CISA Orders Federal Agencies to Patch Critical Dell Vulnerability Within 72 Hours
#Vulnerabilities

Security Reporter

CISA mandates federal agencies to patch a maximum-severity Dell RecoverPoint vulnerability (CVE-2026-22769) within three days, following confirmed exploitation by a Chinese state-linked group deploying novel Grimbolt malware.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has mandated federal agencies to patch a critical vulnerability in Dell's RecoverPoint systems within 72 hours, responding to confirmed exploitation by a sophisticated Chinese threat actor. Tracked as CVE-2026-22769, this maximum-severity flaw involves hardcoded credentials in Dell's RecoverPoint appliance, which organizations use for VMware virtual machine backup and recovery operations.

Security researchers from Mandiant and Google Threat Intelligence Group (GTIG) confirmed the vulnerability has been actively exploited since mid-2024 by UNC6201, a suspected Chinese state-backed group. After initial access, attackers deploy multiple payloads including SLAYSTYLE, BRICKSTORM, and a newly identified backdoor called GRIMBOLT. According to Mandiant's analysis, GRIMBOLT employs advanced compilation techniques that significantly complicate reverse engineering compared to its predecessor BRICKSTORM.

UNC6201 switched from BRICKSTORM to GRIMBOLT in September 2025. Researchers note this could represent either a planned capability upgrade or a direct response to defensive actions by Mandiant and industry partners. GTIG also identified operational overlaps between UNC6201 and Silk Typhoon (UNC5221), another Chinese cyberespionage group known for exploiting Ivanti zero-days against U.S. government targets including the Treasury Department and Committee on Foreign Investment.

CISA added CVE-2026-22769 to its Known Exploited Vulnerabilities catalog on February 18, 2026, invoking Binding Operational Directive 22-01 to compel Federal Civilian Executive Branch agencies to implement patches by February 21. "These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA stated in its advisory.

Practical mitigation guidance:

  1. Federal agencies must immediately apply Dell's security update for RecoverPoint appliances
  2. Organizations should audit all RecoverPoint instances for signs of compromise, focusing on unexpected processes and network connections
  3. If patching isn't feasible, CISA recommends discontinuing product use or implementing strict network segmentation
  4. Security teams should review Mandiant's published indicators of compromise for GRIMBOLT and related malware
  5. Multi-factor authentication should be enforced on all administrative interfaces

This directive follows CISA's recent three-day patching deadline for a BeyondTrust Remote Support vulnerability (CVE-2026-1731), reflecting an accelerated response framework for high-risk flaws. Private sector organizations using Dell RecoverPoint should treat this with equal urgency given the confirmed exploitation timeline and malware deployment patterns.
