A severe security vulnerability in Dell RecoverPoint for Virtual Machines (VMs) has been actively exploited as a zero-day by a suspected China-linked threat group known as UNC6201 since mid-2024, according to findings from Google Mandiant and the Google Threat Intelligence Group (GTIG).
The vulnerability, identified as CVE-2026-22769 with a maximum CVSS score of 10.0, stems from hard-coded credentials in versions prior to 6.0.3.1 HF1. Other Dell products, including RecoverPoint Classic, remain unaffected.
Dell’s advisory emphasizes the criticality of this issue: an unauthenticated attacker aware of the hard-coded credentials could gain unauthorized access to the system, potentially achieving root-level persistence.
Affected Versions and Recommended Actions
- RecoverPoint for Virtual Machines 5.3 SP4 P1 – Migrate to 6.0 SP3 and then update to 6.0.3.1 HF1
- RecoverPoint for Virtual Machines 6.0 to 6.0 SP3 P1 – Upgrade directly to 6.0.3.1 HF1
- Versions 5.3 SP4 and earlier – Upgrade to 5.3 SP4 P1 or a 6.x release and apply remediation
Dell recommends deploying RecoverPoint for VMs only in trusted, access-controlled internal networks, protected by firewalls and network segmentation. The platform is not intended for public networks.
Exploitation Mechanics
According to Google, the hard-coded credential targets the “admin” user of Apache Tomcat Manager. Attackers can authenticate to the Dell RecoverPoint Tomcat Manager, deploy a web shell called SLAYSTYLE through the “/manager/text/deploy” endpoint, and execute root commands to drop the BRICKSTORM backdoor, now upgraded as GRIMBOLT.
Mandiant’s Charles Carmakal explained that GRIMBOLT is a C# backdoor compiled using native ahead-of-time (AOT) compilation, making reverse engineering more challenging. Google reported that North American organizations have been targeted, with GRIMBOLT designed to evade detection and blend seamlessly with native system files.
Threat Actor Connections and Tactics
UNC6201 shares some operational similarities with UNC5221, another China-linked espionage cluster exploiting virtualization and Ivanti zero-day vulnerabilities. Both distribute web shells and malware families like BEEFLUSH, BRICKSTORM, and ZIPLINE. Despite similarities, UNC6201 is considered a separate entity. BRICKSTORM activity has also been linked to Warp Panda in attacks on U.S. organizations.
One unique tactic of UNC6201 involves temporary virtual network interfaces, known as “Ghost NICs,” used to move laterally from compromised VMs into internal or SaaS environments, then deleting the interfaces to hide tracks.
Advanced Infection Techniques
Compromised VMware vCenter appliances reveal attackers using iptable commands via the web shell to:
- Monitor port 443 for a specific HEX string
- Add source IP addresses to an approved list and allow connections on port 10443
- Redirect port 443 traffic to 10443 for five minutes if IP matches approved list
In September 2025, GRIMBOLT replaced older BRICKSTORM binaries. While both malware variants provide remote shell capabilities using the same command-and-control (C2) infrastructure, GRIMBOLT’s stealth features appear superior.
Broader Implications
Carmakal highlighted that nation-state actors continue targeting systems lacking traditional endpoint detection and response (EDR), prolonging intrusion dwell times. This aligns with other Chinese campaigns, such as Volt Typhoon (Voltzite), which targeted Sierra Wireless Airlink gateways in critical infrastructure, pivoting into operational technology (OT) systems for data exfiltration and process manipulation.
Found this article interesting? Follow us on X (Twitter) , Facebook, Blue sky and LinkedIn to read more exclusive content we post.


