ReVault

Summary

ReVault is the codename for a set of five critical vulnerabilities in Dell's ControlVault3 security subsystem, discovered by Cisco Talos and publicly disclosed in late June 2025. The flaws allow attackers to bypass Windows authentication, escalate privileges, and install persistent malware in firmware that can survive OS reinstalls and drive replacements. Affected systems include many Dell Latitude, Precision, and Rugged models. Patches are available via Dell's advisory DSA-2025-053.

Background

• Discovery: Late 2024 – early 2025 by Cisco Talos during firmware security research.
• Vendor Notification: January 2025 (coordinated disclosure to Dell; Broadcom engaged).
• Patch Development: February – March 2025.
• Patch Release: March – May 2025 across affected models.
• Public Disclosure: Late June 2025 with technical details and CVEs.

ControlVault3 is designed to protect sensitive authentication material (fingerprints, smartcard data, keys) by isolating storage and processing from the host OS. The ReVault vulnerabilities break this isolation boundary.

Impact

• Log in without valid credentials by abusing ControlVault3 verification, bypassing authentication.
• Privilege escalation from user to SYSTEM via vulnerable APIs.
• Firmware persistence as backdoors are implanted that survive OS reinstallations and disk swaps.
• Potential access and exposure of biometric data, stored passwords, and crypto keys.
• With device access, attackers can interface with the Unified Security Hub (USH) board to bypass protections, exploiting at the physical level.

What's ControlVault3?

ControlVault3 is Dell's third-generation embedded hardware security module present in many business-class laptops. It:

• Stores and processes biometric and credential data in an isolated environment.
• Integrates with fingerprint readers, smartcards, and FIDO authentication.
• Works with Windows Hello and enterprise auth frameworks.
• Is intended to reduce exposure to OS-level attacks by creating a trust boundary.

ReVault exploits flaws in both the firmware and its Windows API layer to break that trust boundary.

Implications

• Limited visibility, as traditional EDR/AV is often unable to inspect code running inside firmware/secure modules.
• Reliance on third-party silicon/firmware (Broadcom) introduces systemic risk through supply chain exposure.
• Device integrity must be continuously attested, not implicitly trusted by network location.
• Short hands-on access can be enough to compromise a device.
• Firmware-level attacks may leave minimal host-OS artifacts, complicating forensics, incident response, and reporting.

Mitigation

Immediate (0–7 days)

• Inventory Dell endpoints with ControlVault3; cross-check against Dell advisory DSA-2025-053.
• Apply ControlVault3 updates:
  • Standard: firmware/driver version 5.15.10.14 or newer.
  • Plus: firmware/driver version 6.2.26.36 or newer.
• Temporarily disable fingerprint login on unpatched systems.
• Reinforce physical security for high-value endpoints.

Short-Term (1–4 weeks)

• Validate update success (Dell Command | Update logs or manual checks).
• Monitor for anomalies in authentication (e.g., Windows Event IDs 4624/4625) and unusual ControlVault API activity.
• User communications: avoid leaving devices unattended; lock screens; secure transport.

Medium-Term (1–3 months)

• Create a "known good" firmware baseline post-patch for integrity attestation.
• Disable or restrict debug/diagnostic ports in BIOS; enforce device control via EDR.
• Add firmware checks to monthly maintenance with SLA targets.

Long-Term (3–6+ months)

• Integrate firmware attestation into Zero Trust device compliance.
• Run tabletop/red-team exercises simulating firmware compromise.
• Track Dell security advisories and update regularly.

Timeline

Key Takeaways

• Perimeter defenses are not sufficient; attackers target trust below the OS.
• Zero Trust requires continuous verification of device integrity, identity, and behavior.
• Patch promptly; monitor aggressively for at least 90 days post-disclosure.

References

• Dell Security Advisory: DSA-2025-053
• Cisco Talos Blog: ReVault — When Your SoC Turns Against You
• BleepingComputer: ReVault flaws let hackers bypass Windows login
• ITPro: Millions of Dell laptops impacted

Identification Tool

Use this checklist to determine if a system is affected and up to date:

1. Identify device model: Settings → System → About. Note Dell model (Latitude/Precision/Rugged).
2. Check ControlVault3: Device Manager → System devices → look for "Dell ControlVault" / "ControlVault3".
3. Verify version: Right-click → Properties → Driver tab. Compare against fixed versions in DSA-2025-053:
   • Standard: ≥ 5.15.10.14
   • Plus: ≥ 6.2.26.36
4. Update if needed: Run SupportAssist or Dell Command | Update.
5. Reboot and re-check: Confirm versions after update; if still behind, download the package from the system's Dell Support page.

PowerShell Check Script

Helpdesk one-liner to check ControlVault3 version and patch status:

Get-PnpDevice -Class System | Where-Object { $_.FriendlyName -match "ControlVault" } |
ForEach-Object {
    $dev = $_
    $ver = (Get-PnpDeviceProperty -InstanceId $dev.InstanceId -KeyName 'DEVPKEY_Device_DriverVersion').Data
    Write-Host "Device: $($dev.FriendlyName)"
    Write-Host "Driver Version: $ver"
    if ($dev.FriendlyName -match "Plus") {
        if ([version]$ver -ge [version]"6.2.26.36") {
            Write-Host "Status: OK (Patched)" -ForegroundColor Green
        } else {
            Write-Host "Status: Update Needed (Plus version)" -ForegroundColor Red
        }
    } else {
        if ([version]$ver -ge [version]"5.15.10.14") {
            Write-Host "Status: OK (Patched)" -ForegroundColor Green
        } else {
            Write-Host "Status: Update Needed (Standard version)" -ForegroundColor Red
        }
    }
}