Ethical Hacking News
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added Dell RecoverPoint and GitLab flaws to its Known Exploited Vulnerabilities catalog, warning organizations about potential attacks exploiting these vulnerabilities. This update highlights the critical need for vigilance in cybersecurity as threats continue to evolve.
The Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities, one from Dell RecoverPoint for Virtual Machines and another from GitLab, to its list of Known Exploited Vulnerabilities (KEV). A Server-Side Request Forgery (SSRF) issue in GitLab instances allows attackers to access internal networks. The Dell RecoverPoint for Virtual Machines Use of Hard-coded Credentials Vulnerability has been exploited by a suspected China-linked APT group, allowing them to move laterally and deploy malware. Attackers have used this vulnerability to create "Ghost NICs" for stealthy lateral movement and Single Packet Authorization to control traffic on vCenter appliances. Organizations must review the KEV catalog and address these vulnerabilities to protect against attacks exploiting the flaws in the catalog.
The Cybersecurity and Infrastructure Security Agency (CISA) has recently added two vulnerabilities, one from Dell RecoverPoint for Virtual Machines and another from GitLab, to its list of Known Exploited Vulnerabilities (KEV). This update serves as a reminder to organizations that have not yet addressed these flaws in their infrastructure to do so. In this article, we will delve into the details of both vulnerabilities and explore the broader implications for cybersecurity.
The first vulnerability added to the KEV catalog is a Server-Side Request Forgery (SSRF) issue tracked as CVE-2021-22175. This flaw allows an attacker to target GitLab instances that have user registration disabled but still have webhooks enabled, potentially gaining access to internal networks. According to threat intelligence firm GreyNoise, this vulnerability has been exploited by attackers targeting various entities in the United States, Germany, Singapore, India, Lithuania, Japan, and Israel.
GreyNoise also reported an increase in Grafana path traversal exploitation attempts on March 9, suggesting that attackers may be using Grafana as an entry point for deeper exploitation. One of the vulnerabilities observed in these attacks is CVE-2020-7796. Experts warned that attackers leverage SSRF for pivoting and reconnaissance, as well as cloud exploitation.
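The defensive counterpart to a webhook SSRF is to validate the outbound destination before the server ever connects to it. The following is an added illustration, not GitLab's code or any vendor's implementation: it rejects webhook URLs whose host resolves to a private, loopback, link-local or otherwise non-public address, and it uses a constructed in-memory resolver (FAKE_DNS, with made-up addresses) so that it runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for DNS (hostnames and addresses are made up).
# Real code would resolve with socket.getaddrinfo and then connect to the
# address it checked, so a DNS-rebinding race cannot swap it afterwards.
FAKE_DNS = {
    "hooks.example.com": ["20.30.40.50"],
    "ci.internal": ["10.0.0.5"],
    "dual.example.com": ["20.30.40.60", "192.168.1.9"],
    "metadata.example.net": ["169.254.169.254"],
}

def is_public_address(ip_text):
    """True only for globally routable unicast addresses (v4 or v6)."""
    ip = ipaddress.ip_address(ip_text)
    # is_global already excludes private, loopback, link-local (which covers
    # the 169.254.169.254 metadata endpoint), reserved and unspecified ranges;
    # multicast is excluded separately because is_global does not cover it.
    return ip.is_global and not ip.is_multicast

def validate_webhook_url(url, resolver=FAKE_DNS.get):
    """Return (ok, reason) for a user-supplied webhook destination."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname  # strips userinfo, port and IPv6 brackets
    if not host:
        return False, "missing host"
    try:
        # A literal IP in the URL bypasses DNS, so check it directly.
        ipaddress.ip_address(host)
        addrs = [host]
    except ValueError:
        addrs = resolver(host) or []
        if not addrs:
            return False, "host does not resolve"
    # Every address the name resolves to must be public; otherwise a name
    # that pairs one public and one internal record would slip through.
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"destination {addr} is not a public address"
    return True, "ok"
```

The same check must be repeated on every redirect the webhook target returns, since a public host can otherwise redirect the server to an internal one.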
The second vulnerability added to the KEV catalog is a Dell RecoverPoint for Virtual Machines (RP4VMs) Use of Hard-coded Credentials Vulnerability tracked as CVE-2026-22769. This flaw involves hardcoded credentials, which were abused to gain access to VMware backup systems. Mandiant and Google's Threat Intelligence Group reported that a suspected China-linked APT group quietly exploited this critical zero-day flaw in Dell RecoverPoint for Virtual Machines since mid-2024.
Analysis of incident response engagements revealed that UNC6201, a suspected PRC-nexus threat cluster, has exploited this flaw to move laterally, maintain persistent access, and deploy malware including SLAYSTYLE, BRICKSTORM, and a novel backdoor tracked as GRIMBOLT. Researchers observed advanced tactics, including stealthy VMware pivoting via "Ghost NICs" and Single Packet Authorization with iptables.
Dell has released patches and mitigation guidance for this vulnerability. During investigations into compromised Dell RecoverPoint appliances, Mandiant researchers discovered that attackers replaced BRICKSTORM with a new C# backdoor, GRIMBOLT, in September 2025. GRIMBOLT is compiled using Native AOT and packed with UPX, providing remote shell access and reusing BRICKSTORM's command-and-control channels.
Attackers ensured persistence by modifying a legitimate startup script so the backdoor runs automatically at boot. The attackers expanded into VMware environments, creating "Ghost NICs" for stealthy lateral movement and using iptables-based Single Packet Authorization to covertly redirect and control traffic on vCenter appliances.
This update serves as a reminder to organizations that have not yet addressed these vulnerabilities in their infrastructure to do so. Experts recommend reviewing the KEV catalog and remediating the listed vulnerabilities to protect against attacks exploiting the flaws in the catalog.
In light of this development, it is crucial for organizations to take proactive measures to secure their systems against known exploited vulnerabilities. The addition of these two flaws to the KEV catalog highlights the ongoing threat landscape and underscores the importance of vigilance in cybersecurity.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Vulnerable-Landscape-CISAs-Latest-Addition-to-the-Known-Exploited-Vulnerabilities-Catalog-Sparks-Concern-Over-Dell-RecoverPoint-GitLab-and-Beyond-ehn.shtml
https://securityaffairs.com/188243/hacking/u-s-cisa-adds-dell-recoverpoint-and-gitlab-flaws-to-its-known-exploited-vulnerabilities-catalog.html
https://www.cisa.gov/news-events/alerts/2026/02/18/cisa-adds-two-known-exploited-vulnerabilities-catalog
https://nvd.nist.gov/vuln/detail/CVE-2020-7796
https://www.cvedetails.com/cve/CVE-2020-7796/
https://nvd.nist.gov/vuln/detail/CVE-2021-22175
https://www.cvedetails.com/cve/CVE-2021-22175/
https://nvd.nist.gov/vuln/detail/CVE-2026-22769
https://www.cvedetails.com/cve/CVE-2026-22769/
Published: Thu Feb 19 14:18:48 2026 by llama3.2 3B Q4_K_M