China-linked APT weaponized Dell RecoverPoint zero-day since 2024

18 February 2026, 09:15

A suspected Chinese state-linked group exploited a critical Dell RecoverPoint flaw (CVE-2026-22769) in zero-day attacks starting mid-2024.

Mandiant and Google’s Threat Intelligence Group (GTIG) reported that a suspected China-linked APT group quietly exploited a critical zero-day flaw in Dell RecoverPoint for Virtual Machines starting in mid-2024.

“Mandiant and Google Threat Intelligence Group (GTIG) have identified the zero-day exploitation of a high-risk vulnerability in Dell RecoverPoint for Virtual Machines, tracked as CVE-2026-22769, with a CVSSv3.1 score of 10.0,” reads the report published by Google. “Analysis of incident response engagements revealed that UNC6201, a suspected PRC-nexus threat cluster, has exploited this flaw since at least mid-2024 to move laterally, maintain persistent access, and deploy malware including SLAYSTYLE, BRICKSTORM, and a novel backdoor tracked as GRIMBOLT.”

The vulnerability, tracked as CVE-2026-22769, involves hardcoded credentials and was abused to gain access to VMware backup systems.

“Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credential vulnerability. This is considered critical as an unauthenticated remote attacker with knowledge of the hardcoded credential could potentially exploit this vulnerability leading to unauthorized access to the underlying operating system and root-level persistence. Dell recommends that customers upgrade or apply one of the remediations as soon as possible,” reads the advisory published by Dell. “Dell has received a report from Google/Mandiant of limited active exploitation of this vulnerability. Dell strongly recommends that customers apply one of the remediations below to address this vulnerability as soon as possible.”

The China-nexus group exploited the bug to move laterally, maintain persistence, and deploy malware such as SLAYSTYLE, BRICKSTORM, and a new C# backdoor, GRIMBOLT. Researchers observed advanced tactics, including stealthy VMware pivoting via “Ghost NICs” and Single Packet Authorization with iptables. Dell has released patches and mitigation guidance.

During investigations into compromised Dell RecoverPoint appliances, Mandiant researchers discovered that attackers replaced BRICKSTORM with a new C# backdoor, GRIMBOLT, in September 2025. GRIMBOLT is compiled using Native AOT and packed with UPX. The malware provides remote shell access and reuses BRICKSTORM’s command-and-control channels.

“It provides a remote shell capability and uses the same command and control as previously deployed BRICKSTORM payload,” continues the report. “It’s unclear if the threat actor’s replacement of BRICKSTORM with GRIMBOLT was part of a pre-planned life cycle iteration by the threat actor or a reaction to incident response efforts led by Mandiant and other industry partners.”

The attackers ensured persistence by modifying a legitimate startup script so the backdoor runs automatically at boot.

While investigating compromised Dell RecoverPoint systems, Mandiant uncovered CVE-2026-22769 after spotting Tomcat Manager access using hardcoded admin credentials. Attackers uploaded a malicious WAR file containing the SLAYSTYLE web shell, gaining root command execution as early as mid-2024. The group also expanded into VMware environments, creating “Ghost NICs” for stealthy lateral movement and using iptables-based Single Packet Authorization to covertly redirect and control traffic on vCenter appliances.

Google released Indicators of Compromise (IOCs) and Yara rules for this campaign.


Pierluigi Paganini

(SecurityAffairs – hacking, Dell RecoverPoint)

CVE-2026-22769: Critical Dell RecoverPoint Zero-Day Exploited in the Wild

18 February 2026, 09:15

CVE-2026-22769 Zero-Day in Dell

SOC Prime has recently covered a wave of actively exploited zero-days across major ecosystems, including Apple’s CVE-2026-20700 and Microsoft’s CVE-2026-20805, alongside a fresh Chrome zero-day case. But the avalanche of threats keeps marching into 2026. Recently, researchers from Mandiant and Google Threat Intelligence Group (GTIG) detailed the active exploitation of CVE-2026-22769, a maximum-severity hardcoded-credential vulnerability in Dell products.

The spotlight is on Dell RecoverPoint for Virtual Machines, a VMware-focused backup and disaster recovery solution that has become the target of an in-the-wild zero-day campaign attributed to suspected China-nexus activity. Tracked with a CVSS score of 10.0, CVE-2026-22769 has reportedly been exploited by the China-linked cluster UNC6201 since at least mid-2024, enabling attackers to establish access and deploy multiple malware families, including BRICKSTORM and GRIMBOLT.

SOC Prime Platform helps security teams close the gap between “a CVE was disclosed” and “we have detection intel.” Sign up now to access the world’s largest detection intelligence dataset, backed by advanced solutions to take your SOC to the next level. Click Explore Detections to reach vulnerability-focused detection content pre-filtered by the “CVE” tag. 

Explore Detections

All rules are compatible with dozens of SIEM, EDR, and Data Lake formats and mapped to MITRE ATT&CK®. Additionally, each rule is enriched with extensive metadata, including CTI references, Attack Flow visualization, triage recommendations, audit configurations, and more.

Security teams can also leverage Uncoder AI to accelerate detection engineering end-to-end by generating rules directly from live threat reports, refining and validating detection logic, converting IOCs into custom hunting queries, and instantly translating detection code across diverse language formats.

CVE-2026-22769 Analysis

In its advisory from February 17, 2026, Dell describes CVE-2026-22769 as a hardcoded credential vulnerability in RecoverPoint for Virtual Machines prior to 6.0.3.1 HF1 and assigns it the highest severity rating. Dell warns that an unauthenticated remote attacker who knows the hardcoded credential could gain unauthorized access to the underlying operating system and even establish root-level persistence.

GTIG and Mandiant’s investigation adds the operational detail behind that impact. Security experts observed activity against the appliance’s Apache Tomcat Manager, including web requests using the admin username that resulted in the deployment of a malicious WAR file containing the SLAYSTYLE web shell. The researchers then traced this back to hardcoded default credentials for the admin user in the Tomcat Manager configuration at /home/kos/tomcat9/tomcat-users.xml. Using those credentials, an attacker could authenticate to Tomcat Manager and deploy a WAR via the /manager/text/deploy endpoint, leading to command execution as root on the appliance.
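One way a defender can hunt for the Manager-deploy activity described here (and in the Security Affairs piece above) is to sweep the appliance's Tomcat access logs for requests to the Manager's deploy endpoints. This is an added example, not code from GTIG, Mandiant, Dell or SOC Prime; it assumes Tomcat's default AccessLogValve pattern ("%h %l %u %t "%r" %s %b"), and the sample log lines are constructed.

```python
import re
from typing import Dict, List

# Tomcat's default AccessLogValve pattern is: %h %l %u %t "%r" %s %b
# i.e. host, logname, authenticated user, timestamp, request line, status, bytes.
ACCESS_LINE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Manager-app endpoints that install a new web application (a WAR) on the server.
DEPLOY_PATHS = ("/manager/text/deploy", "/manager/html/upload", "/manager/html/deploy")


def flag_manager_deploys(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per access-log line that deployed an application
    through the Tomcat Manager, whether or not the request succeeded."""
    hits = []
    for line in lines:
        m = ACCESS_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines or lines in another valve pattern
        # Drop the query string and normalise case before comparing the path.
        path = m.group("target").split("?", 1)[0].lower()
        if path.startswith(DEPLOY_PATHS):
            hits.append({
                "host": m.group("host"),
                "user": m.group("user"),
                "time": m.group("time"),
                "method": m.group("method"),
                "path": path,
                "status": m.group("status"),
            })
    return hits


# Constructed sample log lines (not taken from any report): two deploys by the
# Tomcat Manager "admin" account, one ordinary request, one malformed line.
SAMPLE_LOG = [
    '203.0.113.7 - admin [14/Jun/2024:02:11:09 +0000] "PUT /manager/text/deploy?path=/svc&update=true HTTP/1.1" 200 41',
    '10.0.0.12 - - [14/Jun/2024:02:11:15 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '203.0.113.7 - admin [14/Jun/2024:02:12:40 +0000] "POST /manager/html/upload HTTP/1.1" 200 9120',
    'garbage line that does not match the valve pattern',
]

if __name__ == "__main__":
    for hit in flag_manager_deploys(SAMPLE_LOG):
        print(f"{hit['time']} {hit['host']} user={hit['user']} "
              f"{hit['method']} {hit['path']} -> {hit['status']}")
```

Every hit should be reconciled against change records: a deploy that nobody on the operations team can account for is the point at which to pull the WAR and the appliance's startup scripts for analysis.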

UNC6201 is assessed to have used this foothold for lateral movement, persistence, and malware deployment, with the earliest identified exploitation dating back to mid-2024. The initial access vector was not confirmed in these cases, but GTIG notes UNC6201 is known for targeting edge appliances as an entry point.

The post-compromise tooling also evolved over time. Mandiant reports finding BRICKSTORM binaries and then observing a replacement with GRIMBOLT in September 2025. GRIMBOLT is described as a C# backdoor compiled using native ahead-of-time (AOT) compilation and packed with UPX, providing remote shell capability while using the same C2 as BRICKSTORM. The researchers note it is unclear whether the swap was a planned upgrade or a response to incident response pressure.

The activity did not stop at the RecoverPoint appliance. Mandiant reports that UNC6201 pushed deeper into victims’ virtualized environments by creating temporary virtual network ports on VMware ESXi servers, effectively spinning up hidden network connectivity commonly referred to as “Ghost NICs.” This technique allowed the attackers to move quietly from compromised VMs into broader internal networks and, in some cases, toward SaaS environments.

Researchers also report overlaps between UNC6201 and another China-nexus cluster tracked as UNC5221, known for exploiting Ivanti zero-days and previously linked in reporting to Silk Typhoon, though GTIG notes these clusters are not considered identical.

CVE-2026-22769 Mitigation

Dell’s remediation guidance is clear, but it requires follow-through. For the 6.x line, Dell points customers to upgrade to 6.0.3.1 HF1 or apply the vendor remediation script referenced in the advisory, and it also provides migration/upgrade paths for affected 5.3 service pack builds.

To strengthen coverage beyond patching, rely on the SOC Prime Platform to reach the world’s largest detection intelligence dataset, adopt an end-to-end pipeline that spans detection through simulation while streamlining security operations and speeding up response workflows, reduce engineering overhead, and stay ahead of emerging threats.

FAQ

What is CVE-2026-22769 and how does it work?

CVE-2026-22769 is a critical hardcoded-credential vulnerability in Dell RecoverPoint for Virtual Machines. The flaw allows an unauthenticated remote attacker with knowledge of the hardcoded credential to gain unauthorized access to the underlying operating system and achieve root-level persistence.

When was CVE-2026-22769 first discovered?

Dell published its advisory on February 17, 2026, while GTIG and Mandiant report the earliest identified exploitation activity occurred in mid-2024.

What risks does CVE-2026-22769 pose to organizations?

Successful exploitation can provide remote access to the appliance and enable root-level persistence, which can support malware deployment, stealthy long-term access, and pivoting deeper into VMware and enterprise infrastructure.

Can CVE-2026-22769 still affect me in 2026?

Yes. If RecoverPoint for Virtual Machines is running a vulnerable version prior to 6.0.3.1 HF1, or an affected 5.3 build that has not been upgraded per Dell guidance, the environment can remain exposed.

How can you protect against CVE-2026-22769?

Apply Dell’s remediation immediately by upgrading to 6.0.3.1 HF1 or using the vendor’s remediation script path, then confirm version compliance across all appliances and related management surfaces.



The post CVE-2026-22769: Critical Dell RecoverPoint Zero-Day Exploited in the Wild appeared first on SOC Prime.
