Dell RecoverPoint for VMs Zero-Day Vulnerability CVE-2026-22769 Exploited Since Mid-2024


Critical Vulnerability in Dell’s RecoverPoint for Virtual Machines Actively Exploited by China-Linked Threat Group

A critical vulnerability in Dell’s RecoverPoint for Virtual Machines has been actively exploited by a suspected China-linked threat group since mid-2024. The flaw, tracked as CVE-2026-22769, carries a maximum severity rating and affects versions prior to 6.0.3.1 HF1.

Vulnerability Details

According to a joint report from Google Mandiant and the Google Threat Intelligence Group, the vulnerability involves hard-coded credentials in the Apache Tomcat Manager instance. This allows an unauthenticated remote attacker to gain unauthorized access to the underlying operating system and achieve root-level persistence.

The issue affects several versions of RecoverPoint for Virtual Machines, including 5.3 SP4 P1, 6.0, 6.0 SP1, 6.0 SP1 P1, 6.0 SP1 P2, 6.0 SP2, 6.0 SP2 P1, 6.0 SP3, and 6.0 SP3 P1. Dell recommends upgrading to version 6.0.3.1 HF1 to remediate the vulnerability.

Threat Group and Tactics

Google’s analysis reveals that the threat group, dubbed UNC6201, has exploited the vulnerability to upload a web shell named SLAYSTYLE via the “/manager/text/deploy” endpoint. This enables the attackers to execute commands as root on the appliance and deploy the BRICKSTORM backdoor, as well as its newer version, GRIMBOLT.
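Because the reported activity runs through the Tomcat Manager's text interface, the Tomcat access log is one of the few records such an appliance keeps of it. The following is an added example for defenders, not code from Dell, Google or the report: it parses Tomcat access-log lines in the default AccessLogValve format and flags any request to the Manager's deploy/undeploy endpoints, plus any Manager access from a host outside an administrative allowlist. The log lines, the `ADMIN_SOURCES` allowlist and the list of watched paths are constructed assumptions for the demonstration.

```python
import re
import sys
from typing import Dict, List

# Tomcat AccessLogValve default pattern: %h %l %u %t "%r" %s %b
ACCESS_LINE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Manager paths that install or remove web applications; any hit deserves review.
MANAGER_DEPLOY_PATHS = (
    "/manager/text/deploy",
    "/manager/text/undeploy",
    "/manager/html/upload",
)

# Hosts expected to use the Manager app (hypothetical allowlist for this example).
ADMIN_SOURCES = {"10.0.0.5"}


def find_suspicious_manager_requests(lines: List[str]) -> List[Dict[str, str]]:
    """Return Manager-app requests that hit a deploy endpoint or come from an unexpected host."""
    findings = []
    for line in lines:
        m = ACCESS_LINE.match(line)
        if not m:
            continue  # not an access-log line in the expected format
        path = m.group("path").split("?", 1)[0]  # drop the query string for matching
        if not path.startswith("/manager/"):
            continue
        reasons = []
        if any(path.startswith(p) for p in MANAGER_DEPLOY_PATHS):
            reasons.append("deploy/undeploy endpoint")
        if m.group("src") not in ADMIN_SOURCES:
            reasons.append("source not in admin allowlist")
        if not reasons:
            continue  # routine Manager use from an approved host
        findings.append({
            "src": m.group("src"),
            "ts": m.group("ts"),
            "method": m.group("method"),
            "path": m.group("path"),
            "status": m.group("status"),
            "reason": "; ".join(reasons),
        })
    return findings


# Constructed sample log (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = """\
10.0.0.5 - admin [11/Jun/2024:09:00:01 +0000] "GET /manager/text/list HTTP/1.1" 200 212
203.0.113.7 - - [12/Jun/2024:03:14:07 +0000] "PUT /manager/text/deploy?path=/ws HTTP/1.1" 200 47
10.0.0.5 - admin [12/Jun/2024:08:30:00 +0000] "PUT /manager/text/deploy?path=/app HTTP/1.1" 200 47
203.0.113.7 - - [12/Jun/2024:03:20:00 +0000] "GET /manager/html HTTP/1.1" 401 2400
"""


if __name__ == "__main__":
    # Read a real log from stdin if one is piped in, otherwise use the sample.
    source = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    for hit in find_suspicious_manager_requests(source):
        print(f'{hit["ts"]} {hit["src"]} {hit["method"]} {hit["path"]} -> {hit["status"]}  [{hit["reason"]}]')
```

Failed requests (such as the 401) are reported as well, since repeated attempts against the Manager are themselves worth a look; narrow the status filter once the baseline of legitimate administrative use is known.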

GRIMBOLT is a C# backdoor that uses native ahead-of-time (AOT) compilation, making it harder to reverse engineer. The malware provides a remote shell capability and uses the same command-and-control (C2) infrastructure as BRICKSTORM.

UNC6201’s tactics, techniques, and procedures (TTPs) show overlaps with another China-linked espionage cluster, UNC5221. However, the two groups are currently assessed to be distinct. Notably, the use of BRICKSTORM has also been linked to a third China-aligned adversary, Warp Panda.

Attack Vectors and Targets

The attackers have been observed using temporary virtual network interfaces, referred to as “Ghost NICs,” to pivot from compromised virtual machines into internal or SaaS environments. They then delete these NICs to cover their tracks and impede investigation efforts.

The threat group has targeted organizations across North America, with GRIMBOLT incorporating features to better evade detection and minimize forensic traces on infected hosts. Google notes that the use of BRICKSTORM and GRIMBOLT allows the attackers to remain undetected for extended periods, as the targeted appliances often lack traditional endpoint detection and response (EDR) agents.

The initial access vector used by UNC6201 remains unclear, but the group is known to target edge appliances to break into target networks. An analysis of compromised VMware vCenter appliances has revealed the execution of iptables commands via a web shell to perform specific actions, including monitoring incoming traffic and silently redirecting it to a different port.
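Port redirection of the kind described above is performed with nat-table rules, so a quick way to audit an appliance is to compare its `iptables-save` output against the rule set it is supposed to carry. The following is an added example for defenders, not code from the report or from VMware or Dell: it parses `iptables-save` output, extracts every rule, and flags nat-table `REDIRECT`/`DNAT` rules that are not in an approved baseline. The sample rule set and the `EXPECTED_NAT_RULES` baseline are constructed for the demonstration; the baseline on a real appliance should come from a known-good install.

```python
import shlex
import subprocess
from typing import Dict, List, Set

# nat-table targets that rewrite the destination of incoming traffic.
NAT_REDIRECT_TARGETS = {"REDIRECT", "DNAT"}


def parse_iptables_save(text: str) -> List[Dict[str, str]]:
    """Return every '-A' rule in iptables-save output with its table, chain and key options."""
    rules = []
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):          # '*nat', '*filter': start of a table block
            table = line[1:]
            continue
        if not line.startswith("-A "):    # skip chain policies, COMMIT and comments
            continue
        argv = shlex.split(line)
        rule = {"table": table, "chain": argv[1], "raw": line, "target": None,
                "proto": None, "dport": None, "to": None, "iface": None}
        i = 2
        while i < len(argv):
            opt = argv[i]
            val = argv[i + 1] if i + 1 < len(argv) else None
            if opt == "-j":
                rule["target"] = val
                i += 2
            elif opt == "-p":
                rule["proto"] = val
                i += 2
            elif opt == "--dport":
                rule["dport"] = val
                i += 2
            elif opt in ("--to-ports", "--to-destination", "--to"):
                rule["to"] = val
                i += 2
            elif opt == "-i":
                rule["iface"] = val
                i += 2
            elif opt == "-m":
                i += 2                    # match extension name; its options follow
            else:
                i += 1                    # any other token: skip it
        rules.append(rule)
    return rules


def find_port_redirects(text: str, baseline: Set[str]) -> List[Dict[str, str]]:
    """Flag nat-table rules that rewrite destination ports and are not in the approved baseline."""
    return [r for r in parse_iptables_save(text)
            if r["table"] == "nat" and r["target"] in NAT_REDIRECT_TARGETS
            and r["raw"] not in baseline]


# Constructed iptables-save output (not captured from a real appliance).
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 127.0.0.1:4443
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# Rules the appliance is expected to carry (hypothetical baseline for this example).
EXPECTED_NAT_RULES = {"-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080"}


if __name__ == "__main__":
    # On a live host run the real dump; fall back to the constructed sample elsewhere.
    try:
        dump = subprocess.run(["iptables-save"], capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        dump = SAMPLE_IPTABLES_SAVE
    for r in find_port_redirects(dump, EXPECTED_NAT_RULES):
        print(f'unexpected {r["target"]} in {r["table"]}/{r["chain"]}: '
              f'{r["proto"]} dport {r["dport"]} -> {r["to"]} (iface {r["iface"]})')
```

Comparing raw rule strings against a baseline is deliberately strict: any change to an approved rule, not only a brand-new one, surfaces for review. Because the page notes that the rules were applied from a web shell, the dump should be taken from the running kernel rather than from the appliance's persisted firewall configuration, which may not reflect them.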

In September 2025, the threat actors replaced old BRICKSTORM binaries with GRIMBOLT, although the reason for this shift is unknown. GRIMBOLT provides a remote shell capability and uses the same C2 infrastructure as BRICKSTORM, but its use of AOT compilation makes it harder to detect.

Nation-State Threat Actors

Nation-state threat actors continue to target systems that don’t commonly support EDR solutions, making it challenging for victim organizations to detect compromises and prolonging intrusion dwell times.
