Dell RecoverPoint for VMs zero-day CVE-2026-22769, exploited by China-linked UNC6201 since mid-2024, allows unauthenticated remote access via hardcoded credentials, enabling deployment of BRICKSTORM and GRIMBOLT backdoors.
A critical zero-day vulnerability in Dell RecoverPoint for Virtual Machines has been actively exploited by a suspected China-nexus threat cluster since mid-2024, according to a joint report from Google Mandiant and Google Threat Intelligence Group (GTIG). The vulnerability, tracked as CVE-2026-22769 with a CVSS score of 10.0, involves hardcoded credentials that allow unauthenticated remote attackers to gain root-level access to affected systems.
The Vulnerability and Its Impact
The flaw affects Dell RecoverPoint for VMs versions prior to 6.0.3.1 HF1, specifically versions 5.3 SP4 P1, 6.0 through 6.0 SP3 P1, and earlier 5.3 SP releases. Dell has confirmed that RecoverPoint Classic products are not vulnerable to this issue.
"This is considered critical as an unauthenticated remote attacker with knowledge of the hardcoded credential could potentially exploit this vulnerability, leading to unauthorized access to the underlying operating system and root-level persistence," Dell stated in their security bulletin.
Exploitation Chain and Malware Deployment
The exploitation involves leveraging the hardcoded "admin" credential for the Apache Tomcat Manager instance. Attackers authenticate to the Dell RecoverPoint Tomcat Manager, upload a web shell named SLAYSTYLE via the "/manager/text/deploy" endpoint, and execute commands as root on the appliance.
This process enables the deployment of the BRICKSTORM backdoor and its newer variant, GRIMBOLT. According to Mandiant's Charles Carmakal, "This is a C# backdoor compiled using native ahead-of-time (AOT) compilation, making it harder to reverse engineer."
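Because the intrusion starts with an authenticated request to the Tomcat Manager's deployment endpoint, the appliance's own Tomcat access log is one of the few places a defender can see it. The following script is an added example (not from the article, Dell, or Mandiant) that flags deployment requests in a Tomcat `AccessLogValve` log written in the standard combined format. The log lines are constructed; the extra Manager paths beyond `/manager/text/deploy` are assumed from Tomcat's documented Manager interface.

```python
"""Flag Tomcat Manager deployment requests in a combined-format access log.

Added example, not from the article or from Dell/Mandiant tooling. It assumes
Tomcat's default AccessLogValve "combined" layout; the log lines below are
constructed for illustration.
"""
import re
from collections import Counter

# Tomcat combined access-log format (AccessLogValve pattern="combined").
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Manager endpoints that change the set of deployed applications. The text
# interface is the one the article names; the other two are assumed from
# Tomcat's documented Manager application and have the same effect.
DEPLOY_PATHS = ("/manager/text/deploy", "/manager/html/upload", "/manager/text/undeploy")

# Constructed sample log: one normal UI request, one WAR deployment through the
# text interface, one request to the freshly deployed context, one failed
# Manager login.
SAMPLE_LOG = """\
10.0.5.20 - - [12/Mar/2026:09:14:02 +0000] "GET /RecoverPoint/ HTTP/1.1" 200 4211 "-" "Mozilla/5.0"
203.0.113.45 - admin [12/Mar/2026:09:15:30 +0000] "PUT /manager/text/deploy?path=/x&update=true HTTP/1.1" 200 88 "-" "curl/8.4.0"
203.0.113.45 - - [12/Mar/2026:09:15:41 +0000] "POST /x/index.jsp HTTP/1.1" 200 15 "-" "curl/8.4.0"
10.0.5.21 - - [12/Mar/2026:09:16:00 +0000] "GET /manager/html HTTP/1.1" 401 2473 "-" "Mozilla/5.0"
"""

def parse(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_deployments(log_text):
    """Return (src, user, path, status) for every request to a deploy endpoint."""
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec:
            continue
        path = rec["path"].split("?", 1)[0]   # drop the query string before matching
        if path.startswith(DEPLOY_PATHS):
            hits.append((rec["src"], rec["user"], rec["path"], int(rec["status"])))
    return hits

def successful_deploy_sources(log_text):
    """Count, per source IP, deployments the server answered with HTTP 2xx."""
    return Counter(src for src, _u, _p, st in find_deployments(log_text) if 200 <= st < 300)

if __name__ == "__main__":
    for hit in find_deployments(SAMPLE_LOG):
        print("deploy request:", hit)
    print("sources with successful deploys:", dict(successful_deploy_sources(SAMPLE_LOG)))
```

On an appliance where nobody is expected to deploy applications, any successful hit is worth an alert; the same parser can be pointed at the archived logs to check whether a deployment preceded the first appearance of an unknown context path.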
Attack Infrastructure and Persistence
Google's analysis reveals that the threat actor, tracked as UNC6201, has targeted organizations across North America. The group employs sophisticated techniques to maintain persistence and evade detection:
- Ghost NICs: Temporary virtual network interfaces used to pivot from compromised virtual machines into internal or SaaS environments
- Forensic obfuscation: Deletion of these NICs after use to cover tracks and impede investigation
- EDR evasion: Targeting appliances that typically lack traditional endpoint detection and response agents
Malware Evolution
The threat actor has demonstrated continuous improvement in their tooling. In September 2025, UNC6201 replaced old BRICKSTORM binaries with GRIMBOLT, which incorporates enhanced features for better evasion:
- Improved blending with the system's native files
- Remote shell capability
- Same command-and-control infrastructure as BRICKSTORM
- AOT compilation making reverse engineering more difficult
Network Manipulation Techniques
Analysis of compromised VMware vCenter appliances has uncovered sophisticated iptables command usage through the web shell:
- Monitoring incoming traffic on port 443 for specific hex strings
- Adding the source IP address of matching traffic to an approved list
- Silently redirecting subsequent traffic destined for port 443 to port 10443 for five minutes if the source IP is on the approved list
- Accepting connections from approved IPs on port 10443
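The four steps above are a port-knocking pattern built from standard iptables modules, so they leave a footprint in the live rule set. The script below is an added example (not from the article, Google, or Dell) that audits `iptables-save` output for the indicators that pattern implies: payload string matching, a dynamic source allow-list, and redirection of traffic to a port the appliance is not expected to serve. The rule set embedded in it is constructed to exercise those indicators and is not a recovered attacker configuration; the expected-port allow-list is likewise an assumption.

```python
"""Audit iptables-save output for traffic-steering rules of the kind the
article describes. Added example; not Dell, Google or Mandiant tooling.
The rule set below is constructed to illustrate the indicators, not a
working or recovered configuration.
"""
import re

SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 443 -m recent --rcheck --seconds 300 --name trusted -j REDIRECT --to-ports 10443
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 443 -m string --algo bm --hex-string "|DEADBEEF|" -m recent --set --name trusted
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 10443 -m recent --rcheck --seconds 300 --name trusted -j ACCEPT
-A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
COMMIT
"""

# Ports the appliance is expected to serve (assumed allow-list); a redirect to
# any other port is reported.
EXPECTED_PORTS = {22, 443}

# Matches the destination port of a REDIRECT or DNAT target.
REDIRECT_RE = re.compile(r"-j (?:REDIRECT --to-ports |DNAT --to-destination \S*:)(\d+)")

def audit_rule(rule, expected_ports=EXPECTED_PORTS):
    """Return the list of indicator descriptions a single rule line triggers."""
    reasons = []
    if "-m string" in rule:
        reasons.append("payload string match (knock-style trigger)")
    if "-m recent --set" in rule:
        reasons.append("adds source IP to a dynamic allow-list")
    if "-m recent --rcheck" in rule or "-m recent --update" in rule:
        reasons.append("gates traffic on a dynamic allow-list")
    m = REDIRECT_RE.search(rule)
    if m and int(m.group(1)) not in expected_ports:
        reasons.append(f"redirects traffic to unexpected port {m.group(1)}")
    return reasons

def audit(save_output, expected_ports=EXPECTED_PORTS):
    """Walk iptables-save text; return {(table, rule): [reasons]} for flagged rules."""
    findings = {}
    table = None
    for line in save_output.splitlines():
        line = line.strip()
        if line.startswith("*"):          # table header, e.g. "*nat"
            table = line[1:]
        elif line.startswith("-A "):      # an append-rule line
            reasons = audit_rule(line, expected_ports)
            if reasons:
                findings[(table, line)] = reasons
    return findings

if __name__ == "__main__":
    for (table, rule), reasons in audit(SAMPLE_RULES).items():
        print(f"[{table}] {rule}\n    " + "; ".join(reasons))
```

Run against a known-good baseline first, since legitimate appliances may use `recent` for rate limiting; the useful signal is a rule that combines a payload match or dynamic allow-list with a redirect to a port that is not part of the product's documented service set.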
Attribution and Related Activity
UNC6201 shares tactical overlaps with UNC5221, another China-nexus espionage cluster known for exploiting virtualization technologies and Ivanti zero-day vulnerabilities. Both groups distribute similar malware families including BEEFLUSH, BRICKSTORM, and ZIPLINE, though they are assessed as distinct clusters at this stage.
CrowdStrike has also linked BRICKSTORM usage to a third China-aligned adversary tracked as Warp Panda in attacks against U.S. entities.
Mitigation and Recommendations
Dell has released specific remediation guidance:
- For RecoverPoint for VMs 5.3 SP4 P1: Migrate to 6.0 SP3, then upgrade to 6.0.3.1 HF1
- For versions 6.0 through 6.0 SP3 P1: Upgrade directly to 6.0.3.1 HF1
- For versions 5.3 SP4 and earlier: Upgrade to 5.3 SP4 P1 or a 6.x version, then apply the necessary remediation
Dell emphasizes that RecoverPoint for VMs should be deployed within trusted, access-controlled internal networks protected by appropriate firewalls and network segmentation, and is not intended for use on untrusted or public networks.
Broader Context: China-Nexus Threat Activity
The disclosure comes amid broader concerns about Chinese state-sponsored cyber operations. Dragos recently warned of attacks by Chinese groups like Volt Typhoon targeting Sierra Wireless Airlink gateways in critical infrastructure sectors, including electric and oil and gas.
These attacks demonstrate a concerning trend of moving beyond data exfiltration to direct manipulation of engineering workstations, potentially enabling physical consequences in operational technology environments.
As Carmakal noted, "Nation-state threat actors continue targeting systems that don't commonly support EDR solutions, which makes it very hard for victim organizations to know they are compromised and significantly prolongs intrusion dwell times."
The active exploitation of CVE-2026-22769 underscores the critical importance of timely patching, network segmentation, and monitoring for unusual network interface activity in virtualized environments.
