Researchers have discovered a critical vulnerability, CVE-2026-40639, in the BIOS password storage mechanism of a wide range of Dell client devices. The flaw, present in systems using the SystemPwSmm SMM driver, is caused by a weak XOR encryption scheme that allows for the near-instantaneous recovery of plaintext BIOS passwords. An attacker with physical access can read the contents of the device's SPI flash chip and deterministically decrypt the administrator and user passwords. This completely undermines the security provided by the BIOS password, enabling attackers to alter boot settings, disable security features like Secure Boot, and potentially bypass full-disk encryption. Dell has issued an advisory and is in the process of releasing firmware updates.
The vulnerability is rooted in a fundamentally flawed implementation of "encryption" for storing BIOS passwords. Instead of using a strong, one-way hashing algorithm, the firmware encrypts the plaintext password using a simple repeating 20-byte XOR key. The result is stored in a 32-byte field in the SPI flash.
The critical weakness is how the key is exposed. For any password that is 12 characters or shorter, the remainder of the 32-byte storage field is padded with null bytes (0x00). When these null bytes are XORed with the 20-byte key, the key itself is written in plaintext into the padded section of the stored record. An attacker can simply read this record from the SPI flash and extract the key. With the key known, XORing it against the encrypted portion of the record reveals the original password in milliseconds.
This attack requires physical access to the device to connect a standard SPI flash programmer. This is considered a low-complexity attack for a moderately skilled adversary, as described in T1619 - Steal or Forge Authentication Certificates (conceptually similar to stealing a physical key).
The vulnerability affects a broad range of Dell client platforms that use the SystemPwSmm SMM driver. This includes both older and current-generation devices. Confirmed vulnerable models include:
Many other Latitude, XPS, Precision, and Edge Gateway models are also impacted. Dell's security advisory, DSA-2026-197, contains a full list of affected products and the status of firmware patches.
The researchers from MDSec and AmberWolf who discovered the flaw have developed a proof-of-concept exploit. There is no evidence of in-the-wild exploitation at this time, but the public disclosure of the technical details means that threat actors could easily replicate the attack.
An attacker who successfully exploits this vulnerability gains full control over the BIOS/UEFI settings. This allows them to:
T1547.001 - Boot or Logon Autostart Execution).As this attack requires physical access, detection is difficult. The focus should be on identifying vulnerable systems.
Asset Inventory / CMDBfwupdmgr get-devices (Linux) or wmic bios get smbiosbiosversion (Windows)Physical Tamper DetectionDetection of exploitation is nearly impossible post-facto without physical evidence of tampering. The primary focus must be on proactive identification of vulnerable assets.
M1051 - Update Software.M1034 - Limit Hardware Installation.Applying the firmware updates from Dell is the primary and most effective mitigation.
Using full-disk encryption with pre-boot authentication (e.g., BitLocker with PIN) provides a crucial layer of defense against attackers who gain BIOS access.
Strong physical security controls are essential to prevent attackers from gaining the access needed to read the SPI flash.
Researchers privately disclose the vulnerability to Dell.
Dell publishes security advisory DSA-2026-197.
The vulnerability details are publicly disclosed by the researchers.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.