Dell RecoverPoint for VMs Zero-Day CVE-2026-22769 Exploited Since Mid-2024 - The Hacker News
Dell RecoverPoint for VMs Zero-Day CVE-2026-22769 Exploited Since Mid-2024
Ravie LakshmananFeb 18, 2026Zero-Day / Vulnerability
A maximum severity security vulnerability in Dell RecoverPoint for Virtual Machines has been exploited as a zero-day by a suspected China-nexus threat cluster dubbed UNC6201 since mid-2024, according to a new report from Google Mandiant and Google Threat Intelligence Group (GTIG).
The activity involves the exploitation of CVE-2026-22769 (CVSS score: 10.0), a case of hard-coded credentials affecting versions prior to 6.0.3.1 HF1. Other products, including RecoverPoint Classic, are not vulnerable to the flaw.
"This is considered critical as an unauthenticated remote attacker with knowledge of the hardcoded credential could potentially exploit this vulnerability, leading to unauthorized access to the underlying operating system and root-level persistence," Dell said in a bulletin released Tuesday.
The issue impacts the following products -
RecoverPoint for Virtual Machines Version 5.3 SP4 P1 - Migrate from RecoverPoint for Virtual Machines 5.3 SP4 P1 to 6.0 SP3, and then upgrade to 6.0.3.1 HF1
RecoverPoint for Virtual Machines Versions 6.0, 6.0 SP1, 6.0 SP1 P1, 6.0 SP1 P2, 6.0 SP2, 6.0 SP2 P1, 6.0 SP3, and 6.0 SP3 P1 - Upgrade to 6.0.3.1 HF1
RecoverPoint for Virtual Machines Versions 5.3 SP4, 5.3 SP3, 5.3 SP2, and earlier - Upgrade to version 5.3 SP4 P1 or a 6.x version, and then apply the necessary remediation
"Dell recommends that RecoverPoint for Virtual Machines be deployed within a trusted, access-controlled internal network protected by appropriate firewalls and network segmentation," it noted. "RecoverPoint for Virtual Machines is not intended for use on untrusted or public networks."
"We are aware of less than a dozen impacted organizations, but because the full scale of this campaign is unknown, we recommend that organizations previously targeted by BRICKSTORM look out for GRIMBOLT in their environments," Rich Reece, Manager, Mandiant Consulting at Google Cloud, told The Hacker News via email.
Mandiant said it discovered CVE-2026-22769 earlier this year while investigating multiple Dell RecoverPoint for Virtual Machines appliances within an unspecified victim's environment.
"The actor is likely still active in unpatched and remediated environments, and because exploitation has been occurring since mid-2024, they have had significant time to establish persistence and carry out long-term espionage," Reece said. "We anticipate additional companies will find active or historic compromises as they begin hunting using the new IOCs/YARA rules we published."
Per Google, the hard-coded credential relates to an "admin" user for the Apache Tomcat Manager instance that could be used to authenticate to the Dell RecoverPoint Tomcat Manager, upload a web shell named SLAYSTYLE via the "/manager/text/deploy" endpoint, and execute commands as root on the appliance to drop the BRICKSTORM backdoor and its newer version dubbed GRIMBOLT.
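The deployment path described above leaves a trace in the Tomcat access log, which is one of the few artifacts a defender can retro-hunt on an appliance without an EDR agent. The script below is an added example, not code from the article, Dell or Google: it parses Tomcat's default "combined" access-log pattern, flags authenticated writes to the Manager deploy/undeploy endpoints, and then reports later requests that hit the context path those deployments created. The log lines, IP addresses and context name are constructed for illustration.

```python
"""Retro-hunt Tomcat access logs for Manager deployments and follow-on web-shell hits.

Added example (not from the article, Dell or Google). Assumes the default
AccessLogValve "combined"/"common" pattern; sample lines below are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# host ident user [time] "METHOD target PROTO" status size ...
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Manager endpoints that install or remove an application (text API).
WRITE_ENDPOINTS = ("/manager/text/deploy", "/manager/text/undeploy")

# Constructed sample log: one rejected probe, one accepted deploy by the
# Manager user, one request to the freshly deployed context, and normal noise.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Aug/2024:03:14:07 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '10.0.0.5 - admin [12/Aug/2024:03:14:09 +0000] "PUT /manager/text/deploy?path=/status&update=true HTTP/1.1" 200 61',
    '10.0.0.5 - - [12/Aug/2024:03:14:15 +0000] "GET /status/index.jsp HTTP/1.1" 200 152',
    '10.0.0.9 - - [12/Aug/2024:08:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '10.0.0.7 - - [12/Aug/2024:09:00:00 +0000] "PUT /manager/text/deploy?path=/other HTTP/1.1" 401 0',
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one access-log line into its fields, or None if it does not match."""
    m = ACCESS_RE.match(line)
    return m.groupdict() if m else None


def deployed_context(entry: Dict[str, str]) -> Optional[str]:
    """Return the context path named by an accepted Manager write, else None.

    The text API answers HTTP 200 for both "OK -" and "FAIL -" bodies, so the
    status code only tells us whether authentication was rejected (401/403);
    success or failure of the deploy itself is only visible in the response body.
    """
    parts = urlsplit(entry["target"])
    if parts.path not in WRITE_ENDPOINTS or entry["status"] in ("401", "403"):
        return None
    ctx = parse_qs(parts.query).get("path", [""])[0]
    return ctx or "unknown"


def hunt(lines: List[str]) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Return (deploys, followups).

    deploys:   authenticated Manager deploy/undeploy requests.
    followups: later requests whose path falls under a context those deploys created,
               i.e. probable web-shell traffic.
    """
    deploys: List[Dict[str, str]] = []
    followups: List[Dict[str, str]] = []
    contexts = set()
    for line in lines:
        e = parse_line(line)
        if not e:
            continue
        ctx = deployed_context(e)
        if ctx:
            deploys.append({"src": e["src"], "user": e["user"], "ts": e["ts"], "context": ctx})
            if ctx != "unknown":
                contexts.add(ctx)
            continue
        path = urlsplit(e["target"]).path
        if any(path == c or path.startswith(c + "/") for c in contexts):
            followups.append({"src": e["src"], "ts": e["ts"], "path": path})
    return deploys, followups


if __name__ == "__main__":
    found, later = hunt(SAMPLE_LOG)
    for d in found:
        print("DEPLOY  ", d)
    for f in later:
        print("FOLLOWUP", f)
```

Feed it the appliance's `localhost_access_log.*.txt` files; a deploy by the Manager account from an address that is not your own change-management host, followed by requests into the new context, is the pattern to triage first. Sites that do not use the Manager application at all can treat any non-401 hit on these endpoints as a finding.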
"This is a C# backdoor compiled using native ahead-of-time (AOT) compilation, making it harder to reverse engineer," Mandiant's Charles Carmakal added.
Google told The Hacker News that the activity has targeted organizations across North America, with GRIMBOLT incorporating features to better evade detection and minimize forensic traces on infected hosts. "GRIMBOLT is even better at blending in with the system's own native files," it added.
UNC6201 is also assessed to share overlaps with UNC5221, another China-nexus espionage cluster known for its exploitation of virtualization technologies and Ivanti zero-day vulnerabilities to distribute web shells and malware families like BEEFLUSH, BRICKSTORM, and ZIPLINE.
Despite the tactical similarities, the two clusters are assessed to be distinct at this stage. It's worth noting that the use of BRICKSTORM has also been linked by CrowdStrike to a third China-aligned adversary tracked as Warp Panda (aka Clay Typhoon and Storm-2416) in attacks aimed at U.S. entities.
A noteworthy aspect of the latest set of attacks revolves around UNC6201's reliance on temporary virtual network interfaces – referred to as "Ghost NICs" – to pivot from compromised virtual machines into internal or SaaS environments, and then delete those NICs to cover their tracks and impede investigation efforts.
"Consistent with the earlier BRICKSTORM campaign, UNC6201 continues to target appliances that typically lack traditional endpoint detection and response (EDR) agents to remain undetected for long periods," Google said.
Exactly how initial access is obtained remains unclear, but like UNC5221, it's also known to target edge appliances to break into target networks. An analysis of the compromised VMware vCenter appliances has also uncovered iptables commands executed by means of the web shell to perform the following set of actions -
Monitor incoming traffic on port 443 for a specific HEX string
Add the source IP address of that traffic to a list; if an IP address on the list then connects to port 10443, the connection is ACCEPTED
Silently redirect subsequent traffic to port 443 to port 10443 for the next 300 seconds (five minutes) if the IP is on the approved list
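The three actions above map onto well-known iptables building blocks: the `string` match module for the payload trigger, the `recent` module for the per-source allow list with a time window, and a `REDIRECT` rule in the nat table for the silent port swap. A defender auditing a vCenter or similar appliance can look for exactly that combination in `iptables-save` output. The script below is an added example (not from Google's report): it parses constructed `iptables-save` lines and reports payload matching on port 443, rules gated on a `recent` list that such a match populates, and redirection of 443 to another local port. The rule text, list name and hex pattern are constructed placeholders.

```python
"""Audit iptables-save output for payload-triggered, time-windowed port gating.

Added example, not from the article or Google's report. The sample ruleset is
constructed to resemble the behaviour described in prose; real output from
`iptables-save` can be passed to audit() unchanged.
"""
import shlex
from typing import Dict, List, Optional, Tuple

SAMPLE_SAVE = """\
# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -m recent --rcheck --seconds 300 --name knock --rsource -j REDIRECT --to-ports 10443
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 443 -m string --algo bm --hex-string "|deadbeef|" -m recent --set --name knock --rsource
-A INPUT -p tcp -m tcp --dport 10443 -m recent --rcheck --name knock --rsource -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

Rule = Dict[str, object]


def parse_rule(line: str) -> Optional[Rule]:
    """Tokenise one '-A CHAIN ...' line into {"chain", "opts"}; other lines give None.

    opts maps an option name (without dashes) to the list of values that followed
    it; repeated options such as '-m' accumulate, flag-only options map to [].
    The '!' negation marker is skipped, so a negated match is recorded as if it
    were positive; good enough for a triage pass, not for a faithful re-render.
    """
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "-A":
        return None
    opts: Dict[str, List[str]] = {}
    i = 2
    while i < len(toks):
        tok = toks[i]
        if not tok.startswith("-"):
            i += 1
            continue
        key = tok.lstrip("-")
        i += 1
        vals = []
        while i < len(toks) and toks[i] != "!" and not toks[i].startswith("-"):
            vals.append(toks[i])
            i += 1
        opts.setdefault(key, []).extend(vals)
    return {"chain": toks[1], "opts": opts}


def first(opts: Dict[str, List[str]], key: str) -> Optional[str]:
    vals = opts.get(key)
    return vals[0] if vals else None


def audit(save_output: str) -> List[Tuple[str, str, str]]:
    """Return (kind, chain, detail) findings for the gating pattern."""
    rules = [r for r in map(parse_rule, save_output.splitlines()) if r]
    # Pass 1: names of `recent` lists that a payload match on 443 populates.
    # Two passes because iptables-save emits the nat table before filter,
    # so the consumer of the list can appear before its producer.
    tagged = set()
    for r in rules:
        o = r["opts"]
        mods = set(o.get("m", []))
        if "string" in mods and first(o, "dport") == "443" and "recent" in mods \
                and "set" in o and first(o, "name"):
            tagged.add(first(o, "name"))
    # Pass 2: report the producer, every consumer of a tagged list, and 443 redirects.
    findings: List[Tuple[str, str, str]] = []
    for r in rules:
        o, chain = r["opts"], r["chain"]
        mods = set(o.get("m", []))
        dport, target, name = first(o, "dport"), first(o, "j"), first(o, "name")
        if "string" in mods and dport == "443":
            findings.append(("payload-match-443", chain,
                             first(o, "hex-string") or first(o, "string") or ""))
        if "recent" in mods and ("rcheck" in o or "update" in o) and name in tagged:
            findings.append((f"gated-by-{name}", chain,
                             f"{target} dport={dport} seconds={first(o, 'seconds')}"))
        if target in ("REDIRECT", "DNAT") and dport == "443":
            findings.append(("redirect-443", chain,
                             first(o, "to-ports") or first(o, "to-destination") or ""))
    return findings


if __name__ == "__main__":
    for kind, chain, detail in audit(SAMPLE_SAVE):
        print(f"{kind:20} {chain:12} {detail}")
```

Run it against `iptables-save` (and `ip6tables-save`) captured from the appliance; a payload match on 443 feeding a `recent` list that unlocks a second port, or a nat-table redirect of 443 to a port the product does not document, is not something a vendor appliance ships with and warrants a look at who wrote the rule. Compare against a known-good appliance of the same version to rule out legitimate vendor rules.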
Furthermore, the threat actor has been found replacing old BRICKSTORM binaries with GRIMBOLT in September 2025. While GRIMBOLT also provides a remote shell capability and uses the same command-and-control (C2) as BRICKSTORM, it's not known what prompted the shift to the harder-to-detect malware, and whether it was a planned transition or a response to public disclosures about BRICKSTORM.
"Nation-state threat actors continue targeting systems that don't commonly support EDR solutions, which makes it very hard for victim organizations to know they are compromised and significantly prolongs intrusion dwell times," Carmakal said.
The disclosure comes as Dragos warned of attacks mounted by Chinese groups like Volt Typhoon (aka Voltzite) to compromise Sierra Wireless AirLink gateways in the electric and oil and gas sectors, followed by pivoting to engineering workstations to dump config and alarm data.
The activity, according to the cybersecurity company, took place in July 2025. The hacking crew is said to acquire initial access from Sylvanite, which rapidly weaponizes edge device vulnerabilities before patches are applied and hands off access for deeper operational technology (OT) intrusions.
"Voltzite moved beyond data exfiltration to direct manipulation of engineering workstations investigating what would trigger processes to stop," Dragos said. "This represents the removal of the last practical barrier between having access and causing physical consequences. Cellular gateways create unauthorized pathways into OT networks bypassing traditional security controls."
Update
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), on February 18, 2026, added CVE-2026-22769 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the patch by February 21, 2026.
Update
In a follow-up analysis published on March 5, 2026, Team Cymru shed more light on the C2 infrastructure associated with GRIMBOLT, using an X.509 certificate's subject field value for the IP address 149.248.11[.]71 – CN=WIN-DO6FVJH67FN – to uncover additional IP addresses using the same certificate: 140.82.18[.]134 and 66.42.111[.]219.
"Analysis of these IP addresses revealed that they are also located on the same VPS provider (Vultr) due to their autonomous system number (ASN) being the same in their WHOIS records," security researcher Will Thomas said. "Furthermore, these two additional IP addresses both had the same 3389 (RDP) port open as well."
"The overlap of a cryptographically identical X509 certificate, matching autonomous system (ASN) routing, and correlated open port profiles strongly indicates the use of cloned virtual machine images or an automated provisioning script by the threat actor on a single VPS provider, Vultr."
(The story was updated after publication on March 6, 2026, with new insights from Team Cymru.)