Federal Agencies Ordered to Patch Critical Dell Vulnerability Within 72 Hours

Privacy Reporter

CISA mandates emergency patching of an actively exploited Dell flaw involving hardcoded credentials in RecoverPoint software, with espionage groups already leveraging the vulnerability.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent directive requiring all federal agencies to patch a critical vulnerability in Dell's RecoverPoint for Virtual Machines software within 72 hours. Tracked as CVE-2026-22769, this maximum-severity flaw involves hardcoded credentials that grant attackers unauthorized access to systems, and has been actively weaponized by suspected state-sponsored threat actors since mid-2024.

CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on February 18, 2026, setting a remediation deadline of February 21 for civilian federal agencies. The unusually short timeframe reflects intelligence confirming active exploitation in ongoing espionage operations.

According to Dell's security advisory, attackers can exploit these embedded credentials to bypass authentication mechanisms in RecoverPoint management interfaces. This virtualization disaster recovery product manages data replication across VMware environments, meaning compromised credentials could allow threat actors to access sensitive backups and manipulate recovery processes.

Google's Mandiant threat intelligence team has documented extensive exploitation by a group tracked as UNC6201, which deployed multiple malware families including Brickstorm backdoors and the Grimbolt implant. Attackers created 'ghost NICs' (virtual network interfaces) to evade detection while moving laterally across networks. Mandiant's analysis links these tactics to Silk Typhoon, a Chinese state-backed group known for targeting government systems.

For federal agencies, the directive carries legal weight under Binding Operational Directive 22-01, which requires remediation of KEV-listed vulnerabilities within strict timeframes. Private sector organizations using Dell RecoverPoint face immediate operational risks: compromised systems could lead to data exfiltration, ransomware deployment, or sabotage of disaster recovery capabilities. Dell confirmed 'limited active exploitation' prior to patching and urges all customers to install updates immediately.

The three-day deadline demonstrates CISA's increasingly aggressive stance on vulnerability management. This follows similar emergency orders, including last week's mandate for BeyondTrust Remote Support patches. Because the credentials are hardcoded, password changes do not help: unpatched systems remain exposed to attacks that bypass conventional authentication controls, and only the vendor update removes the embedded credentials.

Security teams should prioritize:

  1. Immediate application of Dell's RecoverPoint 5.3.1.1 patch
  2. Network segmentation of RecoverPoint management interfaces
  3. Credential rotation for all associated service accounts
  4. Hunting for indicators like unexpected NIC configurations or connections to known malicious IPs
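The fourth item, hunting for unexpected NIC configurations, can be turned into a repeatable check by diffing a host's live interface list against an approved inventory. The script below is an added example written for this page; it is not code from the article, Dell, CISA or Mandiant. It assumes a Linux host where `ip -o link show` can be run (or its output captured), a name-to-MAC baseline maintained by the defender (the `BASELINE` dictionary here is a constructed placeholder), and it uses the locally-administered bit of the MAC address as a heuristic for software-created interfaces. The sample `ip -o link show` output is constructed, not captured from any real system.

```python
"""Baseline diff of network interfaces to surface unexpected ("ghost") NICs.

Added example for the article above; not from Dell, CISA or Mandiant.
Assumes Linux iproute2 `ip -o link show` output and an operator-maintained
baseline of approved interface names and MAC addresses.
"""
import re
import subprocess
from typing import Dict, List, Tuple

# Constructed sample of `ip -o link show` output (oneline mode joins the
# two output lines per interface with a backslash). Not a real capture.
SAMPLE_IP_LINK = r"""
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000\    link/ether 00:50:56:aa:bb:cc brd ff:ff:ff:ff:ff:ff
3: ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000\    link/ether 00:50:56:dd:ee:ff brd ff:ff:ff:ff:ff:ff
4: vnic7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/ether 02:42:ac:11:00:05 brd ff:ff:ff:ff:ff:ff
"""

# Constructed baseline (placeholder): approved interface name -> MAC address.
# In practice this comes from the asset inventory or the VM's configured vNICs.
BASELINE: Dict[str, str] = {
    "ens192": "00:50:56:aa:bb:cc",
    "ens224": "00:50:56:dd:ee:ff",
}

# One `ip -o link show` line: index, name (optional "@parent"), link type, MAC.
_LINK_RE = re.compile(
    r"^(?P<idx>\d+):\s+(?P<name>[^:@\s]+)(?:@\S+)?:\s.*?"
    r"link/(?P<ltype>\w+)\s+(?P<mac>[0-9a-f]{2}(?::[0-9a-f]{2}){5})",
    re.IGNORECASE,
)


def parse_ip_link(output: str) -> Dict[str, Tuple[str, str]]:
    """Map interface name -> (link type, lowercase MAC) from `ip -o link show` text."""
    nics: Dict[str, Tuple[str, str]] = {}
    for line in output.splitlines():
        m = _LINK_RE.match(line)
        if m:
            nics[m.group("name")] = (m.group("ltype").lower(), m.group("mac").lower())
    return nics


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (bit 1 of the first octet) is set, meaning the
    address was assigned by software rather than burned in by a vendor.
    Heuristic only: bridges, containers and some hypervisors also set it."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def find_unexpected_nics(output: str, baseline: Dict[str, str]) -> List[dict]:
    """Compare live interfaces against the approved baseline.
    Returns one finding per interface that is missing from the baseline or
    whose MAC differs from the approved one; loopback is ignored."""
    findings: List[dict] = []
    for name, (ltype, mac) in parse_ip_link(output).items():
        if ltype == "loopback":
            continue
        approved = baseline.get(name)
        if approved is None:
            reason = "not in baseline"
        elif approved.lower() != mac:
            reason = f"mac changed from {approved.lower()}"
        else:
            continue
        findings.append({
            "iface": name,
            "mac": mac,
            "reason": reason,
            "locally_administered": is_locally_administered(mac),
        })
    return findings


def live_ip_link() -> str:
    """Run `ip -o link show` on the local Linux host and return its output."""
    return subprocess.run(
        ["ip", "-o", "link", "show"], capture_output=True, text=True, check=True
    ).stdout


if __name__ == "__main__":
    # Demo on the constructed sample; swap in live_ip_link() on a real host.
    for finding in find_unexpected_nics(SAMPLE_IP_LINK, BASELINE):
        print(finding)
```

Run on the constructed sample, the only finding is `vnic7`, which is absent from the baseline and carries a locally-administered MAC. On a real host, feed `live_ip_link()` into `find_unexpected_nics` and alert on any finding; a changed MAC on an approved name is as interesting as a new name, since the baseline pins both.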

With espionage groups actively weaponizing this vulnerability, timely patching isn't merely administrative compliance—it's a critical defense against persistent threats targeting government and enterprise infrastructure.
