Dell RecoverPoint for VMs Vulnerability Exploited by China-Linked UNC6201 Since Mid-2024


Critical Vulnerability in Dell RecoverPoint for Virtual Machines Exploited by China-Linked Threat Actor

A critical vulnerability in Dell RecoverPoint for Virtual Machines has been exploited by China-linked threat actor UNC6201 since mid-2024. The bug, tracked as CVE-2026-22769, carries a maximum severity rating of 10.0 on the CVSS scale.

Exploitation and Malware Deployment

According to the Google Threat Intelligence Group (GTIG), UNC6201 leveraged the vulnerability to deploy a new version of the Brickstorm backdoor malware, now referred to as Grimbolt.

Grimbolt uses “ghost NICs” on virtual machines to evade detection. This tactic lets the malware carry out its activity without being easily tied to an identifiable host.

Ghost NICs also complicate investigations: because they can be deleted afterwards, responders are left with only suspicious network activity originating from IP addresses that no longer map to any existing interface.
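One way a defender can surface the residue described above is to correlate network flow records against hypervisor inventory snapshots over time, flagging traffic from addresses that were once assigned to a VM NIC but no longer are, and separately traffic from addresses never seen in inventory. The snippet below is an added illustration, not code from GTIG or Dell; the snapshot format, flow format and all IP addresses are constructed for the example.

```python
from datetime import datetime

# Constructed hypervisor inventory snapshots: (taken_at, {(vm_name, ip), ...}).
# In the second snapshot the NIC holding 10.0.5.99 has been removed from vm-app01.
INVENTORY = [
    ("2024-07-01T00:00:00", {("vm-app01", "10.0.5.11"), ("vm-db01", "10.0.5.12"),
                             ("vm-app01", "10.0.5.99")}),
    ("2024-07-02T00:00:00", {("vm-app01", "10.0.5.11"), ("vm-db01", "10.0.5.12")}),
]

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port).
FLOWS = [
    ("2024-07-01T10:00:00", "10.0.5.11", "10.0.5.12", 5432),   # normal app -> db
    ("2024-07-01T11:00:00", "10.0.5.99", "203.0.113.7", 443),  # NIC still present
    ("2024-07-02T03:00:00", "10.0.5.99", "203.0.113.7", 443),  # NIC gone: ghost
    ("2024-07-02T04:00:00", "10.0.5.77", "203.0.113.7", 443),  # never in inventory
]


def inventory_at(snapshots, ts):
    """Return the newest snapshot taken at or before ts, or None if none exists."""
    when = datetime.fromisoformat(ts)
    candidates = [s for s in snapshots if datetime.fromisoformat(s[0]) <= when]
    return max(candidates, key=lambda s: s[0])[1] if candidates else None


def ip_history(snapshots):
    """Map each IP that ever appeared in inventory to the set of VMs that held it."""
    history = {}
    for _, entries in snapshots:
        for vm, ip in entries:
            history.setdefault(ip, set()).add(vm)
    return history


def find_ghost_flows(snapshots, flows):
    """Split flows from non-current source IPs into 'ghost' (formerly assigned) and 'unknown'."""
    ghosts, unknown = [], []
    history = ip_history(snapshots)
    for ts, src, dst, port in flows:
        current = inventory_at(snapshots, ts)
        if current is None or src in {ip for _, ip in current}:
            continue  # no baseline yet, or the source is a live interface
        finding = {"time": ts, "src": src, "dst": dst, "port": port}
        if src in history:
            finding["former_vms"] = sorted(history[src])  # candidate ghost NIC
            ghosts.append(finding)
        else:
            unknown.append(finding)
    return ghosts, unknown
```

A flow from a formerly assigned address is the pattern worth escalating: pull the VM's change history and hypervisor audit logs for the window when the NIC disappeared.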

Vulnerability Details

The vulnerability exploited by UNC6201 is a hardcoded administrator password in the Apache Tomcat instance bundled with the Dell backup appliance.

This hardcoded credential enables an unauthenticated remote attacker to gain root-level access and establish persistent control.

The vulnerability is particularly concerning because the access it grants is root-level, and because that access can be maintained over the long term.

Recommendations and Consequences

Dell has released patches for the vulnerability, which security experts urge organizations to apply immediately.

The patches remove the hardcoded credential and close the path UNC6201 used for exploitation.

Organizations should also ensure that RecoverPoint is deployed only within trusted, segmented internal networks.

The targeting of backup and disaster recovery platforms like Dell RecoverPoint reflects a deliberate and knowledgeable approach by threat actors.

Access to this layer can provide deep visibility into infrastructure architecture and replicated data sets, making it a high-value target.

The exploitation of this vulnerability highlights the risks associated with hardcoded credentials in infrastructure software.

When these secrets exist in systems designed to protect an organization’s most critical recovery capabilities, they can create significant risk.

Security teams must treat backup infrastructure as Tier 0 assets and apply patches immediately to prevent compromise.

Conclusion

The use of ghost NICs and stealthy backdoors like Grimbolt and Brickstorm amplifies the danger posed by UNC6201.

This “low-and-slow” approach ensures that even if a primary breach is detected, what an organization believes is a “known good” backup may already be compromised.

Backup and recovery tools like Dell RecoverPoint are attractive targets for attackers because they store important data from multiple systems in one place.

Attackers who gain access to these systems can delete company backups, encrypt them, or steal data.

This can have devastating consequences for organizations, including prolonged intrusion dwell times and significant financial losses.

Response and Recommendations

In response to this vulnerability, organizations should immediately apply Dell’s remediation, tightly restrict access to recovery appliances, and validate backup integrity.

This is a Tier 0 incident that requires immediate attention to prevent compromise and ensure the ability to recover from ransomware or destructive attacks.
