
Dell has released urgent security updates for RecoverPoint for Virtual Machines (RP4VM) to address a critical hardcoded credential vulnerability that has been actively exploited in targeted attacks.
The flaw, tracked as CVE-2026-22769 and rated 10.0 under CVSS v3.1, allows unauthenticated remote attackers to gain root-level access to affected appliances.
Dell’s advisory was published alongside a Mandiant report; Mandiant uncovered the flaw during incident response engagements. Dell confirmed it has received reports of limited active exploitation and is urging customers to apply the available remediations immediately.
Hardcoded admin credentials exposed Tomcat interface
According to Mandiant and Google’s Threat Intelligence Group (GTIG), the vulnerability stems from hardcoded default credentials for the “admin” account in the Apache Tomcat Manager component bundled with RecoverPoint for Virtual Machines. The credentials were stored in the file /home/kos/tomcat9/tomcat-users.xml.
An attacker who knows these credentials can authenticate remotely to the Tomcat Manager interface and deploy a malicious WAR archive through the /manager/text/deploy endpoint. Code in that archive then executes as root on the underlying operating system, effectively handing over full control of the appliance and enabling persistent access.
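As an added example (not code from the Dell advisory or the Mandiant report), the following Python script shows the two checks a responder would want after reading the above: audit a tomcat-users.xml for any account holding a Tomcat Manager role (manager-script is the role the text deploy endpoint requires), and hunt Tomcat access-log lines for calls to /manager/text/deploy plus follow-on requests into whatever context a successful deploy created. The tomcat-users.xml content, the placeholder password and the log lines are all constructed for illustration; the real credential value is deliberately not reproduced.

```python
"""Two post-advisory checks for the RP4VM Tomcat Manager exposure.

1. manager_accounts(): parse a tomcat-users.xml and list every account that
   holds a Tomcat Manager role (manager-script is what /manager/text/deploy
   needs).  A hardcoded "admin" entry with that role is the shape of the bug.
2. hunt_access_log(): walk Tomcat access-log lines, flag requests to the
   Manager application, and follow any context created by a successful
   /manager/text/deploy so later hits on the dropped web application surface.

All inputs below are constructed for this example.  The password value is a
placeholder, not the appliance credential, and the log lines are invented.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status"}
DEPLOY_PATH = "/manager/text/deploy"

# Constructed file in the layout Tomcat 9 uses for conf/tomcat-users.xml.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="admin" password="PLACEHOLDER" roles="manager-gui,manager-script"/>
  <user username="svc" password="PLACEHOLDER" roles="app-user"/>
</tomcat-users>
"""

# Constructed lines in Tomcat's "common" AccessLogValve pattern: %h %l %u %t "%r" %s %b
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [12/Sep/2025:03:14:02 +0000] "GET /manager/text/list HTTP/1.1" 401 2473',
    '203.0.113.5 - admin [12/Sep/2025:03:14:07 +0000] "PUT /manager/text/deploy?path=/foo&update=true HTTP/1.1" 200 33',
    '10.0.0.8 - - [12/Sep/2025:03:15:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [12/Sep/2025:03:16:09 +0000] "GET /foo/index.jsp?c=id HTTP/1.1" 200 98',
]

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)


def _local(tag: str) -> str:
    """Strip an XML namespace prefix: '{ns}user' -> 'user'."""
    return tag.rsplit("}", 1)[-1]


def manager_accounts(xml_text: str) -> list[tuple[str, set[str]]]:
    """Return (username, granted manager roles) for every user with a Manager role."""
    hits = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "user":
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        granted = roles & MANAGER_ROLES
        if granted:
            hits.append((el.get("username", ""), granted))
    return hits


def hunt_access_log(lines: list[str]) -> list[dict]:
    """Flag Manager traffic and follow-on requests into deployed contexts.

    Lines are processed in file order, so a context only counts as
    attacker-created once a 200 response to the deploy call has been seen.
    """
    findings, deployed = [], set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: tolerate rather than abort the hunt
        url = urlsplit(m.group("target"))
        status = int(m.group("status"))
        entry = {"host": m.group("host"), "user": m.group("user"),
                 "path": url.path, "status": status}
        if url.path == DEPLOY_PATH:
            # The 'path' query parameter names the context the WAR is mounted at.
            ctx = parse_qs(url.query).get("path", [""])[0].rstrip("/")
            findings.append({**entry, "kind": "deploy", "context": ctx})
            if status == 200 and ctx:
                deployed.add(ctx)
        elif url.path.startswith("/manager/"):
            findings.append({**entry, "kind": "manager-access", "context": ""})
        else:
            for ctx in deployed:
                if url.path == ctx or url.path.startswith(ctx + "/"):
                    findings.append({**entry, "kind": "deployed-context", "context": ctx})
                    break
    return findings


if __name__ == "__main__":
    for user, roles in manager_accounts(SAMPLE_TOMCAT_USERS):
        print(f"[config] {user!r} holds Manager roles: {sorted(roles)}")
    for f in hunt_access_log(SAMPLE_ACCESS_LOG):
        print(f"[log] {f['kind']:17} {f['host']:<12} {f['path']} -> {f['status']}")
```

Point the two functions at /home/kos/tomcat9/tomcat-users.xml and the appliance's Tomcat access logs. Any account holding manager-script, and any successful PUT to the deploy endpoint from an address that is not a known administrator host, deserves a closer look; a 401 on a /manager/ URL is only a failed attempt, whereas a 200 on the deploy call means Tomcat accepted a WAR, and the requests that follow into that context are the web shell being used.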
Mandiant found evidence that exploitation of the flaw dates back to at least mid-2024.
RecoverPoint for Virtual Machines is a continuous data protection and replication solution for VMware environments, widely used in enterprise data centers to safeguard business-critical workloads. Because it sits deep within virtual infrastructure, the compromise of the appliance can provide attackers with privileged access and opportunities for lateral movement across virtual machines.
New Chinese backdoor
Mandiant attributes the exploitation to a suspected China-nexus threat cluster tracked as UNC6201. In observed intrusions, the group deployed a SLAYSTYLE web shell through the vulnerable Tomcat interface and installed malware families previously associated with espionage activity.
Most notably, in September 2025 researchers observed older BRICKSTORM implants being replaced with a newer backdoor dubbed GRIMBOLT. GRIMBOLT is a C#-based foothold backdoor built with .NET native ahead-of-time (AOT) compilation, which yields a self-contained native Linux binary: it runs without a .NET runtime on the appliance, and because it is no longer a managed assembly it resists the usual .NET decompilers, making static analysis more difficult.
The attackers also established persistence by modifying a legitimate boot-time script so the backdoor would execute automatically when the appliance restarted.
In some cases, the activity extended beyond the appliance itself, with the threat actor pivoting into VMware infrastructure to expand access within victim environments.
Action required
CVE-2026-22769 affects RecoverPoint for Virtual Machines versions prior to 6.0.3.1 HF1, including multiple 5.3 and 6.0 service pack releases. Earlier 5.3 versions may also be impacted.
Dell advises customers to upgrade to version 6.0.3.1 HF1 or to apply the remediation script available in its knowledge base. Systems running 5.3 SP4 P1 must first migrate to 6.0 SP3 before upgrading, or use the remediation script. Because exploitation predates the fix by well over a year and the observed intrusions left persistence in a boot-time script, patched appliances should also be examined for signs of prior compromise rather than assumed clean.
Other Dell products, including RecoverPoint Classic appliances, are not affected.
