Dell RecoverPoint Vulnerability Exploited by Chinese State-Sponsored Hackers

Newly Discovered Zero-Day Vulnerability in Dell’s RecoverPoint for Virtual Machines

A newly discovered zero-day vulnerability in Dell’s RecoverPoint for Virtual Machines has been exploited by a Chinese cyberespionage group since at least mid-2024. The vulnerability, identified as CVE-2026-22769, is a hardcoded credential issue affecting RecoverPoint for Virtual Machines versions prior to 6.0.3.1 HF1.

Vulnerability Details

According to Dell’s advisory, the vulnerability allows an unauthenticated remote attacker with knowledge of the hardcoded credential to gain unauthorized access to the underlying operating system and achieve root-level persistence. The company has advised users to update their installations to the patched version as soon as possible.
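The advisory describes the affected range only as "versions prior to 6.0.3.1 HF1", and hotfix suffixes are where inventory scripts usually get version comparisons wrong (a plain string compare puts "6.0.3.1" and "6.0.3.1 HF1" on equal footing). The following is an added example, not code from Dell or from the article, that parses such strings and flags hosts below the fixed build; the version-string layout ("major.minor.patch.build" followed by an optional "HF<n>") and the sample inventory are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Fixed version as stated in the advisory summary above.
FIXED_VERSION = "6.0.3.1 HF1"

# Assumed format: dotted numeric components, optional "HF<n>" hotfix suffix.
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:HF(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '6.0.3.1 HF1' into a comparable tuple (6, 0, 3, 1, 1).

    The numeric part is padded to four components so '6.1' sorts as
    6.1.0.0; the hotfix number is the fifth component (0 when absent),
    so a base release sorts below its own hotfix.
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    numbers = numbers + (0,) * (4 - len(numbers))
    hotfix = int(match.group(2)) if match.group(2) else 0
    return numbers + (hotfix,)


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is strictly below the fixed one."""
    return parse_version(version) < parse_version(fixed)


def triage_inventory(inventory: Dict[str, str]) -> List[str]:
    """Return the hostnames whose reported version is still affected."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "rp4vm-site-a": "5.3.1",
    "rp4vm-site-b": "6.0.3.1",
    "rp4vm-site-c": "6.0.3.1 HF1",
    "rp4vm-lab": "6.0.3.2",
}

if __name__ == "__main__":
    for host in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is below {FIXED_VERSION}, patch required")
```

Anything that fails to parse raises rather than silently passing, which is the behaviour you want in a compliance check: an unparseable version is an unknown, not a pass.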

Exploitation by UNC6201

The exploitation of the vulnerability has been attributed to a threat actor tracked as UNC6201, which is believed to be linked to China. The group has used the vulnerability for lateral movement, persistence, and malware deployment. This is the first public mention of UNC6201, but researchers have found links to UNC5221, a known China-nexus APT that has been observed dwelling in compromised networks for extended periods to gather valuable information.

GrimBolt Malware

UNC6201 has been observed using a new piece of malware called GrimBolt, a backdoor developed in C# that provides remote shell capabilities. The malware is compiled using native ahead-of-time (AOT) compilation and packed with UPX, making it more difficult to analyze. GrimBolt has been deployed on systems running Dell RecoverPoint for Virtual Machines, along with another malware called BrickStorm, which was previously used by UNC5221.
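Because GrimBolt is described as a native AOT build packed with UPX, a first triage step for a suspicious binary pulled off a RecoverPoint host is to check for the usual UPX footprints before any deeper analysis. The following is an added example written for this article, not code from the researchers or from any vendor; it reads the PE section table with a minimal hand-written parser and looks for UPX's default section names (UPX0/UPX1) and the "UPX!" marker it writes into the file. The sample PE bytes are constructed in the block and are not a real executable, and the specific section names GrimBolt carries are not stated on the page, so this is a generic heuristic, not a GrimBolt signature.

```python
import struct
from typing import Dict, List

# Default section names UPX gives the packed image; a repacker can rename them,
# so treat a miss as "not obviously UPX", not as "clean".
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
UPX_MAGIC = b"UPX!"


def pe_section_names(data: bytes) -> List[bytes]:
    """Return section names from a PE image, or [] if it is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    # COFF header follows the signature: NumberOfSections at +6,
    # SizeOfOptionalHeader at +20; the section table starts after
    # the 24-byte signature+COFF header plus the optional header.
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]  # 40-byte entries, 8-byte name
        if len(raw) < 8:
            break  # truncated file; report what was readable
        names.append(raw.rstrip(b"\0"))
    return names


def upx_indicators(data: bytes) -> Dict[str, object]:
    """Cheap UPX triage: section names plus the 'UPX!' marker string."""
    names = pe_section_names(data)
    upx_sections = sorted(n.decode("ascii", "replace") for n in names if n in UPX_SECTION_NAMES)
    has_magic = UPX_MAGIC in data
    return {
        "sections": [n.decode("ascii", "replace") for n in names],
        "upx_sections": upx_sections,
        "upx_magic": has_magic,
        "likely_upx": bool(upx_sections) or has_magic,
    }


def build_fake_pe(section_names: List[bytes], trailer: bytes = b"") -> bytes:
    """Constructed test image: DOS stub, PE signature, COFF header, section table.

    Not a runnable executable; the optional header is omitted (size 0), which
    the parser above handles because it reads SizeOfOptionalHeader.
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, 0, 0)
    sections = b"".join(name.ljust(8, b"\0") + bytes(32) for name in section_names)
    return bytes(dos) + b"PE\0\0" + coff + sections + trailer


if __name__ == "__main__":
    packed = build_fake_pe([b"UPX0", b"UPX1", b".rsrc"], trailer=b"\0UPX!\0")
    clean = build_fake_pe([b".text", b".rdata", b".data"])
    print("packed sample:", upx_indicators(packed))
    print("clean sample: ", upx_indicators(clean))
```

Both checks are heuristics: renamed sections or a scrubbed marker defeat them, so a negative result is only a reason to move on to entropy or import-table checks, not a clean bill of health.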

Initial Access and Stealthy Tactics

The initial access method used by UNC6201 is still unknown, but researchers believe that edge appliances may be a likely vector. The group has also created “ghost NICs” on virtual machines, which are deleted after use, making the attack more stealthy and difficult to investigate.

Mandiant CTO Charles Carmakal noted that nation-state threat actors continue to target systems that don’t commonly support endpoint detection and response (EDR) solutions, making it challenging for victim organizations to detect compromises and prolonging intrusion dwell times.

Indicators of Compromise and Recommendations

Indicators of compromise (IoCs) have been made available to help defenders detect potential attacks. Researchers have warned that the exploitation of this vulnerability highlights the importance of keeping systems up to date with the latest security patches and monitoring for suspicious activity.
