ReVault flaws let attackers bypass Windows login or place malware implants on Dell laptops

Planting implants: An investigation by Cisco Talos uncovered two out-of-bounds vulnerabilities (CVE-2025-24311, CVE-2025-25050), an arbitrary free (CVE-2025-25215) and a stack-overflow flaw (CVE-2025-24922), all affecting the ControlVault firmware. The same researchers also discovered an unsafe deserialization flaw (CVE-2025-24919) affecting ControlVault’s Windows APIs. This vulnerability makes it possible to trigger arbitrary code execution on the ControlVault firmware, allowing the extraction of key material essential to the security of the device and in turn opening the door to modifying its firmware. “This creates the risk of a so-called implant that could stay unnoticed in a laptop’s CV firmware and eventually be used as a pivot back onto the system in the case of a threat actor’s post-compromise strategy,” Philippe Laulheret, senior vulnerability researcher at Cisco Talos, warned.

USH board hardware exploitation: Other risks stem from a potential attack where an attacker with physical access to a vulnerable laptop would pry it open and directly access the USH board over USB with a custom connector. In this scenario, an attacker could hack the device without needing either login credentials or the full-disk encryption password. “While chassis-intrusion can be detected, this is a feature that needs to be enabled beforehand to be effective at warning of a potential tampering,” Cisco Talos researchers noted. In cases where a system is configured so that it is unlocked with a user’s fingerprint, the vulnerabilities could be exploited to tamper with the firmware and allow it to accept any fingerprint rather than only that of a legitimate user, setting up the possibility of Mission Impossible-style hack scenarios.

Mitigation: The first step in mitigating all the flaws is to install the latest version of the ControlVault3 firmware. “CV firmware can be automatically deployed via Windows Update, but new firmware usually gets released on the Dell website a few weeks prior,” Cisco Talos noted. Enterprises that don’t use security peripherals (fingerprint reader, smart card readers, or NFC readers) should consider disabling CV services as a precaution. Disabling fingerprint login when risks are heightened, such as during offsite visits or while traveling, offers another potential mitigation. Cisco Talos concluded that its research offers a stark example of why it’s important to consider the security of hardware components of a system rather than only focusing on its software. “Vulnerabilities in widely-used firmware such as Dell ControlVault can have far-reaching implications, potentially compromising even advanced security features like biometric authentication,” Cisco Talos’ Laulheret concluded.

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4035211/revault-flaws-let-attackers-bypass-windows-login-or-place-malware-implants-on-dell-laptops.html
