Dell RecoverPoint VMs Zero-Day CVE-2026-22769 Exploited Since Mid-2024


China-nexus threat group UNC6201 has exploited CVE-2026-22769 in Dell RecoverPoint for Virtual Machines since mid-2024. The CVSS 10.0 flaw is a hardcoded credential that grants root access to the backup appliance. Google Mandiant discovered the active intrusions during incident response engagements.

The vulnerability affects versions before 6.0.3.1 HF1. Attackers use the hardcoded credential to authenticate as “admin” to the Apache Tomcat Manager application, upload the SLAYSTYLE webshell through “/manager/text/deploy”, and then drop the BRICKSTORM and GRIMBOLT backdoors for persistent root access.

Fewer than a dozen North American organizations have been confirmed hit so far. UNC6201 is likely still active in unpatched systems, and its long dwell times enable espionage. CISA has added the CVE to its KEV catalog, requiring federal agencies to patch by Feb 21.

RecoverPoint Classic is unaffected. Dell mandates deploying RecoverPoint for VMs on an internal network behind firewalls; public exposure of the appliance is unintended.

Mandiant’s Rich Reece warns that organizations targeted by BRICKSTORM should also hunt for GRIMBOLT. New IOCs and YARA rules have been published. The actor upgraded to a harder-to-reverse AOT-compiled C# backdoor in September 2025.

Affected Versions

Multiple RecoverPoint for VMs releases are vulnerable.

Version Range          Remediation Path
5.3 SP4 P1             Migrate to 6.0 SP3 → 6.0.3.1 HF1
6.0 – 6.0 SP3 P1       Direct upgrade to 6.0.3.1 HF1
5.3 SP4 & earlier      5.3 SP4 P1 or 6.x + HF1

Attack Chain Breakdown

  1. Hardcoded admin credential authenticates to Tomcat Manager
  2. SLAYSTYLE webshell deploys via /manager/text/deploy
  3. Root command execution drops BRICKSTORM/GRIMBOLT
  4. Ghost NICs pivot to internal networks/SaaS
  5. Iptables rules redirect approved port 443 traffic to 10443, proxying it for 300 seconds

Ghost NIC technique: temporary virtual interfaces that are deleted once the pivot is done, which evades network forensics.

Iptables rules:

  • Monitor port 443 for a hex trigger
  • Whitelist the approved source IPs
  • Redirect approved 443 traffic to 10443

Malware Evolution

Backdoor     Compilation     Evasion               C2 Continuity
BRICKSTORM   Standard C#     Basic blending        Shared infrastructure
GRIMBOLT     Native AOT C#   Native file mimicry   Same C2 servers

GRIMBOLT resists reverse engineering and blends in with legitimate system files.

Threat Actor Context

UNC6201 overlaps with UNC5221 in tactics but runs distinct operations.

Shared TTPs:

  • Virtualization appliance targeting
  • Ivanti zero-day exploitation
  • Web shells: BEEFLUSH, ZIPLINE
  • Edge device footholds

CrowdStrike attributes BRICKSTORM to the group it tracks as Warp Panda, which has hit U.S. targets.

Mandiant’s Charles Carmakal: “Actors target EDR-less appliances for long dwell times.”

Dragos reports that Voltzite (Volt Typhoon) hit Sierra Wireless AirLink gateways in July 2025.

  • Initial access via Sylvanite vuln weaponization
  • Pivot to engineering workstations
  • Config/alarm data dumping
  • Process manipulation testing

Cellular gateways bypass OT security controls.

CISA Action

CVE-2026-22769 was added to the KEV catalog on Feb 18. FCEB agencies must patch by Feb 21.

Detection Rules

Mandiant has published IOCs and YARA rules for hunting.

Key Indicators:

  • SLAYSTYLE webshell in Tomcat /manager
  • GRIMBOLT C# AOT binary artifacts
  • Ghost NIC creation/deletion events
  • Iptables 443→10443 redirects
  • RecoverPoint Tomcat auth anomalies
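As an added example (not Mandiant’s published rules or Dell’s tooling), the following Python script hunts for three of the indicators above over constructed sample data: Tomcat Manager access from outside a trusted network, a deploy through /manager/text/deploy followed by requests into the newly deployed context (where a webshell such as SLAYSTYLE would live), and a source-scoped iptables REDIRECT of port 443 to 10443. The Tomcat access-log format, the sample addresses, and the trusted-network and baseline-port parameters are assumptions for illustration.

```python
"""Hunt for CVE-2026-22769 post-exploitation artefacts on a RecoverPoint for VMs appliance.

Added example, not Mandiant's or Dell's tooling. Assumes Tomcat's default
AccessLogValve format and an `iptables-save` dump of the nat table; the log
lines and rules below are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed Tomcat access log. 203.0.113.7 authenticates as "admin",
# lists and deploys through the Manager text interface, then calls a JSP
# inside the context it just deployed; 10.0.5.22 is benign internal traffic.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - admin [12/Feb/2026:03:14:07 +0000] "GET /manager/text/list HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - admin [12/Feb/2026:03:14:09 +0000] "PUT /manager/text/deploy?path=/update&update=true HTTP/1.1" 200 64 "-" "python-requests/2.31"
203.0.113.7 - - [12/Feb/2026:03:15:02 +0000] "POST /update/cmd.jsp HTTP/1.1" 200 2210 "-" "curl/8.4.0"
10.0.5.22 - - [12/Feb/2026:03:20:41 +0000] "GET /ui/index.html HTTP/1.1" 200 9182 "-" "Mozilla/5.0"
"""

# Constructed iptables-save excerpt. The first rule is the source-scoped
# 443 -> 10443 redirect described in the article; the 80 -> 8080 rule stands
# in for the kind of baseline redirect an appliance may legitimately carry.
SAMPLE_IPTABLES = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -s 203.0.113.7/32 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 10443
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
"""

ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
REDIRECT_RE = re.compile(
    r'^-A (?P<chain>\S+)(?: -s (?P<src>\S+))?.*?--dport (?P<dport>\d+) '
    r'-j REDIRECT --to-ports (?P<to>\d+)'
)


@dataclass(frozen=True)
class Finding:
    kind: str
    source: str
    detail: str


def parse_access_log(text):
    """Return one dict per parseable access-log line."""
    return [m.groupdict() for m in map(ACCESS_RE.match, text.splitlines()) if m]


def _is_trusted(src, nets):
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:  # hostname or "-": treat as untrusted
        return False
    return any(ip in n for n in nets)


def find_manager_activity(entries, trusted_nets=()):
    """Flag Tomcat Manager use from outside trusted networks, and any later
    request into a context that a flagged deploy created."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    deployed = set()
    findings = []
    for e in entries:
        path, _, query = e["target"].partition("?")
        if path.startswith("/manager/"):
            if _is_trusted(e["src"], nets):
                continue
            if path == "/manager/text/deploy":
                kind = "tomcat-manager-deploy"
                params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
                if params.get("path"):
                    deployed.add(params["path"])
            else:
                kind = "tomcat-manager-access"
            findings.append(Finding(kind, e["src"], f'{e["method"]} {e["target"]} as {e["user"]}'))
        elif any(path == c or path.startswith(c + "/") for c in deployed):
            findings.append(Finding("deployed-context-request", e["src"], f'{e["method"]} {path}'))
    return findings


def find_port_redirects(iptables_dump, watch_port=443, baseline_targets=()):
    """Flag REDIRECT rules that move watch_port traffic elsewhere, unless the
    rule is unscoped and lands on a port the appliance is known to use."""
    findings = []
    for line in iptables_dump.splitlines():
        m = REDIRECT_RE.match(line)
        if not m or int(m["dport"]) != watch_port:
            continue
        if m["src"] is None and int(m["to"]) in baseline_targets:
            continue
        findings.append(Finding("iptables-443-redirect", m["src"] or "any",
                                f'{m["chain"]}: {watch_port} -> {m["to"]}'))
    return findings


def hunt(access_log, iptables_dump, trusted_nets=("10.0.0.0/8",), baseline_targets=(8443,)):
    """Run both checks and return the combined findings."""
    findings = find_manager_activity(parse_access_log(access_log), trusted_nets)
    findings += find_port_redirects(iptables_dump, 443, baseline_targets)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_ACCESS_LOG, SAMPLE_IPTABLES):
        print(f"[{f.kind}] {f.source}: {f.detail}")
```

Two caveats when running this against a real appliance. Appliances often carry a legitimate, unscoped 443 redirect so that Tomcat can run unprivileged; baseline that target port (the 8443 default above is an assumption) rather than treating every redirect as hostile. And because the article describes the 443→10443 rule as living for only 300 seconds, snapshot iptables-save on a short schedule, or pull it from a disk or memory image, rather than relying on a one-off check.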

Remediation Steps

Immediate:

1. Inventory all RecoverPoint for VMs instances
2. Verify versions against affected list
3. Apply 6.0.3.1 HF1 or remediation script
4. Hunt using Mandiant IOCs/YARA
5. Check Ghost NIC logs

Network Hardening:

  • Firewall all RecoverPoint management ports
  • Segment from VMware/internal networks
  • Disable Tomcat Manager or restrict IPs
  • Deploy EDR to appliances

Enterprise Impact

RecoverPoint for VMs manages VMware backup and recovery, so a root compromise exposes:

  • Data integrity manipulation
  • Backup repository control
  • vSphere environment pivot
  • Ransomware deployment platform

Long-term espionage likely goal given dwell time.

FAQ

What is CVE-2026-22769?

A CVSS 10.0 hardcoded-credential vulnerability in the Tomcat Manager of RecoverPoint for VMs.

Which versions need patches?

All before 6.0.3.1 HF1 across 5.3/6.x branches.

Who exploited it?

China-nexus UNC6201 since mid-2024.

What backdoors deployed?

BRICKSTORM then GRIMBOLT (AOT C#).

CISA deadline for feds?

Feb 21, 2026 per KEV catalog addition.

Pivot technique used?

Ghost NICs (temporary virtual interfaces) deleted post-use.

Still active?

Yes. Per Mandiant, the actor is likely still active in environments that have not been patched or remediated.

Readers help support VPNCentral. We may get a commission if you buy through our links.