A serious zero-day vulnerability affecting Dell’s RecoverPoint for Virtual Machines has been actively exploited since mid-2024 by suspected Chinese hackers. This vulnerability, identified as CVE-2026-22769, has been rated with the highest possible CVSSv3.1 score of 10.0, indicating its critical nature.
Exploitation by UNC6201 Threat Group
Cybersecurity experts from Mandiant and Google’s Threat Intelligence Group attribute these attacks to the UNC6201 threat cluster, which is believed to have ties to China. This group is known for its overlap with Silk Typhoon, another notorious hacking group. The attackers have used this Dell vulnerability to infiltrate networks, maintain access, and deploy various malware types, including SLAYSTYLE, BRICKSTORM, and a new backdoor named GRIMBOLT.
Although the initial method of access remains unknown, UNC6201 has a history of targeting network edge devices like VPN concentrators to gain entry. This tactic allows them to establish a foothold in targeted environments.
Technical Details of the Vulnerability
The root of this vulnerability lies in the configuration shipped with Dell RecoverPoint, specifically the Apache Tomcat Manager application, which contains hardcoded administrator credentials. These credentials, stored in the /home/kos/tomcat9/tomcat-users.xml file, let remote attackers reach the system without any legitimate authentication. Once inside, attackers can use the /manager/text/deploy endpoint to upload malicious files, including the SLAYSTYLE web shell, which provides root-level command execution.
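As an added defender-side check (not code from the original article or from Dell), the following Python audits a tomcat-users.xml file for accounts holding Manager deploy roles and scans Tomcat access-log lines for requests to the /manager/text/deploy endpoint described above; the XML content, log lines, IP addresses and account names are constructed placeholders, and only the file path comes from the article.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a tomcat-users.xml (as found at /home/kos/tomcat9/tomcat-users.xml).
# The user name, password and roles are placeholders, not Dell's actual values.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-script"/>
  <role rolename="manager-gui"/>
  <user username="PLACEHOLDER_ADMIN" password="PLACEHOLDER_SECRET"
        roles="manager-script,manager-gui"/>
  <user username="monitor" password="PLACEHOLDER_RO" roles="manager-status"/>
</tomcat-users>
"""

# Manager roles that permit deploying web applications, i.e. code execution on the host.
DEPLOY_ROLES = {"manager-gui", "manager-script", "manager-jmx"}

def users_with_deploy_roles(xml_text):
    """Return usernames whose roles allow deploying applications via the Manager."""
    root = ET.fromstring(xml_text)
    flagged = []
    for elem in root.iter():
        # Strip the XML namespace so the tag compares as plain "user".
        if elem.tag.split("}")[-1] != "user":
            continue
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        if roles & DEPLOY_ROLES:
            flagged.append(elem.get("username"))
    return flagged

# Constructed Tomcat access-log lines in the common log format.
SAMPLE_ACCESS_LOG = """\
198.51.100.7 - PLACEHOLDER_ADMIN [12/Jun/2024:03:14:07 +0000] "PUT /manager/text/deploy?path=/x&update=true HTTP/1.1" 200 46
192.0.2.10 - - [12/Jun/2024:03:15:00 +0000] "GET /manager/html HTTP/1.1" 401 0
10.0.0.5 - - [12/Jun/2024:03:16:22 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')

def deploy_requests(log_text):
    """Return (client_ip, user, method) for every request to the Manager deploy endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("path").startswith("/manager/text/deploy"):
            hits.append((m.group("ip"), m.group("user"), m.group("method")))
    return hits
```

Any account returned by the first check, and any hit returned by the second from an address that is not a known administration host, warrants investigation of the Tomcat webapps directory for unexpected deployments.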
Over the course of the campaign the attackers moved from BRICKSTORM to GRIMBOLT, a more advanced backdoor. GRIMBOLT is written in C#, but unlike typical .NET malware it is compiled with Native Ahead-of-Time (AOT) compilation into a standalone native binary, which enhances its stealth and efficiency in constrained environments.
Mitigation and Future Implications
Dell has issued urgent guidance for customers using affected versions of RecoverPoint. Users are advised to upgrade to secure versions or apply the provided remediation scripts to mitigate the risk. The affected versions include RecoverPoint for Virtual Machines 5.3 SP4 P1 and 6.0 through 6.0 SP3 P1.
Beyond immediate mitigation, this incident underscores the need for robust security practices to defend against sophisticated adversaries. As attackers continually evolve their techniques, organizations must remain vigilant and proactive in their cybersecurity efforts.
