Close Menu
Edu Expertise Hub
    Facebook X (Twitter) Instagram
    Wednesday, August 6
    • About us
    • Contact
    • Submit Coupon
    Facebook X (Twitter) Instagram YouTube
    Edu Expertise Hub
    • Home
    • Udemy Coupons
    • Best Online Courses and Software Tools
      • Business & Investment
      • Computers & Internet
      • eBusiness and eMarketing
    • Reviews
    • Jobs
    • Latest News
    • Blog
    • Videos
    Edu Expertise Hub
    Home » Latest News » Attacker could defeat Dell firmware flaws with a vegetable
    Latest News

    Attacker could defeat Dell firmware flaws with a vegetable

    TeamBy TeamAugust 5, 2025No Comments5 Mins Read0 Views
    Facebook Twitter Pinterest LinkedIn Telegram Tumblr Email
    Attacker could defeat Dell firmware flaws with a vegetable
    Share
    Facebook Twitter LinkedIn Pinterest Email


    Over 100 models of Dell laptop PCs across the enterprise-centric Lattitude and Precision ranges, and many thousands of individual devices, are at risk of compromise through a series of five common vulnerabilities and exposures (CVEs) that affect their security firmware and associated Microsoft Windows application programming interfaces (APIs), according to a new disclosure from the Cisco Talos threat lab.

    Collectively dubbed ReVault by the Talos researchers who discovered it, the vulnerabilities can be used by a malicious actor to maintain access to the victim device even if Windows has been reinstalled, and can also be used as a physical compromise to bypass Windows Login, or enable a local user to obtain admin or system-level rights.

    According to Phillipe Laulheret, a senior vulnerability researcher at Cisco Talos, the vulnerabilities centre on the hardware-based ControlVault3 solution that manages passwords, biometric templates and other security codes within the device firmware on a daughter board, which Dell refers to as a Unified Security Hub (USH). This hub can be used to connect peripheral security devices, like a fingerprint reader or near-field communications (NFC) device.

    In a blog post, Laulheret wrote that vulnerabilities on ControlVault USHs were potentially highly dangerous.

    “These laptop models are widely-used in the cyber security industry, government settings and challenging environments in their rugged version. Sensitive industries that require heightened security when logging in – via smartcard or NFC – are more likely to find ControlVault devices in their environment, as they are necessary to enable these security features,” he explained.

    The five newly-published CVEs are tracked as CVE-2025-24311 and CVE-2025-25050, both out-of-bounds flaws, an arbitrary free vulnerability tracked as CVE-2025-25215, and a stack overflow bug tracked as CVE-2025-24922. The fifth issue affecting ControlVault’s Windows APIs is an unsafe deserialisation flaw tracked as CVE-2025-24919.

    Spring onions: the newest cyber attack vector

    The Talos disclosure detailed a number of potential exploitation scenarios. For example, an attacker with limited rights could interact with the ControlVault firmware via its APIs to trigger arbitrary code execution on the firmware, from where they could steal key material that could be used to permanently modify said firmware. This would enable them to establish persistence, unnoticed by the victim, and pivot back to do more damage down the line.

    In a different scenario, a local attacker who had managed to gain physical access to a laptop could open the body and directly access the USH via a universal serial bus (USB) connection, at which point the other four vulnerabilities would all become exploitable, with no need for the attacker to have logged onto the system or to have obtained a full-disk encryption password.

    If the system was configured to accept a fingerprint when logging on, it would also be possible to tamper with the firmware to that it would accept any input, including non-human ones such as vegetables; a video posted by Cisco shows a spring onion being used to unlock a vulnerable laptop.

    Next steps for salad dodgers

    The spring onion demo being an amusing ‘first’ for the cyber security industry, the ReVault flaws clearly do have serious impacts, said Cisco Talos, and demonstrate the importance of evaluating the security of hardware components, which can be overlooked in comparison to software flaws.

    Organisations are advised to ensure the latest firmware is installed – which can be done via Windows Update – or via Dell. If organisations are not using any security peripherals, it may be worth disabling ControlVault services in the Service Manager or the device itself in Device Manager.

    To avoid the spring onion attack if this is a concern, security teams may also wish to consider disabling fingerprint-based login in situations where risks may be heightened, or by activating Windows Enhanced Sign-in Security (ESS).

    For attack detection, depending on the model of device it can be possible to detect a chassis intrusion via the Basic Input/Output System (BIOS). Security teams can also look for unexpected Windows Biometric Service or Credential Vault crashes in the device logs, and anybody using Cisco Secure Endpoint can use the signature definition ‘bcmbipdll.dll Loaded by Abnormal Process’.

    Dell released updates addressing the ReVault vulnerabilities on 13 June and advised customers at that time.

    “Working with our firmware provider, we addressed the issues quickly and transparently disclosed the reported vulnerabilities in accordance with our Vulnerability Response Policy,” a spokesperson told Computer Weekly.

    “Customers can review the Dell Security Advisory DSA-2025-053 for information on affected products, versions, and more. As always, it is important that customers promptly apply security updates that we make available and move to supported versions of our products to ensure their systems remain secure,” they said.

    Dell added: “Collaborating with industry partners and the research community on coordinated disclosures is a key part of strengthening the security of our products and advancing the broader technology industry.”

    This post is exclusively published on eduexpertisehub.com

    Source link

    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
    Team

      Related Posts

      As schools embrace AI, an educator offers top tips, cautions, and predictions

      August 5, 2025

      Black Hat USA: Halcyon and Sophos tag-team ransomware fightback

      August 5, 2025

      Rolling Back Education Access for Undocumented Students

      August 4, 2025

      A practical guide for sourcing edtech

      August 4, 2025

      Securing agentic identities focus of Palo Alto’s CyberArk buy

      August 3, 2025

      How My Students Found Their Voice Through Global Learning

      August 3, 2025
      Courses and Software Tools

      Extreme Privacy: What It Takes to Disappear

      August 24, 202460 Views

      Modern C++ Programming Cookbook: Master Modern C++ with comprehensive solutions for C++23 and all previous standards

      September 18, 202428 Views

      Meebook E-Reader M7 | 6.8′ Eink Carta Screen | 300PPI Smart Light | Android 11 | Ouad Core Processor | Out Speaker | Support Google Play Store | 3GB+32GB Storage | Micro-SD Slot | Gray

      August 19, 202423 Views

      Coders at Work: Reflections on the Craft of Programming

      April 19, 202518 Views

      HR from the Outside In: Six Competencies for the Future of Human Resources

      May 20, 202517 Views
      Reviews

      Ultimate Web Development Course 2025 – Build Modern Websites | Udemy Coupons 2025

      August 6, 2025

      UI/UX Front End Developer

      August 6, 2025

      Attacker could defeat Dell firmware flaws with a vegetable

      August 5, 2025

      CapCut for Cinematography Motion Graphics and Social Media | Udemy Coupons 2025

      August 5, 2025

      Medical Laboratory Scientist II- Chemistry

      August 5, 2025
      Stay In Touch
      • Facebook
      • YouTube
      • TikTok
      • WhatsApp
      • Twitter
      • Instagram
      Latest News

      Attacker could defeat Dell firmware flaws with a vegetable

      August 5, 2025

      As schools embrace AI, an educator offers top tips, cautions, and predictions

      August 5, 2025

      Black Hat USA: Halcyon and Sophos tag-team ransomware fightback

      August 5, 2025

      Rolling Back Education Access for Undocumented Students

      August 4, 2025

      A practical guide for sourcing edtech

      August 4, 2025
      Latest Videos

      Digital Marketing Course in Telugu | Career and Job Placement for Btech Students – Odmt Hyderabaf

      August 5, 2025

      How to become an ethical hacker||Learn Cybersecurity. #ethicalhackingbooks #hacker #ethical_hacking

      August 4, 2025

      Why SEO? #seo #copywriting #digitalmarketing #career #businessgrowth #searchengineoptimization

      August 2, 2025

      Tom Brady throws his 600th career NFL TD pass | October 24, 2021 | Buccaneers vs. Bears

      July 31, 2025

      Is the Future of Cyber Security jobs at Risk? (Tech Layoffs Surge!!)

      July 30, 2025
      Latest Jobs

      UI/UX Front End Developer

      August 6, 2025

      Medical Laboratory Scientist II- Chemistry

      August 5, 2025

      Water Wastewater Engineer

      August 5, 2025

      Regional Operations Manager – Newark, NJ (In Field/Remote)

      August 5, 2025

      Senior Accountant / Accounting Supervisor – Manufacturing Industry

      August 5, 2025
      Legal
      • Home
      • Privacy Policy
      • Cookie Policy
      • Terms and Conditions
      • Disclaimer
      • Affiliate Disclosure
      • Amazon Affiliate Disclaimer
      Latest Udemy Coupons

      Mastering Maxon Cinema 4D 2024: Complete Tutorial Series | Udemy Coupons 2025

      August 22, 202435 Views

      Advanced Program in Human Resources Management | Udemy Coupons 2025

      April 5, 202534 Views

      Diploma in Aviation, Airlines, Air Transportation & Airports | Udemy Coupons 2025

      March 21, 202530 Views

      Time Management and Timeboxing in Business, Projects, Agile | Udemy Coupons 2025

      April 2, 202522 Views

      Python Development & Data Science: Variables and Data Types | Udemy Coupons 2025

      May 24, 202521 Views
      Blog

      Supplements for Busy Women That Actually Work?

      July 29, 2025

      Kick-Start Your Career This Summer: 6 Tips For Job Seekers

      July 25, 2025

      What To Do After Getting A Promotion At Work | Career Tips

      July 24, 2025

      How to Build a Marketing Team That Doesn’t Waste Time, Talent, or Budget

      July 18, 2025

      4 Ways To Keep Your Job Search Active This Summer

      July 16, 2025
      Facebook X (Twitter) Instagram Pinterest YouTube Dribbble
      © 2025 All rights reserved!

      Type above and press Enter to search. Press Esc to cancel.

      We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies.
      .
      SettingsAccept
      Privacy & Cookies Policy

      Privacy Overview

      This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
      Necessary
      Always Enabled
      Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
      Non-necessary
      Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
      SAVE & ACCEPT