Security experts on Tuesday disclosed flaws in Broadcom’s ControlVault, a security chip found in many Dell laptops, which could be exploited to steal sensitive information.

Designed as a standalone security unit, ControlVault is a system-on-chip (SoC) isolated from the device’s editable areas. Dell describes it as “a secure bank” holding passwords, biometric data, and security codes.  

Cisco Talos reported Tuesday that hackers can break into the ControlVault chip, change its firmware, steal data from the secure “bank,” and hide malware beyond the reach of operating system antivirus software.  

Dell’s spokesperson stated that the company warned customers in June of the vulnerability’s “critical” severity and, since March, has partnered with its firmware supplier to resolve the flaws and roll out updates. 

The flaws impact over 100 Dell laptop models, notably the Latitude and Precision series, which are common in cybersecurity, government, and rugged-environment deployments, researchers reported. 

According to researchers, the ReVault issue stems from five vulnerabilities, the most critical being CVE-2025-24919. This flaw makes ControlVault remotely accessible without admin rights, using current Windows APIs. 

An out-of-bounds read bug, CVE-2025-24311, can reveal data meant to remain inside ControlVault, while CVE-2025-25050, an out-of-bounds write flaw, permits unauthorized writing to the vault. 

Through CVE-2025-24922, a stack buffer overflow, hackers can run code in ControlVault; CVE-2025-25215, an arbitrary free flaw, allows clearing memory and implanting hidden malware within the chip. 

Philippe Laulheret, the Cisco senior researcher who uncovered the flaw, stated there is no indication the vulnerabilities have been used in real-world attacks.