Dell RecoverPoint Vulnerability Exploited by China-Linked Hackers to Spread GrimBolt Malware


A Critical Vulnerability in Dell RecoverPoint Software Exploited by China-Linked Hackers

A critical flaw in Dell’s RecoverPoint replication software has been exploited by a China-linked threat actor to gain administrative access to affected systems and, from there, to the networks they serve.

The Vulnerability

The vulnerability, tracked as CVE-2026-22769, is a set of hardcoded credentials that grant administrative access to the software’s management interface. Because the credentials are baked into the product, they are identical on every installation: anyone who recovers them from one copy can authenticate to any reachable instance, with no exploit code required.

Exploitation by Hackers

According to researchers from Google’s Threat Intelligence Group (GTIG) and Mandiant, a threat actor tracked as UNC6201 has been exploiting this flaw since mid-2024.

The attackers log in with the hardcoded credentials and execute commands with elevated privileges, which lets them move laterally through the network and install additional malware.

UNC6201 initially deployed a custom backdoor called BrickStorm; in September 2025 it began shifting to a newer strain named GrimBolt.

GrimBolt is built to evade detection and resist analysis. It functions as a backdoor that lets the attackers regain access to a compromised host without being noticed.

Tactics Used by Hackers

In one intrusion the actor used a technique known as Ghost NICs: short-lived virtual network interfaces, created on demand and removed afterwards, used to move through the network while leaving little trace in the host’s persistent configuration.

They also modified the software’s startup scripts so that the malware is relaunched at every boot and persists indefinitely.
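The persistence technique above is the kind of change a baseline comparison of boot-time scripts catches. The following is an added example, not tooling from Dell, GTIG or Mandiant: it hashes and snapshots the startup scripts of a Linux host, then reports files that were modified, added or removed, and for modified files the lines that were spliced in. The directory layout (rc.local, init.d scripts, systemd unit files), the "replication" service and the /var/tmp/.cache/svc launcher line are all constructed for the demonstration and are not RecoverPoint paths; in practice the baseline is taken from a known-good image and kept off the host.

```python
"""
Baseline-and-compare check for tampered startup scripts.

Added example, not tooling from Dell, GTIG or Mandiant. The file layout is
constructed in a temporary directory to stand in for boot-time scripts on a
Linux appliance (rc.local, init.d scripts, systemd unit files); the paths,
the "replication" service and the /var/tmp/.cache/svc persistence line are
invented for the demonstration.
"""
from __future__ import annotations

import difflib
import hashlib
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Relative glob patterns for files that run at boot (assumed layout)
STARTUP_PATTERNS = ("rc.local", "init.d/*", "systemd/system/*.service")


@dataclass
class Baseline:
    hashes: dict[str, str] = field(default_factory=dict)  # relpath -> sha256
    text: dict[str, str] = field(default_factory=dict)    # relpath -> content


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root: Path) -> Baseline:
    """Record hash and content of every startup script under root."""
    b = Baseline()
    for pattern in STARTUP_PATTERNS:
        for p in sorted(root.glob(pattern)):
            if p.is_file():
                rel = p.relative_to(root).as_posix()
                b.hashes[rel] = sha256_file(p)
                b.text[rel] = p.read_text()
    return b


def added_lines(old: str, new: str) -> list[str]:
    """Lines present in new but not in old, for quick triage of a modified file."""
    diff = difflib.unified_diff(old.splitlines(), new.splitlines(), lineterm="")
    return [line[1:] for line in diff if line.startswith("+") and not line.startswith("+++")]


def check_against_baseline(root: Path, baseline: Baseline) -> dict:
    """Report startup scripts modified, added or removed since the baseline was taken."""
    current = take_baseline(root)
    modified = sorted(k for k in baseline.hashes
                      if k in current.hashes and current.hashes[k] != baseline.hashes[k])
    return {
        "modified": modified,
        "added": sorted(k for k in current.hashes if k not in baseline.hashes),
        "removed": sorted(k for k in baseline.hashes if k not in current.hashes),
        "injected": {k: added_lines(baseline.text[k], current.text[k]) for k in modified},
    }


def demo() -> dict:
    """Constructed scenario: clean baseline, then a spliced-in command and a new unit file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "init.d").mkdir()
        (root / "systemd" / "system").mkdir(parents=True)
        (root / "rc.local").write_text("#!/bin/sh\n/usr/local/bin/start-replication\nexit 0\n")
        (root / "init.d" / "networking").write_text("#!/bin/sh\n# bring up interfaces\n")
        (root / "systemd" / "system" / "replication.service").write_text(
            "[Service]\nExecStart=/usr/local/bin/replication\n")
        baseline = take_baseline(root)

        # Simulated tampering of the kind described in the article (constructed):
        # an implant launcher spliced in before 'exit 0', plus a new unit file.
        rc = root / "rc.local"
        rc.write_text(rc.read_text().replace("exit 0", "/var/tmp/.cache/svc &\nexit 0"))
        (root / "systemd" / "system" / "updater.service").write_text(
            "[Service]\nExecStart=/var/tmp/.cache/svc\n")
        return check_against_baseline(root, baseline)


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

Hashes alone tell you that a file changed; keeping the baseline text as well is what makes the injected line visible at triage time. On a real host the baseline should be compared from a trusted system (or from a mounted, offline copy of the disk), since an attacker with administrative access can alter both the scripts and any checker that runs locally.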

Mitigation and Recommendations

Dell rates the vulnerability critical, with a CVSS score of 10.0, the maximum. Its security advisory DSA-2026-079 urges customers to update immediately.

The fix is to update to version 6.0.3.1 HF1 or later.

Where an immediate update is not possible, Dell provides a security script to run as an interim measure, and the management interface should be reachable only from a protected internal network. Restricting network access reduces exposure but does not remove the credentials. And because exploitation predates the fix, updating does not evict an attacker who is already present: instances that were reachable before the update should be examined for the persistence techniques described above.

Industry Concerns

Industry experts have noted the strategic nature of these attacks: the actor is deliberately targeting the backup and replication control plane.

Control of that layer lets an attacker influence what gets restored and when, so neither the integrity of recovered data nor the organization’s ability to recover at all can be taken for granted.

Prevention and Best Practices

Hardcoded credentials usually trace back to a mistake during development: developers embed fixed credentials to speed up testing and fail to remove them before release.

Once shipped, such a secret is effectively public, since it can be extracted from any copy of the product, as the Dell RecoverPoint vulnerability demonstrates.

Organizations should therefore insist on secure coding practices and on release checks that scan for embedded secrets, and vendors should make per-installation credentials, set during initial setup, the default.

Regular security audits and prompt patching remain essential against threat actors of this caliber.
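What a release check for this flaw class looks like, as an added example that is not Dell’s code or tooling: two constructed snippets, one with a fixed administrative password compiled into the program and one that loads a per-installation secret at deploy time and compares it in constant time, plus a small regex scanner of the kind a CI job runs over every commit. The scanner flags the first snippet and not the second, and also skips templated values such as `${DB_PASSWORD}` and obvious placeholders, so it generalizes beyond the Python case to YAML- and JSON-style `password: "..."` lines. The environment variable names MGMT_ADMIN_* are invented.

```python
"""
Pre-release check for hardcoded credentials.

Added example, not Dell's code or tooling. Both snippets are constructed:
VULNERABLE_SNIPPET shows the flaw class described in the article (a fixed
administrative password compiled into the program); HARDENED_SNIPPET shows
the corrected shape (per-installation secret supplied at deploy time,
compared in constant time). The MGMT_ADMIN_* names are invented.
"""
from __future__ import annotations

import re

VULNERABLE_SNIPPET = '''
# Constructed: the same credentials ship in every installation
ADMIN_USER = "admin"
ADMIN_PASSWORD = "sup3rs3cret!"      # TODO remove before release

def authenticate(user, password):
    return user == ADMIN_USER and password == ADMIN_PASSWORD
'''

HARDENED_SNIPPET = '''
import hashlib, hmac, os

def authenticate(user, password):
    # Constructed: per-installation values set during initial setup and
    # injected at deploy time; nothing secret lives in the source tree.
    expected_user = os.environ["MGMT_ADMIN_USER"]
    salt = bytes.fromhex(os.environ["MGMT_ADMIN_PASSWORD_SALT"])
    expected = bytes.fromhex(os.environ["MGMT_ADMIN_PASSWORD_PBKDF2"])
    given = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return (hmac.compare_digest(user.encode(), expected_user.encode())
            and hmac.compare_digest(given, expected))
'''

# Identifier fragments that usually name a secret
SECRET_NAME = r"(?:pass(?:word|wd)?|secret|api[_-]?key|token|private[_-]?key)"
# A secret-looking identifier assigned a quoted literal: password = "..." or password: "..."
ASSIGN_LITERAL = re.compile(
    r"(?i)\b(?P<name>\w*" + SECRET_NAME + r"\w*)\s*[:=]\s*(?P<q>['\"])(?P<value>[^'\"]{4,})(?P=q)"
)
# Values that are clearly filled in later rather than real secrets
PLACEHOLDERS = {"changeme", "password", "xxxx", "<password>", "example", "redacted"}


def scan_source(text: str, filename: str = "<memory>") -> list[dict]:
    """Return one finding per line that assigns a literal to a secret-looking name."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ASSIGN_LITERAL.search(line)
        if not m:
            continue
        value = m.group("value")
        if value.lower() in PLACEHOLDERS or "${" in value or "{{" in value:
            continue  # templated or placeholder value, substituted at deploy time
        findings.append({"file": filename, "line": lineno,
                         "name": m.group("name"), "value": value})
    return findings


def demo() -> tuple[list[dict], list[dict]]:
    """Scan the constructed vulnerable and hardened snippets."""
    return scan_source(VULNERABLE_SNIPPET, "vuln.py"), scan_source(HARDENED_SNIPPET, "fixed.py")


if __name__ == "__main__":
    vuln, fixed = demo()
    for f in vuln:
        print(f"{f['file']}:{f['line']}: hardcoded credential in {f['name']}")
    print(f"hardened snippet findings: {len(fixed)}")
```

A regex check of this kind is a gate, not a guarantee: it will miss secrets assembled at runtime or stored in binary resources, so it belongs alongside a review of how an installation receives its initial administrative credentials. The hardened form matters for the same reason the Dell case does: with a per-installation secret, recovering one appliance’s credentials gives nothing against any other.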
