Eclypsium has discovered four vulnerabilities that impact 128 Dell device models, and an estimated 30 million individual devices, that allow threat actors to remotely execute code in a pre-boot environment, according to new research released today.

This chain of vulnerabilities has a cumulative CVSS score of 8.3 (High) because it allows a privileged network adversary to impersonate Dell.com and gain arbitrary code execution at the BIOS/UEFI level of the affected device. Such an attack would enable adversaries to control the device’s boot process and subvert the operating system and higher-layer security controls, say Eclypsium researchers. 

The Eclypsium team has coordinated with Dell PSIRT throughout the disclosure process. Dell has issued a Dell Security Advisory and is scheduling BIOS/UEFI updates for affected systems and updates to affected executables from Dell.com. Please reference the Mitigations section for the latest information on how to protect affected devices. 

These vulnerabilities enable an attacker to remotely execute code in the pre-boot environment. Such code may alter the initial state of an operating system, violating common assumptions on the hardware/firmware layers and breaking OS-level security controls. As attackers increasingly shift their focus to vendor supply chains and system firmware, it is more important than ever that organizations have independent visibility and control over the integrity of their devices.

Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber, says, "Dell customers must be prepared to act quickly to ensure their businesses are safe from this vulnerability. But cyber hygiene preparedness varies across companies, and even from team to team within the same company. Cyber readiness can be determined by answering these questions: Do I know what level of risk this vulnerability actually poses to my specific business? Is the risk posed by the Dell Client BIOS vulnerability more critical to my business than other vulnerabilities? Do I have a way to determine (gut feel doesn’t count) whether or not I am comfortable with this risk? Are we properly resourced to do the work necessary to eliminate this risk through an orchestrated, deliberate vulnerability remediation campaign?"