
Dell RecoverPoint zero-day CVE-2026-22769 exploited by China-linked APT since mid-2024

A joint investigation by Google Mandiant and Google’s Threat Intelligence Group (GTIG) revealed that a zero-day vulnerability in Dell RecoverPoint for Virtual Machines had been exploited by a China-linked threat group since mid-2024.

Overview of CVE-2026-22769

The CVSS score is 10.0 (maximum). All versions of Dell RecoverPoint for Virtual Machines prior to 6.0.3.1 HF1 are affected.

The issue is hard-coded credentials in Apache Tomcat Manager. An attacker can authenticate to Tomcat Manager using these “admin” credentials and deploy a web shell via the /manager/text/deploy endpoint.

Attack chain

A China-linked espionage group known as UNC6201 built the following attack chain:

  1. Log in to Tomcat Manager using the hard-coded credentials
  2. Deploy a web shell named “SLAYSTYLE”
  3. Execute commands with root privileges
  4. Drop the “BRICKSTORM” backdoor and, subsequently, its successor “GRIMBOLT”

GRIMBOLT is a backdoor written in C# and built with native AOT (Ahead-of-Time) compilation, which makes reverse engineering more difficult.

Tactics of UNC6201

UNC6201 is a China-linked espionage cluster with tactical overlap with UNC5221, primarily targeting organizations in North America.

Notable is a technique known as “Ghost NICs,” in which they create temporary virtual network interfaces to pivot and erase traces. They characteristically go after appliance devices where conventional EDR agents are not deployed.

Mitigations

  • Upgrade Dell RecoverPoint for VMs to version 6.0.3.1 HF1
  • Place RecoverPoint inside an internal network with trusted access controls
  • Implement appropriate firewalls and network segmentation
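The attack chain above starts with a deploy request to Tomcat Manager, and the mitigations rely on RecoverPoint being reachable only from a trusted network. The following added example (not from the original article, Dell, or Google) shows how a defender can scan Tomcat access-log lines in the default `%h %l %u %t "%r" %s %b` format for Manager deploy requests and flag those coming from outside an assumed management network. The sample log lines and the `10.10.0.0/16` trusted range are constructed for illustration.

```python
import re
import ipaddress
from dataclasses import dataclass

# Default Tomcat AccessLogValve pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Manager endpoints that install a web application on the server
# (text interface used in the reported chain, plus the HTML upload form).
DEPLOY_PATHS = ("/manager/text/deploy", "/manager/html/upload")

@dataclass
class Finding:
    host: str
    user: str
    path: str
    status: str
    reason: str

def detect_manager_deploys(lines, trusted_nets=()):
    """Return one Finding per access-log line that deploys an application
    through Tomcat Manager. Requests from hosts outside trusted_nets
    (assumed to be the management network) are labelled as untrusted."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the access-log format
        path = m["path"].split("?", 1)[0]  # drop query string before matching
        if not path.startswith(DEPLOY_PATHS):
            continue
        try:
            trusted = any(ipaddress.ip_address(m["host"]) in n for n in nets)
        except ValueError:
            trusted = False  # hostname instead of IP: treat as untrusted
        reason = "manager deploy" if trusted else "manager deploy from untrusted host"
        findings.append(Finding(m["host"], m["user"], path, m["status"], reason))
    return findings

# Constructed sample lines (not real telemetry): one deploy from the
# management network, one from an outside address, one benign request.
SAMPLE_LOG = [
    '10.10.0.5 - admin [01/Mar/2025:09:12:01 +0000] "PUT /manager/text/deploy?path=/ops&update=true HTTP/1.1" 200 41',
    '203.0.113.7 - admin [02/Mar/2025:03:40:17 +0000] "PUT /manager/text/deploy?path=/x HTTP/1.1" 200 38',
    '10.10.0.9 - - [02/Mar/2025:03:41:00 +0000] "GET /manager/text/list HTTP/1.1" 200 120',
]

if __name__ == "__main__":
    for f in detect_manager_deploys(SAMPLE_LOG, trusted_nets=["10.10.0.0/16"]):
        print(f)
```

On an appliance where Manager deploys are never expected, every finding is worth investigating; the untrusted-host label only prioritises the ones that also violate the network-segmentation mitigation.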

It is sobering that a classic flaw—hard-coded credentials—was exploited for a year and a half as a CVSS 10.0 issue. Appliances without EDR support are prime targets for attackers, making defenses at network boundaries essential.
