Multiple vulnerabilities affecting the BIOSConnect feature within Dell Client BIOS were discovered by Eclypsium researchers.

These vulnerabilities allow an attacker on the same network to impersonate Dell.com and execute arbitrary code at the Basic Input/Output System (BIOS) / Unified Extensible Firmware Interface (UEFI) level, before the operating system loads, which lets the adversary subvert the security controls of every layer above it. The issue affects 129 Dell business laptops, desktops, and tablets, including devices protected by Secure Boot and Dell Secured-core PCs.

In total, this represents more than 30 million devices worldwide.

Dell has issued a Dell Security Advisory and is scheduling BIOS/UEFI updates for the affected systems.

All affected BIOS/UEFI systems have to be updated. However, we recommend that users not use BIOSConnect to perform this firmware update, since it is the very feature being fixed. Instead, run the BIOS update executable from the OS after manually checking its hash against the one published by Dell. Dell lists the following ways to obtain and apply the update:

  • Using one of the Dell notification solutions to be notified and download BIOS/UEFI updates automatically once available.
  • Visiting the Drivers and Downloads site for updates on the applicable products. To learn more, visit the Dell Knowledge Base article Dell BIOS Updates, and download the update for your Dell computer.
  • Flashing the BIOS from the F12 One-Time Boot Menu.
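The manual hash check recommended above, as an added worked example that is not part of the original article or of any Dell tooling. It streams the downloaded update file through SHA-256, normalizes a digest as it is typically copied from a download page (surrounding whitespace, a `SHA256:` label, upper-case hex), and only reports success on an exact match. The file name and the demo payload are constructed for the example; a real check would point `verify_bios_update` at the executable downloaded from Dell's Drivers and Downloads page and at the digest published there.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream a (possibly large) file through SHA-256 and return the hex digest.

    Reading in chunks keeps memory flat regardless of the update's size.
    """
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def normalize_digest(published):
    """Normalize a hash pasted from a vendor download page.

    Strips whitespace, drops a leading label such as 'SHA256:' and
    lower-cases the hex so that presentation differences do not cause
    a spurious mismatch.
    """
    s = published.strip()
    if ":" in s:
        s = s.rsplit(":", 1)[1].strip()
    return s.lower()


def verify_bios_update(path, published_sha256):
    """Return True only if the file's SHA-256 equals the published digest.

    Raises ValueError if the published value is not a 64-char hex string,
    so a truncated copy-paste fails loudly instead of silently mismatching.
    """
    expected = normalize_digest(published_sha256)
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("published SHA-256 is not a 64-character hex string")
    actual = sha256_file(path)
    # Constant-time comparison; cheap habit even though this is a local check.
    return hmac.compare_digest(actual, expected)


def demo():
    """Constructed demonstration: a fake update file, NOT a real Dell image.

    Returns (result_for_correct_digest, result_for_tampered_digest).
    """
    with tempfile.TemporaryDirectory() as d:
        # Hypothetical file name; the content is an arbitrary constructed blob.
        path = os.path.join(d, "BIOS_update_demo.exe")
        with open(path, "wb") as f:
            f.write(b"MZ" + b"\x00" * 4094 + b"constructed-demo-payload")
        good = sha256_file(path)
        # Flip the last hex nibble to simulate a digest that does not match.
        tampered = good[:-1] + ("0" if good[-1] != "0" else "1")
        ok = verify_bios_update(path, "SHA256: " + good.upper() + "\n")
        bad = verify_bios_update(path, tampered)
        return ok, bad


if __name__ == "__main__":
    print(demo())
```

The check is only as good as the channels the two inputs arrive over: the file and the published digest should both be fetched from Dell's site by the operating system, whose browser and TLS stack perform the certificate validation that the vulnerable pre-boot BIOSConnect path did not.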

According to Dell, two of the vulnerabilities have already been remediated on the server side; the remaining fixes will ship as BIOS/UEFI updates in July.