Maximum Severity: CVSS 10.0
Google's Threat Intelligence Group has disclosed that a maximum-severity vulnerability in Dell RecoverPoint for Virtual Machines has been under active exploitation by a suspected China-nexus threat cluster since mid-2024 — nearly two years before the patch was released.
The flaw, tracked as CVE-2026-22769, is a hardcoded-credentials vulnerability: the product ships with a default Apache Tomcat administrator password, which lets unauthenticated attackers gain full administrative access.
Vulnerability Details
| Attribute | Value |
|---|---|
| CVE | CVE-2026-22769 |
| CVSS Score | 10.0 (Critical) |
| Type | Hardcoded Credentials (CWE-798) |
| Attack Vector | Network — No authentication required |
| Affected | Dell RecoverPoint for VMs < 6.0.3.1 HF1 |
| Fix | Version 6.0.3.1 HF1 |
| Discovered By | Google Threat Intelligence Group |
Attack Chain
The threat cluster UNC6201 used a sophisticated multi-stage attack chain:
1. Scan for internet-exposed Dell RecoverPoint instances
2. Authenticate using hardcoded Tomcat admin credentials
3. Upload SLAYSTYLE web shell via Tomcat manager
4. Deploy BRICKSTORM backdoor for persistent C2 access
5. Upgrade to GRIMBOLT backdoor (C#, native AOT, UPX-packed)
6. Create "Ghost NICs" — temporary virtual network interfaces
7. Pivot into internal networks and SaaS environments
8. Delete Ghost NICs to erase forensic traces
9. Exfiltrate data via encrypted channels
Malware Arsenal
| Malware | Type | Description |
|---|---|---|
| SLAYSTYLE | Web Shell | Initial access persistence via Tomcat |
| BRICKSTORM | Backdoor | First-stage command-and-control implant |
| GRIMBOLT | Backdoor | Evolved C2, compiled with .NET Native AOT, packed with UPX for AV evasion |
Novel "Ghost NIC" Technique
UNC6201 pioneered a technique dubbed "Ghost NICs" — creating temporary virtual network interfaces on compromised RecoverPoint appliances to pivot into internal and SaaS environments, then deleting the interfaces to erase evidence of lateral movement. This technique leaves minimal forensic artifacts and can bypass network monitoring tools that rely on persistent interface tracking.
Threat Actor: UNC6201
| Attribute | Details |
|---|---|
| Designation | UNC6201 |
| Nexus | China |
| Active Since | Mid-2024 (minimum) |
| Known Victims | Fewer than 12 organizations in North America |
| Objective | Long-term espionage and data exfiltration |
Google noted that while fewer than a dozen impacted organizations have been identified, the true scale of compromise is unknown — many organizations may not yet realize they are affected.
Immediate Actions
- Patch immediately — Update to Dell RecoverPoint for VMs version 6.0.3.1 HF1
- Restrict network access to RecoverPoint management interfaces
- Audit Tomcat logs for unauthorized admin sessions dating back to mid-2024
- Search for IOCs — SLAYSTYLE, BRICKSTORM, and GRIMBOLT artifacts
- Monitor for Ghost NIC creation — unusual virtual network interface creation and deletion events
- Engage incident response if any indicators are found
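For the log-audit and Ghost NIC monitoring items above, an added Python example (not code from the advisory, Dell or Google) that scans Tomcat access-log lines for authenticated manager-app use and WAR uploads on or after the mid-2024 cutoff, and pairs interface add/delete events to surface short-lived interfaces. The exact cutoff date, the trusted-host list, the interface-event line format and all sample log values are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Tomcat AccessLogValve "common" pattern: host ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$')
AUDIT_FROM = datetime(2024, 6, 1)  # advisory says "mid-2024"; exact cutoff is an assumption
UPLOAD_PATHS = ("/manager/text/deploy", "/manager/html/upload")  # manager WAR upload endpoints

def find_manager_sessions(lines, trusted_ips=frozenset()):
    """Successful, authenticated /manager/ requests from untrusted IPs on/after AUDIT_FROM."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        day = datetime.strptime(m["ts"].split(":", 1)[0], "%d/%b/%Y")
        if day < AUDIT_FROM or not m["path"].startswith("/manager/"):
            continue
        if m["user"] == "-" or int(m["status"]) >= 400 or m["ip"] in trusted_ips:
            continue  # unauthenticated, rejected, or from an expected admin host
        hits.append((m["ip"], m["user"], day.date().isoformat(), m["path"],
                     m["path"].startswith(UPLOAD_PATHS)))  # last field: WAR upload?
    return hits

def short_lived_interfaces(events, max_lifetime=timedelta(hours=2)):
    """events: 'YYYY-mm-ddTHH:MM:SS add|del <ifname>' lines (constructed format).
    Returns interfaces created and deleted within max_lifetime: the Ghost NIC pattern."""
    created, ghosts = {}, []
    for ev in events:
        ts, action, name = ev.split()
        t = datetime.fromisoformat(ts)
        if action == "add":
            created[name] = t
        elif action == "del" and name in created and t - created.pop(name) <= max_lifetime:
            ghosts.append(name)
    return ghosts

# Constructed sample data (not real IoCs): a WAR upload by "admin" from an external IP, a
# manager login from a trusted jump host, a pre-cutoff entry, and a rejected anonymous request.
ACCESS_LOG = [
    '203.0.113.7 - admin [15/Jul/2024:03:12:40 +0000] "PUT /manager/text/deploy?path=/x HTTP/1.1" 200 55',
    '10.0.0.5 - admin [16/Jul/2024:09:00:01 +0000] "GET /manager/html HTTP/1.1" 200 1200',
    '198.51.100.9 - admin [01/Mar/2024:11:00:00 +0000] "GET /manager/html HTTP/1.1" 200 1200',
    '203.0.113.7 - - [15/Jul/2024:03:12:00 +0000] "GET /manager/html HTTP/1.1" 401 0',
]
NIC_EVENTS = ["2024-07-15T03:20:00 add vmnic9", "2024-07-15T03:58:00 del vmnic9",
              "2024-07-15T04:00:00 add vmnic3"]  # vmnic9 lived 38 minutes, vmnic3 is still up
```

Any hit with the upload flag set, or any interface that appears and disappears within a short window, is a lead to hand to incident response rather than a confirmed compromise on its own.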
A CVSS 10.0 vulnerability exploited for nearly two years before disclosure is a worst-case scenario for any enterprise product. Organizations running Dell RecoverPoint should treat this as an immediate priority.
Sources
- Google Cloud Blog — UNC6201 Exploiting Dell RecoverPoint Zero-Day
- The Hacker News — Dell RecoverPoint CVE-2026-22769
- SecurityWeek — Dell RecoverPoint Zero-Day Exploited by Chinese Cyberespionage Group
- BleepingComputer — Chinese Hackers Exploiting Dell Zero-Day Since Mid-2024