A critical security flaw in Dell’s RecoverPoint for Virtual Machines has been actively exploited by a cyberespionage group with ties to China, according to a joint report from Google’s Threat Intelligence Group (GTIG) and Mandiant. The vulnerability, identified as CVE-2026-22769, has been targeted since at least mid-2024 and poses significant risks to data protection and disaster recovery solutions.
Details of the Exploitation
GTIG and Mandiant have linked the exploitation of this vulnerability to a threat actor known as UNC6201. This group has utilized the flaw to facilitate lateral movement, establish persistence, and deploy malware within compromised systems. Dell’s RecoverPoint for Virtual Machines, an integral part of the company’s data protection suite, is designed to provide resilience and disaster recovery for VMware virtual machines.
Dell has issued an advisory addressing CVE-2026-22769, describing it as a hardcoded credential vulnerability affecting RecoverPoint versions prior to 6.0.3.1 HF1. Users are urged to update to the latest version to mitigate the risk of unauthorized access and root-level persistence by remote attackers.
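As an added example that is not part of the article or of Dell's advisory, the following Python script shows how a defender might sweep an asset inventory for RecoverPoint for Virtual Machines instances still below the fixed release the advisory names (6.0.3.1 HF1). The inventory rows are constructed for the example, and the version-string format (dotted numeric release, optional "HF<n>" hotfix suffix) is an assumption about how such versions are recorded, not something the advisory specifies; a release with no HF suffix is treated as earlier than the same release with HF1.

```python
"""Flag RecoverPoint for VMs instances below the fixed version from Dell's advisory.

Added example; assumes versions are recorded as "<a>.<b>.<c>.<d>" with an
optional "HF<n>" hotfix suffix (e.g. "6.0.3.1 HF1"). Inventory data is constructed.
"""
import re

# Fixed version as stated in Dell's advisory for CVE-2026-22769.
FIXED_VERSION = "6.0.3.1 HF1"

# Dotted numeric release, optional whitespace, optional "HF<n>" hotfix marker.
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text):
    """Turn "6.0.3.1 HF1" into a comparable tuple (6, 0, 3, 1, 1).

    The hotfix number is the last element so that "6.0.3.1" (hotfix 0)
    sorts before "6.0.3.1 HF1", matching the advisory's "prior to" wording.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    if len(nums) < 4:
        # Pad short releases so "6.0.3" compares like "6.0.3.0".
        nums = nums + (0,) * (4 - len(nums))
    hotfix = int(m.group(2)) if m.group(2) else 0
    return nums + (hotfix,)


def is_vulnerable(version):
    """True when the installed version is strictly older than FIXED_VERSION."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def find_vulnerable(inventory):
    """Return hostnames whose recorded version is below the fixed release.

    `inventory` is an iterable of (hostname, version_string) pairs, e.g. from
    a CMDB export. Unparseable versions are reported rather than skipped.
    """
    flagged = []
    for host, version in inventory:
        try:
            if is_vulnerable(version):
                flagged.append(host)
        except ValueError:
            flagged.append(f"{host} (unparseable version {version!r}, verify manually)")
    return flagged


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("rp-cluster-a", "5.3.2"),
    ("rp-cluster-b", "6.0.3.1"),
    ("rp-cluster-c", "6.0.3.1 HF1"),
    ("rp-cluster-d", "6.0.4"),
]

if __name__ == "__main__":
    for host in find_vulnerable(SAMPLE_INVENTORY):
        print(f"{host}: below {FIXED_VERSION}, apply the Dell update for CVE-2026-22769")
```

On the sample inventory the script flags `rp-cluster-a` and `rp-cluster-b`; the cluster already on 6.0.3.1 HF1 and the later 6.0.4 release are left alone. Because the flaw is a hardcoded credential, a version sweep only tells you which appliances still accept that credential; hosts that were exposed before patching still warrant a review against the IoCs the report publishes.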
Emergence of UNC6201 and Their Tools
This marks the first public identification of UNC6201, although Google notes its connections to another China-linked advanced persistent threat (APT) group, UNC5221. The latter is notorious for its prolonged network intrusions aimed at gathering sensitive information. Previously, UNC5221 employed the BrickStorm malware, which has been reportedly replaced by a new malware variant called GrimBolt in September 2025.
GrimBolt is a sophisticated backdoor, developed in C# and utilizing native ahead-of-time compilation and UPX packing to hinder analysis. This malware grants attackers remote shell access, further complicating detection and remediation efforts.
Technical Insights and Industry Response
Both GrimBolt and its predecessor, BrickStorm, have been deployed on systems running Dell’s RecoverPoint. Although the initial access point remains unconfirmed, edge appliances are suspected to be a potential vector. Additionally, attackers have used a web shell named SlayStyle in these operations.
In an effort to evade detection, UNC6201 has employed tactics such as creating and later removing ‘ghost NICs’ on virtual machines. This stealthy approach complicates forensic investigations and prolongs the dwell time of intrusions. Mandiant’s CTO, Charles Carmakal, highlighted the challenges faced by organizations lacking endpoint detection and response (EDR) capabilities, which can lead to extended exposure to such threats.
GTIG and Mandiant have released indicators of compromise (IoCs) to aid cybersecurity professionals in identifying and mitigating these attacks. This development underscores the ongoing need for vigilance and advanced security measures in the face of evolving cyber threats.
