Firmware Flaws Expose Dell Laptops to Undetectable Hijacking
Critical vulnerabilities have been discovered in the Broadcom ControlVault microchip, a component responsible for storing sensitive data on over a hundred models of Dell laptops. According to Cisco Talos, this cluster of vulnerabilities allows attackers to access the secure data enclave, inject malicious code, and remain undetected—even by security mechanisms operating at the OS level.
ControlVault is an isolated system-on-chip (SoC) designed to safeguard biometric templates, passwords, and authentication keys. It serves as a trusted enclave for environments demanding elevated security, ranging from enterprise infrastructures to governmental and defense applications. Particularly at risk are the Dell Latitude and Precision series, including ruggedized models engineered for extreme operational conditions.
At the heart of the issue lies CVE-2025-24919, a vulnerability that enables remote access to the ControlVault without requiring administrative privileges, using standard Windows utilities. In effect, this transforms an isolated enclave into an exposed surface, undermining one of the system’s most critical layers of defense.
In addition to this flaw, four other vulnerabilities have been identified, compounding the overall impact. CVE-2025-24311 allows sensitive data to be exfiltrated from the enclave. CVE-2025-25050 permits unauthorized writing of data into the secure area. CVE-2025-24922 enables arbitrary code execution within ControlVault through a stack buffer overflow. Meanwhile, CVE-2025-25215 allows memory fragments to be improperly released, paving the way for stealthy malware insertion.
These vulnerabilities were discovered by Cisco researcher Philippe Laulheret, who intends to present his findings at the upcoming Black Hat conference. As of this publication, there is no evidence of exploitation in the wild. However, given that ControlVault secures not only biometric credentials but also access keys for smart cards, NFC tokens, and other multifactor authentication methods, the risk to critical sectors remains considerable.
Dell has stated that it began distributing firmware updates in March and has been actively alerting users to the severity of the issue since June. Firmware support is being provided in collaboration with Broadcom, which has yet to issue an official statement.
The core threat lies in the potential for an attacker to establish persistence at a level that bypasses the operating system entirely. Even with antivirus software, integrity verification tools, and security policies in place, interference with ControlVault remains invisible. In the worst-case scenario, this vulnerability could serve as a long-term foothold for surveillance, theft of encryption keys, and the deployment of undetectable trojans.