Chinese Hacker Group Exploits Dell RecoverPoint Zero-Day Vulnerability


Critical Zero-Day Vulnerability Exploited in Dell Technologies’ RecoverPoint

A serious zero-day vulnerability, identified as CVE-2026-22769, has been discovered in Dell Technologies’ RecoverPoint for Virtual Machines. This critical flaw has been assigned a severity rating of 10, the highest possible score. Reports from Mandiant and the Google Threat Intelligence Group (GTIG) indicate that this vulnerability is actively being exploited by a Chinese threat group known as UNC6201.

Understanding Dell RecoverPoint for Virtual Machines

Dell RecoverPoint for Virtual Machines is a backup and disaster-recovery product built for VMware virtual environments, with the purpose of ensuring data integrity and availability. Exploitation of CVE-2026-22769 allows attackers to bypass authentication and gain unauthorized access to the underlying appliance. That access can lead to root-level persistence, made possible primarily by hardcoded credentials embedded in the system’s configuration files.

How Attackers Are Leveraging the Vulnerability

Investigations have shown that UNC6201 has exploited CVE-2026-22769 since at least mid-2024. The issue originates from hardcoded default credentials in the Apache Tomcat Manager configuration on Dell RecoverPoint appliances, found in the file /home/kos/tomcat9/tomcat-users.xml.

By leveraging these credentials, attackers can authenticate into the Tomcat Manager interface, permitting them to deploy malicious WAR files through the /manager/text/deploy endpoint. In several cases, this process has led to the installation of a web shell called SLAYSTYLE, significantly increasing the attackers’ control over compromised systems.

Investigating the Compromises

The audit log file /home/kos/auditlog/fapi_cl_audit_log.log recorded suspicious requests directed at /manager. The entries showed deployments of malicious files, which were frequently found in other Tomcat directories such as /var/lib/tomcat9 and /var/cache/tomcat9/Catalina. Security analysts are advised to scrutinize the Tomcat logs under /var/log/tomcat9/, including key Catalina events, for further signs of this vulnerability being exploited.
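As an added defensive example (not code from the article, Dell, or Mandiant), the following Python audits the two artefacts the article names: accounts holding Manager roles in tomcat-users.xml, and access-log requests to /manager/text/deploy followed by hits on the context path they deployed. The XML, log lines, usernames and IP addresses are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed tomcat-users.xml sample; on the appliance the article names the
# path /home/kos/tomcat9/tomcat-users.xml. Usernames and passwords are made up.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-script"/>
  <user username="svc_admin" password="changeme" roles="manager-gui,manager-script"/>
  <user username="reporter" password="x" roles="reader"/>
</tomcat-users>"""

# Constructed access-log lines in Tomcat's common log format (hypothetical IPs).
SAMPLE_ACCESS_LOG = """10.0.0.5 - svc_admin [10/Oct/2025:11:02:13 +0000] "PUT /manager/text/deploy?path=/support HTTP/1.1" 200 58
10.0.0.9 - - [10/Oct/2025:11:03:02 +0000] "GET /support/default.jsp HTTP/1.1" 200 311
10.0.0.7 - - [10/Oct/2025:11:05:40 +0000] "GET /ui/ HTTP/1.1" 200 1024"""

MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status"}

def manager_accounts(xml_text):
    """Return usernames that hold any Tomcat Manager role (namespace-agnostic)."""
    root = ET.fromstring(xml_text)
    hits = []
    for el in root.iter():
        if el.tag.split("}")[-1] != "user":
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",")}
        if roles & MANAGER_ROLES:
            hits.append(el.get("username"))
    return hits

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)')

def suspicious_requests(log_text):
    """Flag Manager deploy calls, then any hit on the context path they deployed."""
    findings, deployed = [], set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        if path.startswith("/manager/text/deploy"):
            findings.append((m.group("ip"), "manager-deploy", path))
            q = re.search(r"[?&]path=([^&\s]+)", path)
            if q:
                deployed.add(q.group(1).rstrip("/"))
        elif any(path == d or path.startswith(d + "/") for d in deployed):
            findings.append((m.group("ip"), "deployed-app-access", path))
    return findings
```

Point `manager_accounts` at the real tomcat-users.xml and `suspicious_requests` at the access logs under /var/log/tomcat9/ to triage an appliance; any Manager-role account on a product appliance deserves review.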

The earliest documented exploitation of CVE-2026-22769 can be traced back to mid-2024.

The Evolution of Malware Used by UNC6201

The cyberattack campaign associated with UNC6201 has shown a marked evolution in malware tactics. Initially, they relied on BRICKSTORM malware, but a shift was observed in September 2025 when older BRICKSTORM binaries were replaced with a new backdoor known as GRIMBOLT.

GRIMBOLT is noteworthy because it is written in C# and uses ahead-of-time (AOT) compilation. This improves runtime performance and complicates reverse engineering, which matters on resource-constrained systems such as Dell RecoverPoint appliances.

The GRIMBOLT backdoor is also packed with UPX and offers web shell capabilities while keeping the same command-and-control (C2) infrastructure previously associated with BRICKSTORM. Analysts have speculated that the transition to GRIMBOLT was either a planned step or a reaction to incident response efforts by security teams.

Furthermore, attackers established persistence by modifying an existing shell script located at /home/kos/kbox/src/installation/distribution/convert_hosts.sh, ensuring the backdoor executes upon system boot.

Expanding Targets and New Attack Vectors

Beyond the exploitation of CVE-2026-22769, UNC6201 has broadened its scope to target VMware environments more generally. While the exact methods for the initial access vector remain unclear, it is known that they target edge devices, including VPN concentrators.

Mandiant has identified the creation of “Ghost NICs,” which are temporary network interfaces added to virtual machines operating on ESXi servers. These interfaces enable stealthy pivoting into internal and software-as-a-service (SaaS) infrastructures.

Analysts have documented commands executed within compromised vCenter appliances, showcasing how UNC6201 implemented Single Packet Authorization (SPA) for covert access. This involved monitoring specific traffic patterns and redirecting legitimate connections to ensure minimal exposure.

Indicators of Compromise (IoCs)

The ongoing investigation has unveiled several malware samples and network indicators associated with the UNC6201 campaign:

GRIMBOLT Files

  • support: SHA256 – 24a11a26a2586f4fba7bfe89df2e21a0809ad85069e442da98c37c4add369a0c
  • out_elf_2: SHA256 – dfb37247d12351ef9708cb6631ce2d7017897503657c6b882a711c0da8a9a591

SLAYSTYLE Web Shell

  • default_jsp.java: SHA256 – 92fb4ad6dee9362d0596fda7bbcfe1ba353f812ea801d1870e37bfc6376e624a

BRICKSTORM Samples

  • Various critical SHA256 hashes linked to malicious activity.

Network Indicators

  • C2 Endpoint: wss://149.248.11.71/rest/apisession
  • C2 IP: 149.248.11.71

Researchers from GTIG have released YARA rules to assist organizations in detecting indicators related to the GRIMBOLT and SLAYSTYLE malware campaigns, emphasizing the critical nature of keeping defenses updated in the face of evolving cybersecurity threats.
