Hackers exploit zero-day flaw in Dell RecoverPoint for Virtual Machines - Cybersecurity Dive
Threat actors linked to China have deployed a novel backdoor, according to researchers.
Published Feb. 17, 2026 • Updated Feb. 18, 2026
David Jones
Reporter
Threat actors are weaponizing a zero-day vulnerability in Dell RecoverPoint for Virtual Machines in a cyberattack campaign that drops a novel backdoor, according to new findings from Mandiant and Google Threat Intelligence Group.
The product allows users to manage backup and disaster recovery for VMware virtual machines.
The vulnerability, listed as CVE-2026-22769, is a hardcoded credential vulnerability that can allow an unauthenticated attacker to gain access to an underlying system and maintain root-level persistence. The vulnerability has a severity score of 10.
A threat actor Google tracks as UNC6201 has been using the flaw in attacks since at least 2024, with the ability to maintain persistent access, move laterally and deploy Brickstorm, Slaystyle and a novel backdoor called Grimbolt.
Brickstorm is a backdoor written in Go that is used to target VMware vCenter servers, according to researchers.
In these newly disclosed attacks, UNC6201 has replaced the Brickstorm malware with Grimbolt, a backdoor that is more difficult to detect.
“This is a C# backdoor compiled using native ahead-of-time compilation, making it harder to reverse engineer,” Charles Carmakal, CTO and board advisor, Mandiant Consulting, said in a LinkedIn post.
Mandiant discovered the vulnerability while investigating multiple instances of Dell RecoverPoint for Virtual Machines within a victim’s environment, according to Austin Larsen, principal threat analyst at GTIG.
Larsen said they are aware of fewer than a dozen impacted organizations, but warned that organizations previously targeted by Brickstorm should check for Grimbolt in their environments.
Dell, meanwhile, is urging customers to upgrade and apply mitigations it has provided in a new advisory.
“We have received a report of limited active exploitation of this vulnerability,” a spokesperson for Dell told Cybersecurity Dive.
The company urged customers to immediately implement one of the remediations detailed in the security advisory.
The Cybersecurity and Infrastructure Security Agency on Wednesday added the CVE-2026-22769 vulnerability to its Known Exploited Vulnerabilities Catalog.
The agency is “actively combating the multi-year Brickstorm threat campaign” through collaboration with government, industry and international partners, according to Nick Andersen, executive assistant director for cybersecurity at CISA.
“Hard coded credentials remain a critical risk and CISA urges all organizations to take decisive steps now to mitigate exposure and prevent compromise,” Andersen told Cybersecurity Dive.
Editor’s note: Updates with comment from CISA.