Dell ControlVault3 & ControlVault3 Plus Vulnerability – Remediation via Intune

1. Overview

In August 2025, Cisco Talos researchers disclosed a series of critical vulnerabilities in Dell ControlVault3 and ControlVault3 Plus firmware, explained in their research “ReVault: When Your SOC Turns Against You”.
Dell confirmed these issues in DSA-2025-053 and released updated firmware to remediate the risk.

These vulnerabilities affect the secure coprocessor responsible for storing and protecting authentication secrets, cryptographic keys, and biometric credentials. Exploitation could allow an attacker with local access to:

• Bypass hardware-based security controls
• Extract sensitive credentials from secure storage
• Escalate privileges on the endpoint
• Tamper with secure authentication mechanisms

Given ControlVault’s central role in endpoint security, remediation is critical to prevent potential compromise of enterprise authentication systems.

2. Fixed Firmware and Packaged Versions

Dell published two key version identifiers for remediation:

• Firmware Remediated Version – The minimum firmware version installed on the device after update.
• Dell Packaged Remediated Version – The Dell update package version that contains the remediated firmware.

ControlVault3 (Standard)

• Firmware Remediated Version: 5.15.7.0
• Dell Packaged Remediated Version: 5.15.10.14 or later
• Dell Package: Dell-ControlVault3-Driver-and-Firmware_G7K77_WIN64_5.15.10.14_A31_01.EXE

ControlVault3 Plus

• Firmware Remediated Version: 6.2.24.0
• Dell Packaged Remediated Version: 6.2.26.36 or later
• Dell Package: Dell-ControlVault3-Plus-Driver-and-Firmware_TWF65_WIN64_6.2.26.36_A09_01.EXE

3. Affected Models

Both Standard and Plus variants cover a wide range of Dell devices including Latitude, Precision, Rugged, and Pro/Max series.
The full affected model lists are published in Dell’s official advisory (DSA-2025-053) and should be used for targeting.

4. Why Direct Deployment of Dell’s EXEs Fails in Intune

Dell’s firmware update packages are self-extracting executables. While they install correctly when run manually, they frequently fail under Microsoft Intune’s Win32 silent deployment framework. This could be due to the EXE’s self-extraction process not being fully silent

Solution: Manually extract the Dell EXE and run the underlying firmware installer (CVHCI64.exe) directly via a custom PowerShell install script.

5. Remediation Deployment Plan via Intune

Step 1 – Extract the Dell Package

1. Download the correct package from Dell Support.
2. Run the EXE on a test machine or extract with 7-Zip.
3. Collect the following files for packaging:
   • Production folder
   • CVHCI64.exe
   • mup.xml
   • package.xml

Step 2 – Use Pre-Built Intune Scripts

I have written install and detection script and is tested on Intune Win32 app packages for both Standard and Plus variants, each containing:

• PowerShell install script – Runs CVHCI64.exe silently.
• Detection script – Checks firmware version against remediation criteria.
• All required firmware files from the Dell package.

Download from GitHub:

• ControlVault3 (Standard)
  GitHub – Dell ControlVault3 Driver and Firmware
• ControlVault3 Plus
  GitHub – Dell ControlVault3 Plus Driver and Firmware

---

Step 3 – Package into Intune

1. Place the extracted firmware files and scripts into a working directory.
2. Convert to .intunewin format using the Microsoft Win32 Content Prep Tool.
3. Create a Win32 App in Intune with:
   • Install Command: powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File Install-ControlVault-Std.ps1
   • Uninstall Command: powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File Install-ControlVault-Std.ps1
   • Detection Rule: Use detection script from GitHub repo.
4. Assign the app to dynamic device groups filtered by model to ensure only affected devices receive the update or you can just scope to Dell devices only as script installs the driver only on the allowed versions specified into the script.

---

Step 4 – Verification Post-Deployment

• Intune Console: Check Device Install Status to ensure devices report as “Installed”.
• Manual Check:
  • Open Device Manager → Security Devices → Dell ControlVault
  • Confirm firmware version meets remediation requirements:
    • ControlVault3: Firmware ≥ 5.15.7.0 and Package ≥ 5.15.10.14
    • ControlVault3 Plus: Firmware ≥ 6.2.24.0 and Package ≥ 6.2.26.36
• Optional: Run detection script manually to confirm correct exit code (0 = Installed).

---

7. References

• Dell Security Advisory: DSA-2025-053
• Cisco Talos Research: ReVault – When Your SOC Turns Against You
• ControlVault3 Script Repo: Dell ControlVault3 Driver and Firmware
• ControlVault3 Plus Script Repo: Dell ControlVault3 Plus Driver and Firmware