Dell BIOS Flaw Lets Attackers Extract Plaintext Passwords Without Brute Force
A newly disclosed Dell BIOS password-storage flaw can allow attackers with physical access to recover administrator and user passwords from SPI flash dumps in milliseconds.
Tracked as CVE-2026-40639 and addressed in Dell Security Advisory DSA-2026-197, the issue affects certain Dell client platforms that use the proprietary DVAR configuration store and the SystemPwSmm SMM driver.
Dell describes the vulnerability as a weak password-encoding issue that could allow an unauthenticated attacker with physical access to gain elevated privileges.
Critical Dell BIOS Vulnerability
The MDsec found that vulnerable devices do not store BIOS passwords as one-way hashes. Instead, firmware stores passwords in a 32-byte field using repeating-key XOR encryption.
The first password character is written to flash unencrypted, while the remaining bytes are XORed with a 20-byte key. This design exposes the encryption key through null-byte padding.
Since password records are padded to 32 bytes, the ciphertext corresponding to each unused byte is effectively the raw XOR key byte.
For passwords of up to 12 characters, the padding leaks all 20 key bytes, allowing complete and deterministic recovery of the plaintext password without brute-force, known-plaintext, or side-channel techniques.
“Anything XORed with zero is itself,” the researchers explained. Once an attacker extracts the key from the padded region, they can XOR the encrypted bytes to reconstruct the BIOS password.
For longer passwords, some key bytes may not appear in the null-padded area of a single record. However, the team discovered that the key derivation is largely device-static: it uses a per-device seed, a variable GUID, and the first password byte, which is stored in plaintext.
This leaves only 256 possible keys per device. The DVAR store’s log-structured behavior further worsens the problem. Previous password records remain in flash after a password is changed, even when marked deleted.
If a historical password is shorter and begins with the same character as the active password, attackers can recover the historical key and use it to decrypt the current, longer password.
MDSec confirmed the flaw on Dell Latitude E7250, Latitude 7490, XPS 15 9560, and Wyse 5070 systems. The Wyse 5070 remains supported but was reportedly unpatched at the time of publication.
Newer Dell systems, including the Optiplex 3000, use a different Security Information Vault Block design that stores a SHA-256 password hash within an encrypted vault and was not found to be vulnerable in testing.
Dell assigned the vulnerability a CVSS 3.1 score of 5.7, while the researchers argue it should score 6.1. The disagreement centers on attack complexity: Dell rates it High, while the researchers contend recovery is Low complexity once an attacker obtains a flash dump.
Exploitation requires physical access to the device or the ability to boot an attacker-controlled operating system. An attacker could use an inexpensive SPI programmer and a flash clip to read the firmware directly, recover the BIOS password, alter boot settings, disable Secure Boot, or boot from external media.
Organizations should apply Dell firmware updates, avoid reusing BIOS passwords across systems, and treat affected BIOS passwords as recoverable rather than secret.
Defenders should also rely on layered controls, including Secure Boot, TPM-measured boot, correctly configured full-disk encryption, physical device protections, and secure asset-disposal practices.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.