CVE-2025-24919

high

Description

A deserialization of untrusted input vulnerability exists in the cvhDecapsulateCmd functionality of Dell ControlVault3 prior to 5.15.10.14 and ControlVault3 Plus prior to 6.2.26.36. A specially crafted ControlVault response to a command can lead to arbitrary code execution. An attacker can compromise a ControlVault firmware and have it craft a malicious response to trigger this vulnerability.

References

References
More

https://securityaffairs.com/180883/hacking/over-100-dell-models-exposed-to-critical-controlvault3-firmware-bugs.html

https://www.securityweek.com/flaws-expose-100-dell-laptop-models-to-implants-windows-login-bypass/

https://www.darkreading.com/vulnerabilities-threats/revault-security-flaws-dell-laptops

https://www.bleepingcomputer.com/news/security/revault-flaws-let-hackers-bypass-windows-login-on-dell-laptops/

https://www.theregister.com/2025/08/05/millions_of_dell_pc_with/

https://www.helpnetsecurity.com/2025/08/05/dell-laptops-firmware-vulnerabilities-revault-attacks/

https://therecord.media/critical-firmware-vulnerability-security-professionals

https://hackread.com/dell-laptop-models-vulnerabilities-impacting-millions/

https://blog.talosintelligence.com/revault-when-your-soc-turns-against-you/

https://www.dell.com/support/kbdoc/en-us/000276106/dsa-2025-053

Details

Source: Mitre, NVD

Published: 2025-06-13

Updated: 2025-06-16

Named Vulnerability: ReVault

Risk Information

CVSS v2

Base Score: 6.2

Vector: CVSS2#AV:L/AC:H/Au:N/C:C/I:C/A:C

Severity: Medium

CVSS v3

Base Score: 8.1

Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Severity: High

EPSS

EPSS: 0.00056