UNC6201 Exploits Dell RecoverPoint for Virtual Machines Zero-Day via Hardcoded Credential
Mandiant/Google Threat Intelligence Group (GTIG) reported active exploitation of a Dell RecoverPoint for Virtual Machines (RP4VM) zero-day, CVE-2026-22769 (rated CVSS 10.0), attributed to suspected PRC-nexus activity tracked as UNC6201. The flaw is described as a hardcoded credential condition that can enable unauthenticated remote access, OS-level control, and root-level persistence, with follow-on activity aimed at persistence and lateral movement into VMware environments. Reporting also indicates the vulnerability was flagged for heightened defender attention via CISA’s Known Exploited Vulnerabilities (KEV) signaling referenced through NVD enrichment.
The incident underscores elevated risk when adversaries compromise backup and recovery infrastructure, which can undermine restore integrity and expand blast radius into virtualization management planes. Public reporting tied to the same activity highlights associated tooling/malware families including BRICKSTORM and GRIMBOLT (and related mentions of SLAYSTYLE) in post-compromise operations, while noting that the initial access vector was not definitively confirmed beyond observed exploitation activity involving RP4VM. A separate malware-news roundup amplified the same UNC6201/RP4VM zero-day reporting, but did not add primary technical detail beyond pointing back to the underlying research.
Timeline
Feb 24, 2026
Dell publishes remediation guidance for affected RP4VM versions
Dell identified affected RecoverPoint for Virtual Machines versions and advised customers to upgrade to 6.0.3.1 HF1 and/or apply a remediation script. The company rated the hardcoded-credential flaw Critical with a CVSS score of 10.0 because it could enable unauthenticated remote access and root-level persistence.
Feb 24, 2026
CISA/NVD flag CVE-2026-22769 as actively exploited
The NVD record for CVE-2026-22769 was reported to reference a CISA Known Exploited Vulnerabilities catalog entry through CISA-ADP enrichment, signaling active exploitation concerns. This marked the Dell RecoverPoint RP4VM flaw as an exploited vulnerability requiring urgent attention.
Feb 24, 2026
UNC6201 exploits Dell RecoverPoint RP4VM zero-day in intrusions
Mandiant and Google Threat Intelligence Group reported that suspected PRC-linked cluster UNC6201 exploited a Dell RecoverPoint for Virtual Machines zero-day, CVE-2026-22769, during operations. The activity included persistence, lateral movement into VMware environments, and use of malware families including SLAYSTYLE, BRICKSTORM, and GRIMBOLT.
Feb 22, 2026
Security Affairs roundup highlights Dell RP4VM zero-day exploitation
Security Affairs included reporting on the UNC6201 exploitation of the Dell RecoverPoint for Virtual Machines zero-day in its Malware Newsletter Round 85. The mention reflected broader public dissemination of the incident within malware and threat-intelligence coverage.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Threat Actors
Malware
Affected Products
Sources
Related Stories
UNC6201 Zero-Day Exploitation of Dell RecoverPoint for Virtual Machines (CVE-2026-22769)
Mandiant and Google Threat Intelligence Group reported **active zero-day exploitation** of a maximum-severity Dell RecoverPoint for Virtual Machines vulnerability, **CVE-2026-22769** (CVSS 10.0), attributed to **UNC6201**, a suspected PRC-nexus threat cluster. The flaw is described as a **hardcoded-credential issue** affecting versions prior to `6.0.3.1 HF1`, enabling unauthenticated attackers with knowledge of the credential to gain unauthorized access to the underlying OS and establish **root-level persistence**; exploitation has been observed since at least mid-2024. Dell has released remediations and urged customers to upgrade/apply fixes per its security advisory. Post-compromise activity observed in incident response engagements included lateral movement, persistence, and malware deployment, including **SLAYSTYLE**, **BRICKSTORM**, and a newly identified backdoor, **GRIMBOLT**. GRIMBOLT (C# with native ahead-of-time compilation) was observed replacing older BRICKSTORM binaries around September 2025 and is intended to complicate static analysis and improve performance on constrained appliances. The actor also demonstrated techniques to pivot into VMware environments, including creating **“Ghost NICs”** on VMware ESXi for stealthy network movement and using `iptables` for **Single Packet Authorization (SPA)**; initial access was not definitively confirmed, though the actor is known to target edge appliances (e.g., VPN concentrators) for entry.
1 months ago
Dell PowerProtect Data Domain Flaws Expose Systems to Unauthorized Access and Root RCE
Dell disclosed two high-severity vulnerabilities in **PowerProtect Data Domain** appliances running multiple **DD OS** releases, including a weak-credentials flaw tracked as `CVE-2026-23853` and a missing-authentication issue tracked as `CVE-2026-26944`. The weak-credentials vulnerability affects Feature Release versions **7.7.1.0 through 8.5**, **LTS2025 8.3.1.0 through 8.3.1.20**, and **LTS2024 7.13.1.0 through 7.13.1.50**, and could allow an unauthenticated attacker with local access to gain unauthorized access to the system. The issue is classified as **CWE-1391** and carries a **CVSS v3.1** score vector of `AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`. Dell also reported `CVE-2026-26944`, a **missing authentication for critical function** flaw classified as **CWE-306**, which could allow an unauthenticated remote attacker to execute arbitrary commands with **root privileges** if an authenticated user performs a specific action. That vulnerability is rated with the **CVSS v3.1** vector `AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H`. Both issues were referenced in Dell security guidance, including advisory **`DSA-2026-060`**, and affect backup infrastructure that may be critical to recovery operations, making remediation and version review a priority for defenders.
1 weeks ago
Active Exploitation of Ivanti EPMM Zero-Day RCE Vulnerabilities
**Ivanti Endpoint Manager Mobile (EPMM)** is being actively exploited via two critical, unauthenticated remote code execution vulnerabilities, **CVE-2026-1281** and **CVE-2026-1340** (both reported as CVSS 9.8). Reporting describes attackers achieving full control of exposed EPMM/MDM infrastructure, including establishing reverse shells, deploying web shells, performing reconnaissance, and downloading additional malware; activity has been observed across multiple countries and sectors (including government, healthcare, manufacturing, and technology). **CISA added CVE-2026-1281 to the Known Exploited Vulnerabilities (KEV) Catalog**, and defenders are urged to apply Ivanti’s available fixes/updates per the vendor advisory. Telemetry and threat-intel observations indicate broad internet exposure and automation in exploitation. Unit 42 reported visibility into **4,400+** EPMM instances, and noted threat actors shifting from initial exploitation toward **dormant backdoors** intended to preserve access even after patching. GreyNoise data highlighted that a large share of observed exploitation traffic (reported as **83%**) originated from a single IP, `193.24.123.42`, associated with “bulletproof” hosting, with attackers rotating user-agent strings consistent with mass scanning/exploitation; the same infrastructure was also linked to attempts against other products (e.g., Oracle WebLogic, `telnetd`, and GLPI).
1 months ago