Ethical Hacking News
A critical zero-day vulnerability in Dell RecoverPoint for Virtual Machines, tracked as CVE-2026-22769, has been exploited by a suspected China-nexus threat cluster since mid-2024. The flaw affects multiple versions of the software and lets an attacker reach the appliance's underlying operating system and establish root-level persistence. Organizations running the product should patch, check their appliances for signs of compromise, and treat virtualization and backup infrastructure as a priority for monitoring.
Key points:
- Dell RecoverPoint for Virtual Machines has a zero-day vulnerability (CVE-2026-22769) that was exploited by a suspected China-nexus threat cluster.
- The vulnerability affects versions prior to 6.0.3.1 HF1 and can be used to gain unauthorized access to the underlying operating system.
- The attack chain uses a hard-coded admin account for the appliance's Tomcat Manager to deploy a web shell, and temporary virtual NICs to pivot into internal or SaaS environments.
- Dell's advisory recommends upgrading to 6.0.3.1 HF1 or later and applying the remediation for affected versions.
- Nation-state actors keep targeting appliances that cannot run endpoint detection and response agents, which prolongs intrusion dwell time.
The disclosure of a zero-day vulnerability in Dell RecoverPoint for Virtual Machines has drawn wide attention in the security community. According to Google Mandiant and Google Threat Intelligence Group (GTIG), the flaw, tracked as CVE-2026-22769, has been exploited since mid-2024 by a suspected China-nexus threat cluster that Google tracks as UNC6201.
The vulnerability affects Dell RecoverPoint for Virtual Machines versions prior to 6.0.3.1 HF1, as well as certain other Dell products, including RecoverPoint Classic. It is rated severe because an unauthenticated remote attacker can exploit it to gain unauthorized access to the appliance's underlying operating system and establish root-level persistence.
Compromised appliances have been identified at organizations across North America. The actor targeted these edge-facing appliances and then used temporary virtual network interfaces, referred to in the report as "Ghost NICs", to pivot from compromised virtual machines into internal or SaaS environments, deleting the interfaces afterwards to remove the evidence. Because such a NIC exists only for the duration of the pivot, a point-in-time inventory of VM hardware will not show it; the add and remove events in the hypervisor's audit trail are the durable artifact.
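One way to hunt for this pattern is to pair NIC add and remove events for the same VM and report interfaces that lived only briefly. The script below is an added example written for this article; it is not Mandiant's or Dell's tooling. The event schema (one JSON object per line with vm, op, device_key, network and user fields), the sample events, and the VM and user names are all constructed for the example; a real feed would be built from the hypervisor's reconfiguration events.

```python
"""Detect short-lived ("ghost") virtual NICs from vCenter-style reconfiguration
events. Added example for this article; not Mandiant's or Dell's tooling."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
import json

# Constructed sample events. The schema (one JSON object per line with vm, op,
# device_key, network, user) is an assumption made for this example; a real
# feed would be built from vSphere VmReconfiguredEvent deviceChange entries.
SAMPLE_EVENTS = """\
{"time": "2025-03-02T01:12:04Z", "vm": "rp-vrpa-01", "op": "add", "device_key": 4001, "network": "mgmt-internal", "user": "svc-backup"}
{"time": "2025-03-02T01:15:30Z", "vm": "rp-vrpa-01", "op": "remove", "device_key": 4001, "network": "mgmt-internal", "user": "svc-backup"}
{"time": "2025-03-02T03:40:00Z", "vm": "build-agent-7", "op": "add", "device_key": 4000, "network": "ci-net", "user": "administrator@vsphere.local"}
{"time": "2025-03-05T09:00:00Z", "vm": "rp-vrpa-01", "op": "add", "device_key": 4002, "network": "saas-egress", "user": "svc-backup"}
{"time": "2025-03-05T09:58:12Z", "vm": "rp-vrpa-01", "op": "remove", "device_key": 4002, "network": "saas-egress", "user": "svc-backup"}
"""


@dataclass
class GhostNic:
    vm: str
    device_key: int
    network: str
    user: str
    added: datetime
    removed: datetime

    @property
    def lifetime(self) -> timedelta:
        return self.removed - self.added


def load_events(text: str) -> list[dict]:
    """Parse JSON lines and return them in time order (exports are often unordered)."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for event in events:
        event["time"] = datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["time"])


def find_ghost_nics(text: str, max_lifetime_seconds: int = 86400) -> list[GhostNic]:
    """Pair each NIC add with the later remove of the same (vm, device_key).

    A NIC that existed for at most max_lifetime_seconds is reported. A NIC that
    is added and never removed is not, since that is ordinary provisioning.
    """
    pending: dict[tuple[str, int], dict] = {}
    ghosts: list[GhostNic] = []
    for event in load_events(text):
        key = (event["vm"], event["device_key"])
        if event["op"] == "add":
            pending[key] = event
        elif event["op"] == "remove" and key in pending:
            added = pending.pop(key)
            if event["time"] - added["time"] <= timedelta(seconds=max_lifetime_seconds):
                ghosts.append(GhostNic(
                    vm=event["vm"], device_key=event["device_key"],
                    network=added["network"], user=event["user"],
                    added=added["time"], removed=event["time"],
                ))
    return ghosts


def count_by_vm(ghosts: list[GhostNic]) -> dict[str, int]:
    """Repeat offenders matter more than a single cleanup; count per VM."""
    counts: dict[str, int] = {}
    for g in ghosts:
        counts[g.vm] = counts.get(g.vm, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_ghost_nics(SAMPLE_EVENTS)
    for g in found:
        print(f"{g.vm}: NIC {g.device_key} on {g.network} lived {g.lifetime} (by {g.user})")
    print(count_by_vm(found))
```

On the constructed sample the script reports both short-lived NICs on rp-vrpa-01 and ignores the build agent's NIC that was never removed; lowering the window to 30 minutes keeps only the first. The network name of the removed NIC and the account that removed it are the pivots for the next query, since the same service account reaching an unexpected network segment is the behaviour the report describes.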
The flaw itself is a hard-coded admin account for the Apache Tomcat Manager instance on the appliance. With those credentials the actor authenticated to the RecoverPoint Tomcat Manager, uploaded a web shell named SLAYSTYLE through the "/manager/text/deploy" endpoint, and executed commands as root on the appliance to drop the BRICKSTORM backdoor and its newer variant, dubbed GRIMBOLT. The backdoor code is reported to be built with native ahead-of-time (AOT) compilation, which makes it harder to reverse engineer. The Tomcat Manager's text interface is a documented administrative feature, so a deployment through it looks like routine activity unless use of the manager account is itself monitored.
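The access log of the appliance's Tomcat instance records both the deploy call and the operator's later requests to the new context. The script below is an added example written for this article, not code from Dell, Mandiant or the Tomcat project; it parses Tomcat's common access-log pattern, flags requests to the Manager deploy endpoints, and then ties later requests to the deployed context path back to that deployment. The sample lines, hosts, account name and context name are constructed for the example.

```python
"""Flag Tomcat Manager deployments and follow-on requests to the deployed
context in Tomcat access logs. Added example; not Dell's or Mandiant's code."""
from __future__ import annotations

import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Tomcat's common access-log pattern
# (%h %l %u %t "%r" %s %b). Hosts, user and context names are made up.
SAMPLE_LOG = """\
10.20.30.40 - admin [02/Mar/2025:01:13:11 +0000] "PUT /manager/text/deploy?path=/sys HTTP/1.1" 200 54
10.20.30.40 - admin [02/Mar/2025:01:13:12 +0000] "GET /manager/text/list HTTP/1.1" 200 190
10.20.30.40 - - [02/Mar/2025:01:13:40 +0000] "POST /sys/index.jsp HTTP/1.1" 200 1203
10.20.30.40 - - [02/Mar/2025:01:14:02 +0000] "POST /sys/index.jsp?cmd=id HTTP/1.1" 200 88
192.168.1.5 - - [02/Mar/2025:01:20:00 +0000] "GET /rp/api/v1/status HTTP/1.1" 200 412
10.20.30.41 - - [02/Mar/2025:02:05:17 +0000] "GET /manager/html HTTP/1.1" 401 2473
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Tomcat's text-interface deploy command and the HTML UI's WAR upload form.
DEPLOY_PATHS = ("/manager/text/deploy", "/manager/html/upload")


def parse_line(line: str) -> dict | None:
    """Parse one access-log line; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["query"] = parse_qs(url.query)
    return rec


def analyze(log_text: str) -> dict[str, list[dict]]:
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    manager = [r for r in records if r["path"].startswith("/manager/")]

    # Every hit on a deploy endpoint is reported regardless of HTTP status: the
    # text interface answers 200 for both "OK - Deployed" and "FAIL - ..." bodies.
    deployments = []
    for r in manager:
        if r["path"] in DEPLOY_PATHS:
            context = r["query"].get("path", ["/"])[0]
            deployments.append({**r, "context": context})

    # Requests to a freshly deployed context after the deploy call are the
    # operator driving the web shell. A ROOT deploy (path=/) matches everything.
    post_deploy = []
    for d in deployments:
        ctx = d["context"].rstrip("/")
        for r in records:
            if r["ts"] > d["ts"] and (r["path"] == ctx or r["path"].startswith(ctx + "/")):
                post_deploy.append({**r, "context": d["context"]})

    # Failed Manager logins show someone probing for the account before it worked.
    failed_auth = [r for r in manager if r["status"] in (401, 403)]
    return {
        "manager_requests": manager,
        "deployments": deployments,
        "post_deploy": post_deploy,
        "failed_manager_auth": failed_auth,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for d in result["deployments"]:
        print(f"deploy of {d['context']} by {d['user']} from {d['ip']} at {d['ts']:%Y-%m-%d %H:%M:%S}")
    for r in result["post_deploy"]:
        print(f"  follow-up {r['method']} {r['target']} from {r['ip']}")
    for r in result["failed_manager_auth"]:
        print(f"manager auth failure {r['status']} from {r['ip']} ({r['path']})")
```

On the sample the deploy of /sys by the admin account is reported together with the two POSTs to /sys/index.jsp that follow it, while the status-API request from another host is ignored. On a real appliance any Manager deploy that was not part of a vendor upgrade deserves a look, and the timestamps of the first follow-up request bound when the web shell went live.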
The activity overlaps with a second China-nexus espionage cluster known for exploiting virtualization technologies and Ivanti zero-day vulnerabilities to deliver web shells and malware families such as BEEFLUSH, BRICKSTORM, and ZIPLINE. Despite the similarities, the two clusters are assessed to be distinct at this stage.
Dell's advisory recommends deploying RecoverPoint for Virtual Machines only within a trusted, access-controlled internal network protected by appropriate firewalls and network segmentation. It also advises upgrading to version 6.0.3.1 HF1 or later and applying Dell's remediation for affected versions prior to 5.3 SP4 P1. Because exploitation predates the fix by well over a year, the upgrade closes the entry point but does not remove a web shell or backdoor already on the appliance; patched systems should still be checked for persistence, and credentials reachable from them should be rotated.
Experts warn that nation-state actors continue to target appliances that typically cannot run endpoint detection and response (EDR) agents, which makes it very hard for victims to learn they are compromised and significantly prolongs intrusion dwell times. Use of BRICKSTORM has also been linked to a third China-aligned adversary, tracked as Warp Panda, in attacks aimed at U.S. entities.
The RecoverPoint zero-day is another case of an advanced persistent threat living in virtualization and backup infrastructure that sits outside the reach of conventional endpoint tooling. Organizations should apply the Dell fixes, restrict network access to the appliance, review hypervisor and Tomcat logs for the tradecraft described above, and keep virtualization security on the same footing as endpoint security.
Related Information:
https://www.ethicalhackingnews.com/articles/Dell-RecoverPoint-for-VMs-Zero-Day-Vulnerability-Exposed-A-Growing-Concern-for-Virtualization-Security-ehn.shtml
https://thehackernews.com/2026/02/dell-recoverpoint-for-vms-zero-day-cve.html
https://www.securityweek.com/dell-recoverpoint-zero-day-exploited-by-chinese-cyberespionage-group/
https://nvd.nist.gov/vuln/detail/CVE-2026-22769
https://www.cvedetails.com/cve/CVE-2026-22769/
Published: Wed Feb 18 09:49:40 2026 by llama3.2 3B Q4_K_M