
Dell laptops are at risk: This major security flaw lets hackers bypass Windows login and steal sensitive data; here's what you should do

August 09, 2025 / 15:09 IST

Cybersecurity researchers at Cisco Talos have disclosed a set of critical vulnerabilities, collectively called ReVault, affecting the firmware of Dell's ControlVault3 and ControlVault3+ modules and their associated Windows APIs. These flaws can allow attackers to bypass the Windows logon screen, hijack system privileges, and maintain persistent access that survives an operating system reinstallation. ControlVault is a hardware-based security module that stores passwords, biometric templates, and security codes on a dedicated daughter board, the Unified Security Hub (USH), found in many Dell Latitude, Precision, and Rugged laptops used in enterprise and government environments.

Which Dell laptops are reportedly at risk

The affected devices use Dell’s ControlVault3 or ControlVault3+ modules, both powered by the Broadcom Secure Controller chip. This chip connects to and manages security peripherals such as a fingerprint reader, smart card reader, and NFC reader. According to Dell’s advisory (DSA-2025-053), more than 100 actively supported laptop models are impacted, including:

  • Latitude 5440, 5450, 5500, 5511, 5520, 5521, 5530, 5531, 5540, 5550
  • Latitude 7030 Rugged Extreme, 7200 2-in-1, 7210 2-in-1, 7220 Rugged Extreme, 7230 Rugged Extreme
  • Latitude 7300, 7310, 7320, 7320 Detachable, 7330, 7330 Rugged Laptop, 7340, 7350, 7350 Detachable
  • Latitude 7400, 7400 2-in-1, 7410, 7420, 7430, 7440, 7450, 7520, 7530, 7640, 7650, 9330, 9410, 9420, 9430, 9440 2-in-1, 9450, 9510 2-in-1, 9520, and Latitude Rugged 7220EX
  • Precision series: 3470, 3480, 3490, 3540, 3541, 3550, 3551, 3560, 3561, 3570, 3571, 3580, 3581, 3590, 3591, 5470, 5480, 5490, 5680, 5690, 7540, 7550, 7560, 7670

If your Dell laptop is one of these models—or another business-centric Latitude/Precision series—it may be vulnerable unless updated.

The attack scenarios

Cisco Talos disclosed five vulnerabilities: an out-of-bounds read (CVE-2025-24311) and an out-of-bounds write (CVE-2025-25050), an arbitrary free (CVE-2025-25215) and a stack overflow (CVE-2025-24922), all in the ControlVault firmware, plus unsafe deserialization in ControlVault's Windows APIs (CVE-2025-24919). Chained together, these flaws let an attacker execute arbitrary code in the firmware, leak the data the vault is meant to protect, implant malicious firmware, and bypass login protections.

Post-compromise persistence – A non-administrative Windows user could exploit the APIs to inject code into the ControlVault firmware, potentially stashing a persistent implant that survives OS reinstallation and allows later re-entry.  

Physical compromise – An attacker with physical access can open the laptop, plug into the USH board via USB, and exploit the vulnerabilities to bypass authentication entirely—no admin rights, credentials, or disk encryption needed. Rogue firmware may even accept any fingerprint.  

What users can do

Cisco Talos and Dell recommend these steps to reduce risk:

Update firmware immediately

  • For ControlVault3: ensure version is 5.15.10.14 or later.
  • For ControlVault3+: upgrade to version 6.2.26.36 or later.
  • Updates are available via Windows Update and often earlier on Dell’s support website.   

Disable unused security peripherals

If you are not using a fingerprint reader, smart card reader, or NFC reader: disable the ControlVault services in the Windows Services console (services.msc) or disable the device in Device Manager.

Limit biometric use in risky environments

When travelling, or whenever the device is out of your control, disable fingerprint login and sign in with a strong password or PIN, with Windows Enhanced Sign-in Security (ESS) enabled where the hardware supports it.

Enable chassis intrusion detection

Turn this feature on in BIOS, if available. It alerts you to physical tampering and may require a password to proceed.

Monitor for unusual behaviours

Watch Windows logs for crashes in biometric or credential vault services. Cisco Secure Endpoint alerts under the signature “bcmbipdll.dll Loaded by Abnormal Process” may also signal compromise.  
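The checks above, collected into one script for a single endpoint. This is an added example; it is not code from Cisco Talos, Dell, or the article. It assumes that the ControlVault device and its Windows services carry "ControlVault" in their names, that the driver version reported by Device Manager tracks the Dell driver-and-firmware package version (so a 5.x version means ControlVault3 and a 6.x version means ControlVault3+), and that the crashes worth watching surface as Application log Event ID 1000 or System log Event ID 7034. The function names Get-ControlVaultStatus, Get-ControlVaultServices, Get-ControlVaultCrashEvents and Disable-ControlVault are this example's own. Verify the name patterns against your own fleet before relying on the output.

```powershell
# Added example (not code from Cisco Talos, Dell or the article): triage one Dell
# endpoint against the steps above. Run in an elevated PowerShell session.
#
# Assumptions made by this example, not stated in the article:
#   - the ControlVault device and its services carry "ControlVault" in their names;
#   - the driver version shown by Device Manager tracks the Dell driver-and-firmware
#     package version, with 5.x meaning ControlVault3 and 6.x meaning ControlVault3+;
#   - crashes show up as Application log Event ID 1000 (Application Error) or
#     System log Event ID 7034 (service terminated unexpectedly).

# Fixed versions quoted in the article.
$FixedVersions = @{
    'ControlVault3'  = [version]'5.15.10.14'
    'ControlVault3+' = [version]'6.2.26.36'
}

# Step 1: is a ControlVault device present, and is its driver/firmware at or above the fix?
function Get-ControlVaultStatus {
    $devices = @(Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.FriendlyName -match 'ControlVault' })

    if ($devices.Count -eq 0) {
        # No USH/ControlVault device enumerated: the machine is out of scope for ReVault.
        return [pscustomobject]@{ Device = '(none)'; Family = $null; Version = $null; Patched = $true; Note = 'No ControlVault device present' }
    }

    foreach ($dev in $devices) {
        $ver  = $null
        $prop = Get-PnpDeviceProperty -InstanceId $dev.InstanceId `
            -KeyName 'DEVPKEY_Device_DriverVersion' -ErrorAction SilentlyContinue
        if ($prop -and $prop.Data) {
            try { $ver = [version]$prop.Data } catch { $ver = $null }
        }

        # Assumption: major version 6 or above is the ControlVault3+ line, below that ControlVault3.
        $family  = if ($ver -and $ver.Major -ge 6) { 'ControlVault3+' } else { 'ControlVault3' }
        $patched = ($null -ne $ver) -and ($ver -ge $FixedVersions[$family])
        $note    = if ($patched) { 'At or above fixed version' } else { "Update to $($FixedVersions[$family]) or later" }

        [pscustomobject]@{ Device = $dev.FriendlyName; Family = $family; Version = $ver; Patched = $patched; Note = $note }
    }
}

# Step 2: which ControlVault services are installed and running (candidates to disable if unused).
function Get-ControlVaultServices {
    Get-Service -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'ControlVault' } |
        Select-Object Name, DisplayName, Status, StartType
}

# Step 3: recent crashes touching the biometric or ControlVault components.
function Get-ControlVaultCrashEvents {
    param([int]$Days = 14)
    $since   = (Get-Date).AddDays(-$Days)
    $pattern = 'bcmbip|ControlVault|Biometric'   # assumption: names seen in the relevant crash messages

    $appCrashes = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1000; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $pattern }
    $svcCrashes = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7034; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $pattern }

    @($appCrashes) + @($svcCrashes) | Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, LogName, @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

# Step 4 (optional): disable the ControlVault services and device when the readers are unused.
# Supports -WhatIf so the effect can be previewed first.
function Disable-ControlVault {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($svc in (Get-Service | Where-Object { $_.DisplayName -match 'ControlVault' })) {
        if ($PSCmdlet.ShouldProcess($svc.Name, 'Stop and disable service')) {
            Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
            Set-Service -Name $svc.Name -StartupType Disabled
        }
    }
    foreach ($dev in (Get-PnpDevice -PresentOnly | Where-Object { $_.FriendlyName -match 'ControlVault' })) {
        if ($PSCmdlet.ShouldProcess($dev.FriendlyName, 'Disable device')) {
            Disable-PnpDevice -InstanceId $dev.InstanceId -Confirm:$false
        }
    }
}

Get-ControlVaultStatus      | Format-Table -AutoSize
Get-ControlVaultServices    | Format-Table -AutoSize
Get-ControlVaultCrashEvents | Format-Table -AutoSize
# Only if the fingerprint, smart card and NFC readers are not in use:
# Disable-ControlVault -WhatIf   # preview first, then run without -WhatIf
```

A machine that reports a ControlVault device with Patched = False is the one to push the Dell update to first; a machine with no device at all is out of scope. Because the family is inferred from the version number rather than read from the hardware, confirm the model against Dell's DSA-2025-053 list before treating a "Patched = True" result as final.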
