UNC6201 Zero-Day Exploitation of Dell RecoverPoint for Virtual Machines (CVE-2026-22769)
Mandiant and Google Threat Intelligence Group reported active zero-day exploitation of a maximum-severity Dell RecoverPoint for Virtual Machines vulnerability, CVE-2026-22769 (CVSS 10.0), attributed to UNC6201, a suspected PRC-nexus threat cluster. The flaw is described as a hardcoded-credential issue affecting versions prior to 6.0.3.1 HF1, enabling unauthenticated attackers with knowledge of the credential to gain unauthorized access to the underlying OS and establish root-level persistence; exploitation has been observed since at least mid-2024. Dell has released remediations and urged customers to upgrade/apply fixes per its security advisory.
Post-compromise activity observed in incident response engagements included lateral movement, persistence, and malware deployment, including SLAYSTYLE, BRICKSTORM, and a newly identified backdoor, GRIMBOLT. GRIMBOLT (C# with native ahead-of-time compilation) was observed replacing older BRICKSTORM binaries around September 2025 and is intended to complicate static analysis and improve performance on constrained appliances. The actor also demonstrated techniques to pivot into VMware environments, including creating “Ghost NICs” on VMware ESXi for stealthy network movement and using iptables for Single Packet Authorization (SPA); initial access was not definitively confirmed, though the actor is known to target edge appliances (e.g., VPN concentrators) for entry.
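A defender-side check for the iptables-based Single Packet Authorization mentioned above. This is an added example, not code from the Mandiant/GTIG report or from Dell: it parses `iptables-save` output and flags rules that use the `recent` or `string` match modules, the usual building blocks for knock-style port gating, then pairs `--set` and `--rcheck`/`--update` rules that share a `--name`. The sample ruleset is constructed, and the assumption that a stock backup appliance firewall does not use these modules is exactly that, an assumption to validate against a known-good baseline.

```python
import re

# Constructed sample of `iptables-save` output; not taken from any real appliance.
# The last two rules model knock-style gating: a trigger packet matched by
# payload string sets a `recent` entry, and a second rule only accepts a later
# connection to another port while that entry is fresh.
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p udp --dport 62201 -m string --algo bm --hex-string "|deadbeef|" -m recent --name spa --set -j DROP
-A INPUT -p tcp --dport 2222 -m recent --name spa --rcheck --seconds 30 -j ACCEPT
COMMIT
"""

# Assumption: a baseline appliance ruleset does not use these match modules, so
# any rule that does deserves a look. Adjust after comparing with a clean host.
SUSPICIOUS_MODULES = {"recent", "string"}

RULE_RE = re.compile(r"^-A\s+(\S+)\s+(.*)$")


def parse_rules(save_text):
    """Return (chain, rule spec) pairs from iptables-save text; skip headers/COMMIT."""
    rules = []
    for line in save_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append({"chain": m.group(1), "spec": m.group(2)})
    return rules


def find_spa_like_rules(save_text):
    """Flag rules that load a suspicious match module (-m recent / -m string)."""
    findings = []
    for rule in parse_rules(save_text):
        modules = set(re.findall(r"-m\s+(\S+)", rule["spec"]))
        hit = modules & SUSPICIOUS_MODULES
        if hit:
            findings.append({"chain": rule["chain"],
                             "modules": sorted(hit),
                             "spec": rule["spec"]})
    return findings


def gated_names(save_text):
    """Names of `recent` lists that are both set by one rule and checked by another.

    A name that appears with --set in one rule and --rcheck/--update in another is
    the signature of a knock or SPA gate rather than plain rate limiting.
    """
    set_names, check_names = set(), set()
    for f in find_spa_like_rules(save_text):
        if "recent" not in f["modules"]:
            continue
        names = re.findall(r"--name\s+(\S+)", f["spec"])
        if re.search(r"--set(?:\s|$)", f["spec"]):
            set_names.update(names)
        if re.search(r"--(?:rcheck|update)(?:\s|$)", f["spec"]):
            check_names.update(names)
    return set_names & check_names


if __name__ == "__main__":
    for f in find_spa_like_rules(SAMPLE_IPTABLES_SAVE):
        print(f"[{f['chain']}] modules={f['modules']}: {f['spec']}")
    print("gated recent-lists:", sorted(gated_names(SAMPLE_IPTABLES_SAVE)))
```

On a live host the input would be the output of `iptables-save` (and `ip6tables-save`); a hit is a lead to investigate, not proof of compromise, since legitimate rate-limiting also uses `-m recent`. The pairing in `gated_names` is what separates gating from rate limiting.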
Timeline
Feb 18, 2026
CISA orders U.S. federal agencies to patch Dell bug
After confirming exploitation, CISA ordered U.S. federal civilian agencies to remediate CVE-2026-22769 by Saturday. The directive highlighted the urgency because RecoverPoint for Virtual Machines operates with elevated privileges and deep access to virtualized infrastructure.
Feb 18, 2026
Canadian Centre for Cyber Security urges patching
The Canadian Centre for Cyber Security issued advisory AV26-138 referencing Dell's February 17 security update and warning that CVE-2026-22769 was being actively exploited in the wild. It urged administrators to review Dell's advisory and apply the necessary updates.
Feb 18, 2026
Detection guidance and IOCs for the campaign are released
Public reporting on the campaign included indicators of compromise, YARA rules, file paths, hashes, and other technical details to help defenders identify BRICKSTORM and GRIMBOLT activity. Researchers warned that prior BRICKSTORM victims should also hunt for the newer GRIMBOLT backdoor.
Feb 18, 2026
Mandiant and GTIG publish attribution and technical findings
Google Threat Intelligence Group and Mandiant publicly reported that UNC6201 had exploited the Dell zero-day since mid-2024 and linked the activity to broader PRC-nexus operations with overlap to UNC5221. Their reporting detailed malware used in the campaign, persistence methods, and VMware-focused tradecraft including Ghost NICs.
Feb 17, 2026
CVE-2026-22769 is publicly cataloged as a critical flaw
Public vulnerability records described CVE-2026-22769 as a CVSS 10.0 hardcoded credential issue affecting Dell RecoverPoint for Virtual Machines versions prior to 6.0.3.1 HF1. The record noted that unauthenticated attackers who know the credential could gain OS access and establish root persistence.
Feb 17, 2026
Dell discloses and patches CVE-2026-22769
Dell published advisory DSA-2026-079 for CVE-2026-22769, a critical hardcoded-credential vulnerability in RecoverPoint for Virtual Machines, and released fixed versions including 6.0.3.1 HF1. Dell said the issue had seen limited active exploitation and urged customers to upgrade or apply mitigations immediately.
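A small inventory check against the fixed version named above. This is an added example, not Dell tooling: it parses RP4VM-style version strings, including the `HF<n>` hotfix suffix, so that `6.0.3.1` sorts below `6.0.3.1 HF1`, and reports which inventory entries fall below the fix. The inventory records are constructed, and the assumption that every later base version or hotfix number includes the fix should be confirmed against Dell's advisory DSA-2026-079 before relying on the result.

```python
import re

# Fixed version as stated in the advisory summary above.
FIXED_VERSION = "6.0.3.1 HF1"

# Accepts "6.0.3.1", "6.0.3.1 HF1", "6.0.3.1HF2", case-insensitive "hf".
VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text):
    """Return ((major, minor, patch, build), hotfix) for ordered comparison.

    The numeric part is padded to four components so "6.0.3" compares as 6.0.3.0,
    and a missing hotfix suffix counts as hotfix 0 (below HF1).
    """
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums = nums + (0,) * max(0, 4 - len(nums))
    hotfix = int(m.group(2)) if m.group(2) else 0
    return nums, hotfix


def is_affected(installed, fixed=FIXED_VERSION):
    """True when the installed version is strictly older than the fixed version."""
    return parse_version(installed) < parse_version(fixed)


def audit_inventory(records, fixed=FIXED_VERSION):
    """Return hostnames whose recorded version is below the fix.

    `records` is an iterable of (hostname, version_string); unparseable versions are
    reported too, since an unknown version cannot be declared safe.
    """
    flagged = []
    for host, version in records:
        try:
            if is_affected(version, fixed):
                flagged.append((host, version, "affected"))
        except ValueError:
            flagged.append((host, version, "unparseable"))
    return flagged


# Constructed inventory, not real hosts.
SAMPLE_INVENTORY = [
    ("rp4vm-a", "6.0.3.1"),        # same base version, no hotfix -> affected
    ("rp4vm-b", "6.0.3.1 HF1"),    # the fixed version itself
    ("rp4vm-c", "6.0.2"),          # older base version
    ("rp4vm-d", "6.0.3.1 hf2"),    # later hotfix, assumed to include the fix
    ("rp4vm-e", "n/a"),            # unknown -> cannot be cleared
]

if __name__ == "__main__":
    for host, version, reason in audit_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {version} ({reason})")
```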
Sep 1, 2025
UNC6201 replaces BRICKSTORM with GRIMBOLT
By September 2025, investigators observed UNC6201 replacing older BRICKSTORM implants with a newer C# backdoor called GRIMBOLT. GRIMBOLT reused some BRICKSTORM command-and-control infrastructure while aiming to be harder to detect and reverse engineer.
Jun 15, 2024
Attackers use SLAYSTYLE and BRICKSTORM after initial compromise
Following exploitation, UNC6201 used Tomcat Manager access to upload a malicious WAR file containing the SLAYSTYLE web shell and deployed BRICKSTORM to maintain access in victim environments. The campaign also involved persistence changes to legitimate boot-time scripts and stealthy VMware pivoting techniques such as temporary “Ghost NICs”.
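A hunting query over Tomcat access logs for the WAR-upload step described above. This is an added example and not part of the original reporting: it reads lines in Tomcat's default `common` access-log pattern (`%h %l %u %t "%r" %s %b`) and surfaces successful deployments through the Manager application, namely `PUT /manager/text/deploy` and `POST /manager/html/upload`, which are the two stock deployment endpoints of the Tomcat Manager. The log lines are constructed; the endpoint list and the assumption that routine operations never deploy through the Manager on a backup appliance are assumptions to confirm for a given environment.

```python
import re
from collections import Counter

# Constructed Tomcat access-log lines (common pattern); not from any real incident.
SAMPLE_ACCESS_LOG = """\
10.1.2.3 - - [15/Jun/2024:03:11:02 +0000] "GET /manager/text/list HTTP/1.1" 200 213
10.1.2.3 - - [15/Jun/2024:03:12:44 +0000] "PUT /manager/text/deploy?path=/svc&update=true HTTP/1.1" 200 71
10.1.2.3 - - [15/Jun/2024:03:12:50 +0000] "GET /svc/ HTTP/1.1" 200 512
10.9.9.9 - - [15/Jun/2024:09:00:00 +0000] "GET /manager/html HTTP/1.1" 401 0
10.9.9.9 - - [15/Jun/2024:09:00:20 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=abc HTTP/1.1" 200 1200
10.4.4.4 - admin [15/Jun/2024:10:00:00 +0000] "GET /app/ HTTP/1.1" 200 33
"""

# Stock Tomcat Manager deployment endpoints: the text interface takes the WAR as a
# PUT body at /manager/text/deploy; the HTML interface takes a multipart POST.
DEPLOY_ENDPOINTS = (("PUT", "/manager/text/deploy"), ("POST", "/manager/html/upload"))

# %h %l %u %t "%r" %s %b  -> host, ident, user, time, "method target proto", status, bytes
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)')


def find_manager_deploys(log_text, only_successful=True):
    """Return one event per Manager deployment request seen in the log.

    For the text interface the target context path is taken from the `path=`
    query parameter; the HTML upload names the context by the WAR filename in
    the request body, which an access log does not record, so it is None.
    """
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        source, user, timestamp, method, target, status, _size = m.groups()
        path, _, query = target.partition("?")
        if (method, path) not in DEPLOY_ENDPOINTS:
            continue
        if only_successful and status != "200":
            continue
        ctx = re.search(r"(?:^|&)path=([^&]*)", query)
        events.append({
            "source": source,
            "user": user,
            "time": timestamp,
            "method": method,
            "endpoint": path,
            "context": ctx.group(1) if ctx else None,
            "status": status,
        })
    return events


def deploys_per_source(events):
    """Count deployment events by source address for quick triage."""
    return Counter(e["source"] for e in events)


if __name__ == "__main__":
    found = find_manager_deploys(SAMPLE_ACCESS_LOG)
    for e in found:
        print(f"{e['time']} {e['source']} {e['method']} {e['endpoint']} context={e['context']}")
    print(dict(deploys_per_source(found)))
```

A deployment event is worth correlating with the new context's first requests (the `GET /svc/` line here) and with the list of WAR files actually present under the Tomcat `webapps` directory; a context that was deployed but has no change-ticket is the item to investigate.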
Jun 15, 2024
UNC6201 begins exploiting Dell RecoverPoint zero-day
Mandiant and Google assessed that the China-linked cluster UNC6201 had been exploiting the Dell RecoverPoint for Virtual Machines flaw later assigned CVE-2026-22769 as a zero-day since at least mid-2024. The bug allowed unauthenticated access via a hardcoded credential and enabled root-level persistence on affected appliances.
UNC6201 Exploits Dell RecoverPoint for Virtual Machines Zero-Day via Hardcoded Credential
**Mandiant/Google Threat Intelligence Group (GTIG)** reported active exploitation of a **Dell RecoverPoint for Virtual Machines (RP4VM)** zero-day, **CVE-2026-22769** (rated **CVSS 10.0**), attributed to suspected PRC-nexus activity tracked as **UNC6201**. The flaw is described as a **hardcoded credential** condition that can enable **unauthenticated remote access**, **OS-level control**, and **root-level persistence**, with follow-on activity aimed at persistence and lateral movement into **VMware** environments. Reporting also indicates the vulnerability was flagged for heightened defender attention via **CISA’s Known Exploited Vulnerabilities (KEV)** signaling referenced through NVD enrichment. The incident underscores elevated risk when adversaries compromise **backup and recovery infrastructure**, which can undermine restore integrity and expand blast radius into virtualization management planes. Public reporting tied to the same activity highlights associated tooling/malware families including **BRICKSTORM** and **GRIMBOLT** (and related mentions of **SLAYSTYLE**) in post-compromise operations, while noting that the **initial access vector was not definitively confirmed** beyond observed exploitation activity involving RP4VM. A separate malware-news roundup amplified the same UNC6201/RP4VM zero-day reporting, but did not add primary technical detail beyond pointing back to the underlying research.
Active Exploitation of Ivanti EPMM Zero-Day RCE Vulnerabilities
**Ivanti Endpoint Manager Mobile (EPMM)** is being actively exploited via two critical, unauthenticated remote code execution vulnerabilities, **CVE-2026-1281** and **CVE-2026-1340** (both reported as CVSS 9.8). Reporting describes attackers achieving full control of exposed EPMM/MDM infrastructure, including establishing reverse shells, deploying web shells, performing reconnaissance, and downloading additional malware; activity has been observed across multiple countries and sectors (including government, healthcare, manufacturing, and technology). **CISA added CVE-2026-1281 to the Known Exploited Vulnerabilities (KEV) Catalog**, and defenders are urged to apply Ivanti’s available fixes/updates per the vendor advisory. Telemetry and threat-intel observations indicate broad internet exposure and automation in exploitation. Unit 42 reported visibility into **4,400+** EPMM instances, and noted threat actors shifting from initial exploitation toward **dormant backdoors** intended to preserve access even after patching. GreyNoise data highlighted that a large share of observed exploitation traffic (reported as **83%**) originated from a single IP, `193.24.123.42`, associated with “bulletproof” hosting, with attackers rotating user-agent strings consistent with mass scanning/exploitation; the same infrastructure was also linked to attempts against other products (e.g., Oracle WebLogic, `telnetd`, and GLPI).
Active Exploitation of Critical Infrastructure Management RCE Flaws
Multiple maximum-severity vulnerabilities in enterprise infrastructure management products are being **actively exploited**, enabling unauthenticated remote code execution as `root` and creating high-impact initial access paths into data center and security operations environments. Reported exploitation includes mass, automated scanning and rapid weaponization following public disclosure and PoC availability, increasing the likelihood of opportunistic compromise, follow-on payload delivery, and lateral movement in affected networks. Fortinet *FortiSIEM* is reported as under active attack via **CVE-2024-23108**, an unauthenticated command-injection issue in the `phMonitor` component (noted as listening on TCP `8014`) that can yield full system compromise. Separately, Cisco *Secure Email Gateway* / *Secure Email and Web Manager* is reported as exploited via **CVE-2024-20353** (CVSS 10.0), with activity attributed to China-linked **UAT-9686** leveraging the Spam Quarantine interface to gain root execution and deploy custom malware for persistence and evasion. In parallel, Check Point-linked reporting describes **RondoDox** botnet-driven exploitation of HPE *OneView* **CVE-2025-37164** at scale (tens of thousands of attempts observed), consistent with an “exploit-shotgun” approach used to build botnets for DDoS, cryptomining, and secondary payload delivery; the surge coincided with the flaw’s addition to CISA’s known-exploited list.