U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Dell RecoverPoint and GitLab flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Dell RecoverPoint and GitLab flaws to its Known Exploited Vulnerabilities (KEV) catalog.

Below are the flaws added to the catalog:

• CVE-2021-22175 (CVSS score 6.8) GitLab Server-Side Request Forgery (SSRF) Vulnerability
• CVE-2026-22769 Dell RecoverPoint for Virtual Machines (RP4VMs) Use of Hard-coded Credentials Vulnerability

The first vulnerability added to the catalog is a server-side request forgery (SSRF) issue in GitLab, tracked as CVE-2021-22175.

“When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab affecting all versions starting from 10.5 was possible to exploit for an unauthenticated attacker even on a GitLab instance where registration is disabled” reads the advisory.

In March 2025, Threat intelligence firm GreyNoise observed Grafana path traversal exploitation attempts before the Server-Side Request Forgery (SSRF) surge on March 9, suggesting that attackers may be leveraging Grafana as an initial entry point for deeper exploitation. One of the vulnerabilities exploited in the attacks observed by the experts is CVE-2020-7796. Most Server-Side Request Forgery exploitation attempts targeted entities in the United States, Germany, Singapore, India, Lithuania, Japan, and Israel.

The experts warned that attackers leverage SSRF for pivoting and reconnaissance and cloud exploitation.

The second flaw added to the KeV catalog is a Dell RecoverPoint for Virtual Machines (RP4VMs) Use of Hard-coded Credentials Vulnerability tracked as CVE-2026-22769. The vulnerability involves hardcoded credentials and was abused to gain access to VMware backup systems.

This week, Mandiant and Google’s Threat Intelligence Group (GTIG) reported that a suspected China-linked APT group quietly exploited a critical zero-day flaw in Dell RecoverPoint for Virtual Machines starting in mid-2024.

“Mandiant and Google Threat Intelligence Group (GTIG) have identified the zero-day exploitation of a high-risk vulnerability in Dell RecoverPoint for Virtual Machines, tracked as CVE-2026-22769, with a CVSSv3.1 score of 10.0.” reads the report published by Google. “Analysis of incident response engagements revealed that UNC6201, a suspected PRC-nexus threat cluster, has exploited this flaw since at least mid-2024 to move laterally, maintain persistent access, and deploy malware including SLAYSTYLE, BRICKSTORM, and a novel backdoor tracked as GRIMBOLT.”

The China-nexus group exploited the bug to move laterally, maintain persistence, and deploy malware such as SLAYSTYLE, BRICKSTORM, and a new C# backdoor, GRIMBOLT. Researchers observed advanced tactics, including stealthy VMware pivoting via “Ghost NICs” and Single Packet Authorization with iptables. Dell has released patches and mitigation guidance.

During investigations into compromised Dell RecoverPoint appliances, Mandiant researchers discovered that attackers replaced BRICKSTORM with a new C# backdoor, GRIMBOLT, in September 2025. GRIMBOLT is compiled using Native AOT and packed with UPX. The malware provides remote shell access and reuses BRICKSTORM’s command-and-control channels.

The attackers ensured persistence by modifying a legitimate startup script so the backdoor runs automatically at boot.

While investigating compromised Dell RecoverPoint systems, Mandiant uncovered CVE-2026-22769 after spotting Tomcat Manager access using hardcoded admin credentials. Attackers uploaded a malicious WAR file containing the SLAYSTYLE web shell, gaining root command execution as early as mid-2024. The group also expanded into VMware environments, creating “Ghost NICs” for stealthy lateral movement and using iptables-based Single Packet Authorization to covertly redirect and control traffic on vCenter appliances.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA urges federal agencies to fix the Dell RecoverPoint flaw by the end of this week, on February 21, while ordering the agencies to address the GitLab issue by March 11, 2026.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)

A suspected Chinese state-linked group exploited a critical Dell RecoverPoint flaw (CVE-2026-22769) in zero-day attacks starting mid-2024.

Mandiant and Google’s Threat Intelligence Group (GTIG) reported that a suspected China-linked APT group quietly exploited a critical zero-day flaw in Dell RecoverPoint for Virtual Machines starting in mid-2024.

“Mandiant and Google Threat Intelligence Group (GTIG) have identified the zero-day exploitation of a high-risk vulnerability in Dell RecoverPoint for Virtual Machines, tracked as CVE-2026-22769, with a CVSSv3.1 score of 10.0.” reads the report published by Google. “Analysis of incident response engagements revealed that UNC6201, a suspected PRC-nexus threat cluster, has exploited this flaw since at least mid-2024 to move laterally, maintain persistent access, and deploy malware including SLAYSTYLE, BRICKSTORM, and a novel backdoor tracked as GRIMBOLT.”

The vulnerability, tracked as CVE-2026-22769, involves hardcoded credentials and was abused to gain access to VMware backup systems.

“Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credential vulnerability. This is considered critical as an unauthenticated remote attacker with knowledge of the hardcoded credential could potentially exploit this vulnerability leading to unauthorized access to the underlying operating system and root-level persistence. Dell recommends that customers upgrade or apply one of the remediations as soon as possible.” reads the advisory published by Dell.”Dell has received a report from Google/Mandiant of limited active exploitation of this vulnerability. Dell strongly recommends that customers apply one of the remediations below to address this vulnerability as soon as possible.”

The China-nexus group exploited the bug to move laterally, maintain persistence, and deploy malware such as SLAYSTYLE, BRICKSTORM, and a new C# backdoor, GRIMBOLT. Researchers observed advanced tactics, including stealthy VMware pivoting via “Ghost NICs” and Single Packet Authorization with iptables. Dell has released patches and mitigation guidance.

During investigations into compromised Dell RecoverPoint appliances, Mandiant researchers discovered that attackers replaced BRICKSTORM with a new C# backdoor, GRIMBOLT, in September 2025. GRIMBOLT is compiled using Native AOT and packed with UPX. The malware provides remote shell access and reuses BRICKSTORM’s command-and-control channels.

“It provides a remote shell capability and uses the same command and control as previously deployed BRICKSTORM payload.” continues the report. “It’s unclear if the threat actor’s replacement of BRICKSTORM with GRIMBOLT was part of a pre-planned life cycle iteration by the threat actor or a reaction to incident response efforts led by Mandiant and other industry partners.”

The attackers ensured persistence by modifying a legitimate startup script so the backdoor runs automatically at boot.

While investigating compromised Dell RecoverPoint systems, Mandiant uncovered CVE-2026-22769 after spotting Tomcat Manager access using hardcoded admin credentials. Attackers uploaded a malicious WAR file containing the SLAYSTYLE web shell, gaining root command execution as early as mid-2024. The group also expanded into VMware environments, creating “Ghost NICs” for stealthy lateral movement and using iptables-based Single Packet Authorization to covertly redirect and control traffic on vCenter appliances.

Google released Indicators of Compromise (IOCs) and Yara rules for this campaign.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Dell RecoverPoint)