Mallory

Severity: High

Unsafe deserialization in Dell ControlVault3 cvhDecapsulateCmd

Identifiers: CVE-2025-24919 · CWE-502: Deserialization of Untrusted Data

CVE-2025-24919 is an unsafe deserialization vulnerability in Dell ControlVault3 prior to 5.15.10.14 and ControlVault3 Plus prior to 6.2.26.36. The flaw exists in the host-side cvhDecapsulateCmd functionality used by ControlVault’s Windows APIs to process firmware-defined response data. A specially crafted ControlVault response to a command can be deserialized unsafely by bcmbipdll.dll, leading to memory corruption; the supporting research specifically states this host-side decapsulation path can cause a stack overflow in host processes. The issue is exploitable when an attacker can cause the host to consume a malicious response from compromised or attacker-controlled ControlVault firmware.

Analyst brief: impact, mitigation & remediation

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can result in arbitrary code execution in the affected host process consuming the malicious ControlVault response. Because the surrounding ControlVault ecosystem includes high-privilege Windows services and biometric paths, exploitation may enable compromise of privileged Windows components and can be used as part of a chain to obtain SYSTEM privileges on the host. In the broader ReVault context, this also supports persistence and post-compromise operations when paired with malicious firmware on the Unified Security Hub.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by disabling unused ControlVault-related functionality and services, especially where fingerprint, smart card, or NFC features are not required. Monitor for abnormal loading of bcmbipdll.dll, unexpected access to the ControlVault device interface, and crashes in related services such as WinBioSvc, bcmHostStorageService, bcmHostControlService, or bcmUshUpgradeService. In higher-risk environments, consider disabling fingerprint login and enabling chassis intrusion detection and Windows Enhanced Sign-in Security where supported.
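A defender-side check for the indicators named above, added here as an example and not Dell's or Mallory's code: it compares the installed ControlVault3 version with the fixed versions from this advisory, then pulls crash events and image-load events that mention bcmbipdll.dll or the listed services. It assumes Windows PowerShell 5.1 or later run elevated, an Uninstall registry entry whose DisplayName contains "ControlVault" (a guessed pattern), and Sysmon with image-load logging for the third check.

```powershell
# Added example, not Dell's or Mallory's code. Run elevated on a Dell host.
# Assumptions: the ControlVault software leaves an Uninstall entry whose
# DisplayName contains "ControlVault" (guessed pattern; adjust if needed), and
# Sysmon logs image loads (event 7) for the third check.

# Fixed versions stated in the advisory.
$Fixed = @{ 'ControlVault3' = [version]'5.15.10.14'; 'ControlVault3 Plus' = [version]'6.2.26.36' }

# 1. Installed ControlVault3 / ControlVault3 Plus version versus the fixed version.
function Get-ControlVaultStatus {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*ControlVault*' -and $_.DisplayVersion } |
        ForEach-Object {
            $product   = if ($_.DisplayName -like '*Plus*') { 'ControlVault3 Plus' } else { 'ControlVault3' }
            $installed = [version]$_.DisplayVersion
            [pscustomobject]@{
                Product    = $product
                Installed  = $installed
                Fixed      = $Fixed[$product]
                Vulnerable = ($installed -lt $Fixed[$product])
            }
        }
}

# 2. Application Error crashes (event 1000) naming bcmbipdll.dll or one of the
#    ControlVault-related services listed in the advisory.
function Get-ControlVaultCrashes([int]$Days = 7) {
    $pattern = 'bcmbipdll\.dll|WinBioSvc|bcmHostStorageService|bcmHostControlService|bcmUshUpgradeService'
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Application Error'
                                     Id = 1000; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $pattern } |
        Select-Object TimeCreated, @{ n = 'Summary'; e = { (($_.Message -split "`r?`n")[0..2]) -join ' | ' } }
}

# 3. bcmbipdll.dll loaded into a process other than the expected host (Sysmon event 7).
#    The allow-list is an assumption for this example; tune it to what your fleet shows.
function Get-UnexpectedBcmbipdllLoads([int]$Days = 7) {
    $expectedHosts = 'svchost.exe'
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'
                                     Id = 7; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'ImageLoaded:\s+.*\\bcmbipdll\.dll' } |
        ForEach-Object {
            $image = [regex]::Match($_.Message, '(?m)^Image:\s+(.+?)\s*$').Groups[1].Value
            if ((Split-Path $image -Leaf) -notin $expectedHosts) {
                [pscustomobject]@{ TimeCreated = $_.TimeCreated; Process = $image }
            }
        }
}

Get-ControlVaultStatus | Format-Table
Get-ControlVaultCrashes | Format-Table -Wrap
Get-UnexpectedBcmbipdllLoads | Format-Table
```

A row with Vulnerable = True, or any hit from the second or third function, is the signal to prioritise the upgrade described under Remediation and to pull the affected host for investigation.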

Remediation

Patch, then assume compromise.

Upgrade Dell ControlVault3 to version 5.15.10.14 or later and ControlVault3 Plus to version 6.2.26.36 or later. Apply Dell/Broadcom-provided firmware and software updates through Dell releases or Windows Update where available. Ensure both the ControlVault firmware and associated Windows API components are updated, since the vulnerable logic is in the host-side API processing path.
Public exploits

No public exploit code observed for this vulnerability.
