Researchers from MDSec and AmberWolf have identified a significant vulnerability (CVE-2026-40639) in how Dell BIOS administrator passwords are stored on various hardware platforms. On affected systems, passwords are not hashed but are instead XOR-encrypted within the DVAR region of the SPI flash chip. Due to a mismatch between the 32-byte password field and the 20-byte encryption key, short passwords leak the full key through null-padding, allowing for deterministic recovery of cleartext credentials in milliseconds using a simple flash dump.
This flaw provides a physical-access bypass for critical security controls such as Secure Boot and boot order restrictions, potentially compromising Full Disk Encryption (FDE) chains. The vulnerability persists in both legacy hardware and some current models like the Wyse 5070. While Dell has started rolling out patches and transitioned newer architectures to a secure SHA-256 vault (SIVB), many devices remain unpatched. Defenders are advised to treat BIOS passwords as obfuscation rather than robust protection and to implement unique passwords alongside hardware-level physical security.
Top comments (0)