A zero-day vulnerability in Dell RecoverPoint for Virtual Machines is being actively exploited to deploy backdoors and pivot deeper into enterprise networks.
The flaw has reportedly been abused since at least mid-2024 by a suspected China-linked threat cluster.
“Beyond the Dell appliance exploitation, Mandiant observed the actor employing novel tactics to pivot into VMware virtual infrastructure,” said researchers in the advisory.
Inside the Dell RecoverPoint Zero-Day
RecoverPoint for Virtual Machines is widely deployed in enterprise environments to deliver data protection and disaster recovery capabilities across VMware infrastructure.
Because it integrates directly with virtualized workloads and management systems, compromise of this appliance can provide attackers with privileged access and a strategic foothold inside the environment.
How CVE-2026-22769 Works
The vulnerability, tracked as CVE-2026-22769, carries a CVSS score of 10.0, reflecting the severity of unauthenticated remote access and the potential for full system compromise.
It stems from hardcoded default administrator credentials embedded within the Apache Tomcat Manager configuration on the RecoverPoint appliance.
Researchers identified these credentials in the /home/kos/tomcat9/tomcat-users.xml file.
Using these built-in credentials, a remote attacker who can reach the Tomcat Manager interface can authenticate with no prior access to the appliance.
Once authenticated, the /manager/text/deploy endpoint (the Manager's text interface, available to accounts holding the manager-script role) can be used to upload an attacker-supplied Web Application Archive (WAR) file, which Tomcat then deploys and runs.
In observed intrusions, this technique was used to deploy the SLAYSTYLE web shell, enabling root-level command execution on the appliance.
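As an added illustration (not code from the Mandiant advisory or from Dell), the following Python audit parses a tomcat-users.xml file of the kind found at /home/kos/tomcat9/tomcat-users.xml and reports every account that holds a Manager or Host Manager role. The sample file, the account names and the passwords in it are constructed placeholders, not the appliance's real credentials; the point is that any account with manager-script can reach /manager/text/deploy.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Roles that grant control over the Tomcat Manager / Host Manager web apps.
# manager-script is the one that unlocks the text interface, i.e. /manager/text/deploy.
PRIVILEGED_ROLES = frozenset({
    "manager-gui", "manager-script", "manager-jmx", "manager-status",
    "admin-gui", "admin-script",
})

# Constructed sample file. Account names and passwords are placeholders,
# not the real RecoverPoint credentials.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="app-user"/>
  <user username="builtin-admin" password="PLACEHOLDER" roles="manager-gui,manager-script"/>
  <user username="svc-report" password="PLACEHOLDER" roles="app-user"/>
</tomcat-users>
"""


@dataclass(frozen=True)
class Finding:
    username: str
    privileged_roles: tuple


def audit_tomcat_users(xml_text: str) -> list:
    """Return one Finding per <user> that can reach the Manager or Host Manager app.

    On a RecoverPoint appliance every hit is a lead: either the account should not
    exist, or the Manager app it unlocks must not be reachable from the network.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        # The file may or may not declare the Tomcat namespace; match on the local tag name.
        if elem.tag.rsplit("}", 1)[-1] != "user":
            continue
        # Tomcat accepts both "username" (current) and the older "name" attribute.
        name = elem.get("username") or elem.get("name") or "<unnamed>"
        roles = {r.strip() for r in (elem.get("roles") or "").split(",") if r.strip()}
        privileged = tuple(sorted(PRIVILEGED_ROLES & roles))
        if privileged:
            findings.append(Finding(name, privileged))
    return findings


if __name__ == "__main__":
    for f in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{f.username}: can use Manager app via {', '.join(f.privileged_roles)}")
```

Run it against the appliance's own tomcat-users.xml; an empty result means no Manager-capable account is defined, while any finding should be matched against the vendor's fixed release notes and treated as a credential that needs rotating.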
Active Exploitation by UNC6201
Mandiant researchers determined that UNC6201, a suspected PRC-nexus threat cluster, has exploited CVE-2026-22769 since at least mid-2024.
The group used the vulnerability to move laterally within victim environments, establish persistence, and deploy multiple malware families, including SLAYSTYLE, BRICKSTORM, and a newer backdoor known as GRIMBOLT.
While the initial access vector remains unconfirmed, UNC6201 has historically targeted edge appliances such as VPN concentrators to gain an initial foothold.
Malware Evolution and Persistence
In September 2025, the researchers observed the threat actor replacing legacy BRICKSTORM payloads with GRIMBOLT, signaling an evolution in tooling.
GRIMBOLT is written in C# and compiled using Native Ahead-of-Time (AOT) compilation, which converts code directly into machine-native instructions and removes Common Intermediate Language (CIL) metadata typically examined during static analysis.
The malware is also packed with UPX and provides remote shell capabilities while leveraging previously established command-and-control (C2) infrastructure.
To maintain persistence, UNC6201 modified a legitimate startup script — convert_hosts.sh — ensuring the backdoor executed automatically at boot through rc.local.
Beyond appliance-level compromise, Mandiant observed advanced pivot techniques within VMware environments.
These included the creation of temporary “Ghost NICs” on ESXi virtual machines to enable stealthy network movement, as well as the use of iptables-based Single Packet Authorization (SPA) to conceal C2 traffic.
Hardening RecoverPoint for Virtual Machines
Organizations running Dell RecoverPoint for Virtual Machines should apply updates and evaluate their environments for signs of compromise.
Security teams should also consider the possibility that credentials may have been exposed and take appropriate precautionary steps.
- Patch to the latest version and immediately rotate all appliance and related service account credentials.
- Restrict or disable Apache Tomcat Manager access by limiting it to trusted IP ranges, enforcing firewall rules, and segmenting management interfaces from production networks.
- Conduct a full compromise assessment by reviewing Tomcat access logs, deployed WAR files, systemd journals, and modifications to convert_hosts.sh for signs of persistence.
- Monitor VMware infrastructure for suspicious activity, including new or temporary virtual NIC creation, unusual vCenter API calls, and unexpected iptables modifications.
- Implement strict network egress filtering and DNS monitoring to detect or block command-and-control communications from affected appliances.
- Treat RecoverPoint appliances as high-value assets by applying zero-trust principles, enforcing MFA for administrative access, and using jump hosts for privileged management.
- Regularly test incident response plans and build playbooks for appliance compromise scenarios.
These measures can help limit the blast radius of a compromised appliance while strengthening long-term resilience across virtual infrastructure environments.
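The log review and persistence checks in the list above can be scripted. The Python below is an added example (not tooling from Mandiant or Dell) that does two of them: it walks Tomcat access-log lines looking for WAR uploads through the Manager endpoints and for any later request that hits a context path a successful deploy created, and it diffs the current convert_hosts.sh against a known-good copy to surface added lines. It assumes the Tomcat AccessLogValve "common" pattern; the log lines, IPs, context path and script contents are constructed placeholders.

```python
import difflib
import re
from urllib.parse import parse_qs

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b  (assumed log format)
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)'
)
# Manager endpoints that accept a WAR upload: the text interface abused in the
# intrusions, plus its HTML-form equivalent.
DEPLOY_PATHS = ("/manager/text/deploy", "/manager/html/upload")

# Constructed sample log lines; addresses, user and context path are placeholders.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [12/Sep/2025:03:14:07 +0000] "GET /manager/html HTTP/1.1" 401 2536',
    '198.51.100.23 - builtin-admin [12/Sep/2025:03:14:09 +0000] '
    '"PUT /manager/text/deploy?path=/helper&update=true HTTP/1.1" 200 41',
    '198.51.100.23 - - [12/Sep/2025:03:15:00 +0000] "GET /helper/ HTTP/1.1" 200 312',
]

# Constructed startup-script contents: a known-good copy versus the file on the box.
KNOWN_GOOD_SCRIPT = "#!/bin/bash\n/usr/local/bin/convert_hosts --apply\n"
CURRENT_SCRIPT = "#!/bin/bash\n/usr/local/bin/convert_hosts --apply\n/opt/.cache/updater &\n"


def triage_access_log(lines):
    """Return (deploys, followups).

    deploys:   every request to a WAR-upload endpoint, successful or not.
    followups: later requests into a context path that a successful deploy created,
               which is where a dropped web shell would be invoked.
    """
    deploys, followups, live_contexts = [], [], set()
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        method, _, rest = m.group("req").partition(" ")
        target = rest.split(" ", 1)[0]
        path, _, query = target.partition("?")
        if path in DEPLOY_PATHS:
            # The text interface names the new context in the "path" query parameter.
            context = parse_qs(query).get("path", [None])[0]
            ok = m.group("status").startswith("2")
            deploys.append({
                "ip": m.group("ip"), "user": m.group("user"), "ts": m.group("ts"),
                "method": method, "context": context, "success": ok,
            })
            if ok and context:
                live_contexts.add(context.rstrip("/"))
        elif any(path == c or path.startswith(c + "/") for c in live_contexts):
            followups.append({
                "ip": m.group("ip"), "ts": m.group("ts"),
                "request": m.group("req"), "status": m.group("status"),
            })
    return deploys, followups


def added_lines(known_good, current):
    """Lines present in the current startup script but absent from the baseline."""
    diff = difflib.unified_diff(known_good.splitlines(), current.splitlines(),
                                lineterm="", n=0)
    return [l[1:] for l in diff if l.startswith("+") and not l.startswith("+++")]


if __name__ == "__main__":
    deploys, followups = triage_access_log(SAMPLE_ACCESS_LOG)
    for d in deploys:
        print(f"WAR deploy by {d['user']}@{d['ip']} at {d['ts']} -> {d['context']} ok={d['success']}")
    for f in followups:
        print(f"request into deployed context from {f['ip']}: {f['request']} ({f['status']})")
    for l in added_lines(KNOWN_GOOD_SCRIPT, CURRENT_SCRIPT):
        print(f"convert_hosts.sh line not in baseline: {l}")
```

Feed the real access logs (including rotated files) to triage_access_log and, separately, list the contents of Tomcat's webapps directory: a deploy hit with no matching known application is a strong indicator, and any line the baseline diff reports in convert_hosts.sh should be treated as attacker-added until proven otherwise. The baseline copy should come from vendor media or a known-clean appliance, not from the suspect host.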
Infrastructure Appliances Are Prime Targets
The exploitation of CVE-2026-22769 highlights the continued targeting of infrastructure and recovery platforms within enterprise environments.
Appliances that support backup and virtualization typically have elevated privileges and broad network visibility, which can make them useful entry points if compromised.
The transition from BRICKSTORM to GRIMBOLT also reflects an effort by this threat actor to refine tooling for improved evasion and performance in enterprise settings.
These types of risks are driving organizations to adopt zero-trust solutions that limit implicit trust and reduce the impact of compromised infrastructure components.
