News Analysis: Millions of Dell Laptops Vulnerable to Device Takeover and Persistent Malware Attacks
A wide range of critical vulnerabilities, collectively dubbed “ReVault,” affects millions of Dell laptops used by government agencies, cybersecurity professionals, and enterprises worldwide. The vulnerabilities, identified by Cisco Talos researchers, lie in the Broadcom BCM5820X security chip that runs Dell’s ControlVault3 firmware. These flaws create opportunities for attackers to steal passwords and biometric data and to maintain persistent access to compromised systems, even after a complete Windows reinstallation.
The vulnerabilities, which affect more than 100 different models of Dell laptops, are particularly dangerous because the malicious code resides below the operating system level, where traditional antivirus solutions cannot detect or remove it. Dell has responded promptly to the vulnerability disclosure, working with Broadcom to develop and distribute firmware updates beginning in March 2025. The company notified customers of the critical security issues on June 13, 2025, and has been releasing patches through both Windows Update and Dell’s support website. Dell has also emphasized that there is no evidence of active exploitation in the wild.
Key Insights into the ReVault Vulnerabilities
This security incident carries several critical implications:
- Persistent Compromise Below the OS Level: The most concerning aspect of the ReVault vulnerabilities is their potential for establishing a persistent compromise that remains undetected even after a complete Windows reinstallation. According to the researchers, a non-administrative user can interact with ControlVault firmware through Windows APIs to trigger arbitrary code execution, allowing attackers to extract cryptographic keys and permanently modify the firmware. This creates a “so-called implant that could stay unnoticed in a laptop’s ControlVault firmware and eventually be used as a pivot back onto the system.”
- Bypass of Biometric and Hardware Security: The vulnerabilities also enable devastating physical attacks. Researchers demonstrated that an attacker with brief physical access to a laptop can open the chassis and directly access the USH board via USB using a custom connector. This approach bypasses the need for system login credentials or knowledge of full-disk encryption passwords. Researchers even showed how tampered ControlVault firmware could be configured to accept any fingerprint for authentication, including non-human objects like a spring onion, highlighting the complete breakdown of biometric security controls.
- Significant Threat to Critical Infrastructure: The vulnerabilities affect Dell’s business-focused Latitude and Precision series laptops, which are widely deployed in sensitive environments such as government facilities and cybersecurity companies. The Cybersecurity and Infrastructure Security Agency (CISA), which is the operational lead for federal cybersecurity, works with vendors to coordinate the disclosure and remediation of critical vulnerabilities that pose risks to critical infrastructure. The Cyber Resilience Act (CRA) in the EU, which came into force in December 2024, also sets strict cybersecurity standards for hardware and software, and a vulnerability of this nature would be a clear trigger for a formal investigation from the relevant authorities.
- High-Severity Flaws: Cisco Talos researchers identified five distinct vulnerabilities in the ControlVault3 and ControlVault3+ systems, all of which received CVSS scores above 8.0, classifying them as “high” severity threats. The combination of these flaws creates particularly dangerous attack scenarios that security experts warn could have far-reaching consequences, particularly for government agencies and cybersecurity professionals who rely on Dell’s laptops for their security infrastructure.
Critical Mitigation Strategies for Organizations and Authorities
In response to this security threat, immediate and robust mitigation efforts are essential:
- Immediate Firmware Patching: Organizations are strongly urged to apply firmware updates immediately, as the automated deployment through Windows Update may not reach all enterprise environments with restricted update policies. Dell has been releasing firmware updates since March 2025 through its support website and Windows Update.
- Proactive Security Posture Assessment: The Cisco Talos researchers concluded that these findings “highlight the importance of evaluating the security posture of all hardware components within your devices, not just the operating system or software.” Organizations should stay vigilant, patch their systems, and proactively assess risk to safeguard their systems against evolving threats.
- Disable Unused Features: If an organization is not using any of the security peripherals (fingerprint reader, smart card reader, and NFC reader), it is possible to disable the ControlVault services and/or the ControlVault device via the Service Manager or the Device Manager.
- Enhanced Security and Threat Detection: Organizations should implement behavioral monitoring for techniques such as PowerShell abuse, credential theft, and stealthy data exfiltration. They should also implement enhanced monitoring of their systems to detect and respond to any unusual activity that could indicate exploitation of these flaws or misuse of credentials and biometric data extracted through them.
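The “Disable Unused Features” step above can be scripted for fleet-wide inventory and rollout. The following PowerShell script is an added example, not code from the article, Cisco Talos, or Dell; it assumes the ControlVault service and device names contain the string “ControlVault” (adjust the pattern if your image names them differently) and that it runs in an elevated session.

```powershell
# Added example: inventory the ControlVault service(s) and PnP device(s) on a
# Dell laptop and, if the fingerprint/smart card/NFC peripherals are unused,
# disable them. Assumption: names contain "ControlVault". Run elevated.
# Preview first with:  .\Disable-ControlVault.ps1 -Disable -WhatIf
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string] $Pattern = '*ControlVault*',
    [switch] $Disable
)

# 1. Windows services matching the pattern (what Service Manager shows)
$services = Get-Service |
    Where-Object { $_.DisplayName -like $Pattern -or $_.Name -like $Pattern }

# 2. Present plug-and-play devices matching the pattern (what Device Manager shows)
$devices = Get-PnpDevice -PresentOnly |
    Where-Object { $_.FriendlyName -like $Pattern }

if (-not $services -and -not $devices) {
    Write-Host "No service or device matched '$Pattern'; nothing to do."
    return
}

# Always print the inventory so the change is auditable
$services | Select-Object Name, DisplayName, Status, StartType | Format-Table -AutoSize
$devices  | Select-Object InstanceId, FriendlyName, Status, Class  | Format-Table -AutoSize

if (-not $Disable) {
    Write-Host "Inventory only. Re-run with -Disable to stop services and disable devices."
    return
}

foreach ($svc in $services) {
    if ($PSCmdlet.ShouldProcess($svc.Name, 'Stop service and set StartupType=Disabled')) {
        Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $svc.Name -StartupType Disabled
    }
}

foreach ($dev in $devices) {
    if ($PSCmdlet.ShouldProcess($dev.InstanceId, 'Disable PnP device')) {
        Disable-PnpDevice -InstanceId $dev.InstanceId -Confirm:$false
    }
}
```

Disabling the device stops the fingerprint, smart card, and NFC readers from working, so apply it only where those peripherals are genuinely unused; it reduces the attack surface but is not a substitute for installing the firmware update.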