Talos Vulnerability Report

TALOS-2025-2173

Dell ControlVault3 ControlVault WBDI Driver hard-coded password vulnerability

November 17, 2025

CVE Number

CVE-2025-31649

SUMMARY

A hard-coded password vulnerability exists in the ControlVault WBDI Driver functionality of Dell ControlVault3 5.14.3.0. A specially crafted ControlVault API call can lead to the execution of a privileged operation. An attacker can issue an API call to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Broadcom BCM5820X
Dell ControlVault3 5.14.3.0

PRODUCT URLS

ControlVault3 - https://dell.com/
BCM5820X - https://www.broadcom.com/products/embedded-and-networking-processors/secure/bcm5820x

CVSSv3 SCORE

8.7 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

CWE

CWE-798 - Use of Hard-coded Credentials

DETAILS

Dell ControlVault is a hardware-based solution that can securely store passwords, biometric templates and security codes. It can interface with smart cards, Near-field Communication (NFC) devices and fingerprint readers. The hardware solution is based on the Broadcom BCM5820X chip series.

Control Vault WBDI Driver is Broadcom’s implementation of the Windows Biometric Driver Interface (WBDI), leveraging the Control Vault hardware to provide biometric features using Windows APIs. The relevant features are implemented inside three DLLs (BrcmEngineAdapter.dll, BrcmSensorAdapter.dll, BrcmStorageAdapter.dll). The vulnerabilities in this report are found inside Broadcom’s implementation of the Engine and Storage Adapters.

When a user wants to enroll a new fingerprint via the Windows Biometric Framework, a multi-step process is initiated in which a fingerprint is captured and a so-called “template” is generated and stored on the device. A handle to this template is sent from the Control Vault device back to Windows and is then stored inside the Storage Adapter’s database. It is possible for Windows to also provide a “Payload” object that will be used to authenticate the reader and template information upon subsequent interaction with the fingerprint reader.

Templates (and payloads) are considered sensitive information and, as such, the Broadcom driver protects access to these objects via an (undocumented) authentication parameter. Control Vault supports various undocumented authentication mechanisms, but in this instance, Broadcom made the curious choice to use a hardcoded passphrase to protect these objects. As such, any user with knowledge of the passphrase can tamper with the template and payload data.

We can see this in action in the following code snippet from WBFUSH_CommitEnrollment in BrcmEngineAdapter.dll:

    *(_DWORD *)pObjAttributes = 0x40000;
    *(_DWORD *)pAuthLists = 0xFF0101;
    *(_DWORD *)&pAuthLists[4] = 0xD0000;   // [1]
    pAuthLists[8] = 12;
    strcpy(&pAuthLists[9], "BroadcomWBF");
    log_stuf((wchar_t *)L"WBFUSH_CommitEnrollment() calling CSS_FingerprintCommitEnrollment()\n", v12);
    status = load_bcm();
    if ( !status )
      status = CSS_FingerprintCommitEnrollment(
                 enrollmentID,
                 8u,  // attribute length
                 pObjAttributes,
                 0x15u,  // auth list length
                 pAuthLists,
                 (unsigned int *)pTemplateLength,
                 0i64,
                 pTemplateHandle);

The auth list is defined at [1] and we can see it uses the hardcoded phrase BroadcomWBF as the passphrase.

The exact same code pattern is also found in other functions inside BrcmEngineAdapter.dll: BrcmEngineAdapterCommitEnrollment, WBFUSH_CreatePayloadObject, WBFUSH_GetPayloadObject and finally one function inside BrcmStorageAdapter.dll: WBFUSH_DeleteObject.
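The following is an added example, not code from the Talos report or from the driver: it locates buffers that follow the byte layout built in the snippet above inside an arbitrary byte buffer, and flags the ones that carry the hard-coded passphrase. It also shows why the auth list length is 0x15 (4 + 4 + 1 + 12 bytes). Reading the byte at offset 8 as the passphrase length including the NUL terminator is an inference from the snippet, and the sample buffers are constructed.

```python
import struct

# Values copied from the decompiled WBFUSH_CommitEnrollment snippet above.
HDR0 = 0xFF0101                    # dword written at pAuthLists[0]
HDR1 = 0xD0000                     # dword written at pAuthLists[4]
PASSPHRASE = b"BroadcomWBF\x00"    # strcpy() also writes the NUL terminator
AUTH_LIST_LEN = 0x15               # length passed to CSS_FingerprintCommitEnrollment

# x64 Windows stores the two dwords little-endian.
HEADER = struct.pack("<II", HDR0, HDR1)


def find_auth_lists(blob: bytes):
    """Yield (offset, passphrase_bytes, is_hardcoded) for each auth list in blob.

    Assumption (inferred, not documented): the byte at offset 8 is the
    passphrase length, counting the trailing NUL.
    """
    pos = blob.find(HEADER)
    while pos != -1:
        len_off = pos + len(HEADER)
        if len_off < len(blob):
            n = blob[len_off]
            secret = blob[len_off + 1:len_off + 1 + n]
            if len(secret) == n:   # skip matches truncated by the end of the buffer
                yield pos, secret, secret == PASSPHRASE
        pos = blob.find(HEADER, pos + 1)


def scan(blob: bytes):
    """Return all matches as a list."""
    return list(find_auth_lists(blob))


# Constructed sample buffers (not captured from a real system).
HARDCODED = HEADER + bytes([len(PASSPHRASE)]) + PASSPHRASE
OTHER = HEADER + bytes([8]) + b"example\x00"
SAMPLE = b"\x00" * 16 + HARDCODED + b"\xcc" * 5 + OTHER + HEADER + b"\x20ab"

if __name__ == "__main__":
    for off, secret, hard in scan(SAMPLE):
        print(f"offset {off:#x}: {secret!r} hard-coded={hard}")
```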

From there, it is possible for any local user to tamper with another user’s template or payload. It may also be possible to exfiltrate the content of either one; however, the templates are too large for a regular call to cv_get_object, and as such some creative methods may have to be found first (e.g., maybe relying on cv_export_object).

TIMELINE

2025-04-22 - Vendor Disclosure
2025-06-13 - Vendor Patch Release
2025-11-17 - Public Release

Credit

Discovered by Philippe Laulheret of Cisco Talos.