exposed Millions of Dell Laptops to Malicious Domination — www.darkreading.com — 22.08.2025 23:21
Similar Happenings
CISA Emergency Directive 25-03: Mitigation of Cisco ASA Zero-Day Vulnerabilities
The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 25-03, mandating federal agencies to identify and mitigate zero-day vulnerabilities in Cisco Adaptive Security Appliances (ASA) exploited by an advanced threat actor. The directive requires agencies to account for all affected devices, collect forensic data, and upgrade or disconnect end-of-support devices by September 26, 2025. The vulnerabilities allow threat actors to maintain persistence and gain network access. Cisco identified multiple zero-day vulnerabilities (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363, and CVE-2025-20352) in Cisco ASA, Firewall Threat Defense (FTD) software, and Cisco IOS software. These vulnerabilities enable unauthenticated remote code execution, unauthorized access, and denial of service (DoS) attacks. GreyNoise detected large-scale campaigns targeting ASA login portals and Cisco IOS Telnet/SSH services, indicating potential exploitation of these vulnerabilities. The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs, as well as manipulating read-only memory (ROM) to persist through reboot and system upgrade. CISA and Cisco linked these ongoing attacks to the ArcaneDoor campaign, which exploited two other ASA and FTD zero-days (CVE-2024-20353 and CVE-2024-20359) to breach government networks worldwide since November 2023. CISA ordered agencies to identify all Cisco ASA and Firepower appliances on their networks, disconnect all compromised devices from the network, and patch those that show no signs of malicious activity by 12 PM EDT on September 26. CISA also ordered that agencies must permanently disconnect ASA devices that are reaching the end of support by September 30 from their networks. The U.K. National Cyber Security Centre (NCSC) confirmed that threat actors exploited the recently disclosed security flaws in Cisco firewalls to deliver previously undocumented malware families like RayInitiator and LINE VIPER. Cisco began investigating attacks on multiple government agencies in May 2025, linked to the state-sponsored ArcaneDoor campaign. The attacks targeted Cisco ASA 5500-X Series devices to implant malware, execute commands, and potentially exfiltrate data. The threat actor modified ROMMON to facilitate persistence across reboots and software upgrades. The compromised devices include ASA 5500-X Series models running specific software releases with VPN web services enabled. The Canadian Centre for Cyber Security urged organizations to update to a fixed version of Cisco ASA and FTD products to counter the threat.
Cisco IOS and IOS XE SNMP Zero-Day Exploited in Attacks
Cisco has released security updates to address a high-severity zero-day vulnerability (CVE-2025-20352) in Cisco IOS and IOS XE Software. The flaw is a stack-based buffer overflow in the Simple Network Management Protocol (SNMP) subsystem, actively exploited in attacks. This vulnerability allows authenticated, remote attackers to cause denial-of-service (DoS) conditions or gain root control of affected systems. The vulnerability impacts all devices with SNMP enabled, including specific Cisco devices running Meraki CS 17 and earlier. Cisco advises customers to upgrade to a fixed software release, specifically Cisco IOS XE Software Release 17.15.4a, to remediate the vulnerability. Temporary mitigation involves limiting SNMP access to trusted users and disabling the affected Object Identifiers (OIDs) on devices. Additionally, Cisco patched 13 other security vulnerabilities, including two with available proof-of-concept exploit code. Cisco also released patches for 14 vulnerabilities in IOS and IOS XE, including eight high-severity vulnerabilities. Proof-of-concept exploit code exists for two of the vulnerabilities, but exploitation is not confirmed. Three additional medium-severity bugs affect Cisco’s SD-WAN vEdge, Access Point, and Wireless Access Point (AP) software.
Supermicro BMC Firmware Vulnerabilities Allow Firmware Tampering
Two medium-severity vulnerabilities in Supermicro Baseboard Management Controller (BMC) firmware allow attackers to bypass firmware verification and update the system with malicious firmware. These vulnerabilities, CVE-2025-7937 and CVE-2025-6198, exploit flaws in the cryptographic signature verification process. The vulnerabilities affect the Root of Trust (RoT) security feature, potentially allowing attackers to gain persistent control over the BMC system and the main server OS. The issues were discovered by Binarly, a firmware security company. Supermicro has released firmware fixes for impacted models, and Binarly has released proof-of-concept exploits for both vulnerabilities. CVE-2025-7937 is a bypass for a previously disclosed vulnerability, CVE-2024-10237, which was reported by NVIDIA. CVE-2025-6198 bypasses the BMC RoT security feature, raising concerns about the reuse of cryptographic signing keys.
ShadowLeak: Undetectable Email Theft via AI Agents
A new attack vector, dubbed ShadowLeak, allows hackers to invisibly steal emails from users who integrate AI agents like ChatGPT with their email inboxes. The attack exploits the lack of visibility into AI processing on cloud infrastructure, making it undetectable to the user. The vulnerability was discovered by Radware and reported to OpenAI, which addressed it in August 2025. The attack involves embedding malicious code in emails, which the AI agent processes and acts upon without user awareness. The attack leverages an indirect prompt injection hidden in email HTML, using techniques like tiny fonts, white-on-white text, and layout tricks to remain undetected by the user. The attack can be extended to any connector that ChatGPT supports, including Box, Dropbox, GitHub, Google Drive, HubSpot, Microsoft Outlook, Notion, or SharePoint. The ShadowLeak attack targets users who connect AI agents to their email inboxes, such as those using ChatGPT with Gmail. The attack is non-detectable and leaves no trace on the user's network. The exploit involves embedding malicious code in emails, which the AI agent processes and acts upon, exfiltrating sensitive data to an attacker-controlled server. OpenAI acknowledged and fixed the issue in August 2025, but the exact details of the fix remain unclear. The exfiltration in ShadowLeak occurs directly within OpenAI's cloud environment, bypassing traditional security controls.
Critical deserialization flaw in GoAnywhere MFT (CVE-2025-10035) patched
Fortra has disclosed and patched a critical deserialization vulnerability (CVE-2025-10035) in GoAnywhere Managed File Transfer (MFT) software. This flaw, rated 10.0 on the CVSS scale, allows for arbitrary command execution if the system is publicly accessible over the internet. The vulnerability was actively exploited in the wild as early as September 10, 2025, a week before public disclosure. Fortra has released patches in versions 7.8.4 and 7.6.3. The flaw impacts the same license code path as the earlier CVE-2023-0669, which was widely exploited by multiple ransomware and APT groups in 2023, including LockBit. The vulnerability was discovered during a security check on September 11, 2025. Fortra advised customers to review configurations immediately and remove public access from the Admin Console. The Shadowserver Foundation is monitoring over 470 GoAnywhere MFT instances, but the number of patched instances is unknown. The flaw is highly dependent on systems being externally exposed to the internet. The exploitation sequence involved creating a backdoor account and uploading additional payloads, originating from an IP address flagged for brute-force attacks.