Full Report
A maximum severity security vulnerability in Dell RecoverPoint for Virtual Machines has been exploited as a zero-day by a suspected China-nexus threat cluster dubbed UNC6201 since mid-2024, according to a new report from Google Mandiant and Google Threat Intelligence Group (GTIG). The activity involves the exploitation of CVE-2026-22769 (CVSS score: 10.0), a case of hard-coded credentials
Analysis Summary
# Vulnerability: Dell RecoverPoint for VMs Hard-Coded Credentials (UNC6201 Zero-Day)
## CVE Details
- **CVE ID:** CVE-2026-22769
- **CVSS Score:** 10.0 (Critical)
- **CWE:** CWE-798 (Use of Hard-coded Credentials)
## Affected Systems
- **Products:** Dell RecoverPoint for Virtual Machines (Classic versions are NOT affected).
- **Versions:**
  - Versions prior to 6.0.3.1 HF1 (including 6.0, 6.0 SP1/SP2/SP3 series).
  - Version 5.3 SP4 P1 and all versions prior (5.3 SP4, SP3, SP2, and earlier).
- **Configurations:** Systems exposed to untrusted or public networks are at highest risk; the flaw impacts the Apache Tomcat Manager instance within the appliance.
## Vulnerability Description
The vulnerability stems from the use of hard-coded credentials for the "admin" user within the Apache Tomcat Manager instance on the RecoverPoint for VMs appliance. An unauthenticated remote attacker with knowledge of these credentials can authenticate to the Tomcat Manager and utilize the `/manager/text/deploy` endpoint. This allows the attacker to upload malicious files (web shells) and execute commands with **root-level** privileges on the underlying operating system.
## Exploitation
- **Status:** Exploited in the wild (Zero-day activity by UNC6201 since mid-2024).
- **Complexity:** Low (Credentials are static and hard-coded).
- **Attack Vector:** Network (Unauthenticated remote access).
## Impact
- **Confidentiality:** Total (Root-level access to the VM appliance).
- **Integrity:** Total (Ability to deploy backdoors and manipulate system files).
- **Availability:** Total (Full control over the operating system).
## Remediation
### Patches
Dell has released a fix in version **6.0.3.1 HF1**. The remediation path depends on the currently installed version:
- **For 6.0.x versions:** Upgrade directly to 6.0.3.1 HF1.
- **For 5.3 SP4 P1:** Migrate to 6.0 SP3 first, then upgrade to 6.0.3.1 HF1.
- **For 5.3 SP4 and earlier:** Upgrade to 5.3 SP4 P1 or a 6.x version, then follow the specific remediation path for that version.
### Workarounds
- Ensure RecoverPoint for VMs is deployed strictly within a **trusted, access-controlled internal network**.
- Isolate the appliance using firewalls and network segmentation to prevent exposure to untrusted/public networks.
## Detection
- **Indicators of Compromise (IoCs):**
  - Presence of a web shell named `SLAYSTYLE`.
  - Presence of `BRICKSTORM` or `GRIMBOLT` (C# AOT-compiled) backdoors.
  - Identification of "Ghost NICs" (temporary virtual network interfaces) used for lateral movement and then deleted.
- **Detection methods:**
  - Monitor for unauthorized access or deployments to the `/manager/text/deploy` endpoint on the appliance.
  - Audit `iptables` commands on VMware vCenter appliances and RecoverPoint instances for unusual traffic redirection or exfiltration rules.
  - Hunt for native file masquerading (specifically GRIMBOLT, which mimics system files).
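As an added example (not code from Dell, Mandiant, or the advisory), the first detection method above worked out as a small scanner over Tomcat access log lines: it assumes Tomcat's default `%h %l %u %t "%r" %s %b` log pattern, reports every request under `/manager/`, and elevates requests to the `/manager/text/deploy` endpoint that the Manager accepted (2xx). The sample log lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Tomcat's default access log pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# Manager endpoints that change deployed applications: the one named in the
# advisory plus its siblings. Any other /manager/ request is still reported.
DEPLOY_PATHS = ("/manager/text/deploy", "/manager/text/undeploy", "/manager/html/upload")

@dataclass
class Finding:
    host: str
    user: str
    time: str
    method: str
    path: str
    status: int
    severity: str

def classify(line: str) -> Optional[Finding]:
    """Return a Finding for a Tomcat Manager request, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # not a parsable access log line
    path = m["target"].split("?", 1)[0]  # drop the query string
    if not path.startswith("/manager/"):
        return None
    status = int(m["status"])
    if path.startswith(DEPLOY_PATHS):
        # 2xx: the Manager accepted the request, so the caller held working
        # credentials. 401/403: a deployment was attempted but refused.
        severity = "high" if 200 <= status < 300 else "medium"
    else:
        severity = "low"  # list/status calls: reconnaissance, not deployment
    return Finding(m["host"], m["user"], m["time"], m["method"], path, status, severity)

def scan_access_log(lines: List[str]) -> List[Finding]:
    """Scan a whole access log and return only the Manager-related findings."""
    return [f for f in map(classify, lines) if f is not None]

# Constructed sample lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Feb/2026:02:11:09 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '198.51.100.22 - - [14/Feb/2026:02:12:12 +0000] "GET /manager/text/list HTTP/1.1" 401 2473',
    '198.51.100.22 - admin [14/Feb/2026:02:12:41 +0000] "PUT /manager/text/deploy?path=/upd&update=true HTTP/1.1" 200 58',
]
```

On an appliance that is never legitimately administered through the Manager, any "high" finding is a strong signal and the source host should be checked against the advisory's other IoCs.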
## References
- **Dell Advisory:** hxxps[://]www[.]dell[.]com/support/kbdoc/en-us/000426773/dsa-2026-079
- **Google Mandiant Report:** hxxps[://]cloud[.]google[.]com/blog/topics/threat-intelligence/unc6201-exploiting-dell-recoverpoint-zero-day
- **News Coverage:** hxxps[://]thehackernews[.]com/2026/02/dell-recoverpoint-for-vms-zero-day-cve.html