Dell BIOS Flaw Lets Attackers Recover Admin Passwords From SPI Flash in Milliseconds Cybersecurity
Key Facts
- Tracked as CVE-2026-40639 and addressed in Dell Security Advisory DSA-2026-197, the issue affects certain Dell client platforms that use the proprietary DVAR configuration store and the SystemPwSmm SMM driver.
- It affects the SystemPwSmm SMM driver used broadly across Dell client platforms, confirmed on the Latitude E7250, Latitude 7490, XPS 15 9560, and notably the current-generation, supported Wyse 5070 thin client, which remains unpatched.
- Dell […] The post Dell BIOS Flaw Lets Attackers Extract Plaintext Passwords Without Brute Force appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
- A critical flaw in how Dell stores BIOS administrator and user passwords allows full password recovery from a flash dump in milliseconds, with no brute force required.
- Dell validated the findings and issued DSA-2026-197 on June 9, 2026, patching an initial batch of platforms (Edge Gateway, Embedded PC, Precision, and Rugged Latitude lines), with additional fixes targeted for the end of July 2026.
Tracked as CVE-2026-40639 and addressed in Dell Security Advisory DSA-2026-197, the issue affects certain Dell client platforms that use the proprietary DVAR configuration store and the SystemPwSmm SMM driver. The issue is tracked as CVE-2026-40639. It affects the SystemPwSmm SMM driver used broadly across Dell client platforms, confirmed on the Latitude E7250, Latitude 7490, XPS 15 9560, and notably the current-generation, supported Wyse 5070 thin client, which remains unpatched.
TL;DR
- Dell […] The post Dell BIOS Flaw Lets Attackers Extract Plaintext Passwords Without Brute Force appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
- A critical flaw in how Dell stores BIOS administrator and user passwords allows full password recovery from a flash dump in milliseconds, with no brute force required.
- Dell validated the findings and issued DSA-2026-197 on June 9, 2026, patching an initial batch of platforms (Edge Gateway, Embedded PC, Precision, and Rugged Latitude lines), with additional fixes targeted for the end of July 2026.
Independent reporting: This account is corroborated by 2 independent sources, including primary advisories where available.
How the iOS Incident Unfolded
The researchers and Dell disagree slightly on CVSS scoring: Dell rates it 5.7, while the researchers argue for 6.1, based on differing views of Attack Complexity.
Further details indicate that the researchers recommend Dell move to salted, iterated password hashing across all platforms and securely erase historical DVAR records, while advising defenders not to rely on BIOS passwords alone to protect encrypted boot chains.
Longer passwords leave a small blind zone, but the researchers found a way around it: Dell’s key derivation uses only a fixed per-device seed, a GUID, and the single unencrypted first character of the password.
Newer models like the OptiPlex 3000 use a proper SHA-256-based SIVB vault and are not vulnerable, showing Dell has a fix available but hasn’t rolled it out everywhere.
Technical Details
CVEs:
Technical specifics on the underlying mechanism remain under review by security researchers.
Impact
It affects the SystemPwSmm SMM driver used broadly across Dell client platforms, confirmed on the Latitude E7250, Latitude 7490, XPS 15 9560, and notably the current-generation, supported Wyse 5070 thin client, which remains unpatched. Newer models like the OptiPlex 3000 use a proper SHA-256-based SIVB vault and are not vulnerable, showing Dell has a fix available but hasn’t rolled it out everywhere. Dell validated the findings and issued DSA-2026-197 on June 9, 2026, patching an initial batch of platforms (Edge Gateway, Embedded PC, Precision, and Rugged Latitude lines), with additional fixes targeted for the end of July 2026.
Timeline
| Date | Event | |, , |, , -| | 7250 | It affects the SystemPwSmm SMM driver used broadly across Dell client platforms, confirmed on the Latitude E7250, Lat… | | 2026 | Researchers privately disclosed the issue to Dell in March 2026. | | 2026 | Tracked as CVE-2026-40639 and addressed in Dell Security Advisory DSA-2026-197, the issue affects certain Dell client… |
What To Do Now
-
Longer passwords leave a small blind zone, but the researchers found a way around it: Dell’s key derivation uses only a fixed per-device seed, a GUID, and the single unencrypted first character of the password.
-
It affects the SystemPwSmm SMM driver used broadly across Dell client platforms, confirmed on the Latitude E7250, Latitude 7490, XPS 15 9560, and notably the current-generation, supported Wyse 5070 thin client, which remains unpatched.
-
Newer models like the OptiPlex 3000 use a proper SHA-256-based SIVB vault and are not vulnerable, showing Dell has a fix available but hasn’t rolled it out everywhere.
-
Dell validated the findings and issued DSA-2026-197 on June 9, 2026, patching an initial batch of platforms (Edge Gateway, Embedded PC, Precision, and Rugged Latitude lines), with additional fixes targeted for the end of July 2026.
-
The researchers recommend Dell move to salted, iterated password hashing across all platforms and securely erase historical DVAR records, while advising defenders not to rely on BIOS passwords alone to protect encrypted boot chains.
Analysis
This disclosure adds to a growing pattern of significant vulnerabilities affecting enterprise infrastructure.
Sources & References
- CVE-2026-40639 — NIST National Vulnerability Database entry. https://nvd.nist.gov/vuln/detail/CVE-2026-40639
- CVE-2026-40639 — National Vulnerability Database
SecurityXP delivers daily cybersecurity news, vulnerability analysis, data breach reports, and threat intelligence.
Security Digest
Get the latest cybersecurity news, vulnerability alerts, and threat intelligence delivered to your inbox.
Related Articles
Weekly Metasploit Update: Exploits for FlowiseAI CSV Agent and MacOS Package Kit Cybersecurity
Flowise CSV Agent Prompt Injection RCE Authors: Takahiro Yokoyama and zdi-disclosures Type: Exploit Pull request: 21407 contributed by Takahiro-Yoko Path...
TechnologyCritical vulnerability in Red Hat OpenShift AI (RHOAI) Cybersecurity (CVE-2026-15378)
Skip to navigation Skip to main content Utilities Subscriptions Downloads Red Hat Console Get Support Subscriptions Downloads Red Hat Console Get Support...
TechnologyWP-SHELLSTORM Exposed: Hackers Backdoored Thousands of WordPress Websites Cybersecurity
Treat the Joomla JCE flaw (CVE-2026-48907, fixed in 2.9.99.5) as urgent too, since it is a maximum-severity and on CISA's actively-exploited list, even...
TechnologyProgress Urges ShareFile Admins to Shut Down Servers Over Credible Security Threat Cybersecurity
In April 2026, watchTowr Labs disclosed two chainable vulnerabilities in Storage Zone Controller: CVE-2026-2699, an authentication bypass with a CVSS score...