Dell BIOS weakness exposes stored passwords

A flaw in the BIOS firmware of several Dell computers can allow attackers with physical access to recover administrator and user passwords from the device’s flash memory without brute-force cracking.

The vulnerability, tracked as CVE-2026-40639, affects the way certain Dell client platforms protect passwords stored in the system’s Serial Peripheral Interface flash chip. Dell has classified the issue as a medium-severity weakness and released BIOS updates for a range of affected products.

Successful exploitation could give an unauthenticated attacker elevated privileges at the firmware level. This may permit changes to security-sensitive settings, including the boot order, Secure Boot configuration and access to removable media.

ADVERTISEMENT

The flaw was identified by security researchers Craig Blackie of MDSec and Darren McDonald of AmberWolf while examining Dell’s implementation of pre-boot security controls. Their analysis found that passwords were stored in Dell’s proprietary DVAR configuration area using reversible XOR encoding rather than a one-way cryptographic hash.

The vulnerable mechanism is implemented through the SystemPwSmm System Management Mode driver used across multiple Dell platforms. Each BIOS password is stored inside a 32-byte record. The first character remains unencrypted, while the remaining characters are encoded with a repeating 20-byte XOR key.

Unused space in the record is padded with zeros before encryption. Since a zero value XORed with a key produces the key itself, the unused section can disclose enough information to reconstruct the encryption key. For passwords containing up to 12 characters, the full key may be exposed within the same record.

Once the key has been extracted, the stored password can be restored directly. The recovery process is deterministic and can be completed in milliseconds, eliminating the need for dictionary attacks, password guessing or large-scale computing resources.

Longer passwords are not necessarily protected. Dell’s DVAR storage operates as a log-structured system, meaning earlier password records can remain in flash memory after a password is changed. Data from multiple records may help fill gaps in the key and enable recovery of longer credentials.

An attacker would first need to read the BIOS flash. This can be done through direct access to the motherboard using a low-cost flash programmer and a clip attached to the chip. The memory may also be accessible if an attacker can boot an operating system under their control.

The physical-access requirement limits remote exploitation. However, the flaw presents a greater concern for organisations operating unattended systems, thin clients, industrial equipment, kiosks and computers deployed in publicly accessible locations.

The consequences may also extend beyond a single machine. Companies sometimes use a common BIOS password across large groups of computers to simplify administration. Recovering the credential from one device could therefore expose BIOS controls across an entire fleet.

Password reuse could increase the impact further if firmware credentials resemble passwords used for management consoles, support accounts or other internal services. Security teams have been advised to treat any recovered BIOS password as potentially compromised elsewhere.

Dell assigned the vulnerability a CVSS score of 5.7. The score reflects a physical attack vector, no requirement for prior privileges or user interaction, and potentially serious effects on confidentiality and integrity. The researchers assessed the issue at 6.1, arguing that exploitation requires relatively low complexity once access to the flash chip has been obtained.

The affected products listed by Dell include the Edge Gateway 3000 and 5000, Embedded PC 3000 and 5000, Precision 3630 Tower, Precision 3930 Rack, Precision 5540, OptiPlex 7070 Ultra Form Factor and several Latitude models.

Latitude systems named in the advisory include the 3190, 3190 2-in-1, 3310, 3310 2-in-1, 7220 Rugged Extreme, Rugged 5420, Rugged 5424, Rugged 7220EX and Rugged 7424. Required BIOS versions differ by model.

Dell began releasing corrected firmware in June. The company has warned that its published product list may not cover every affected supported version and could be expanded as its investigation and remediation work continue.

Some older systems using the vulnerable storage method are approaching or have passed the end of their support periods. The researchers also confirmed the mechanism on a Wyse 5070 thin client and said the model had not received a fix when their technical findings were published.



Notice an issue?

Arabian Post strives to deliver the most accurate and reliable information to its readers. If you believe you have identified an error or inconsistency in this article, please don't hesitate to contact our editorial team at editor[at]thearabianpost[dot]com. We are committed to promptly addressing any concerns and ensuring the highest level of journalistic integrity.


ADVERTISEMENT
Social Media Auto Publish Powered By : XYZScripts.com