CVE-2026-22769: Critical Dell RecoveryPoint Zero-Day Exploited in the Wild

SOC Prime has recently covered a wave of actively exploited zero-days across major ecosystems, including Apple’s CVE-2026-20700 and Microsoft’s CVE-2026-20805, alongside a fresh Chrome zero-day case. But the avalanche of threats keeps marching into 2026. Recently, researchers from Mandiant and Google Threat Intelligence Group (GTIG) detailed the active exploitation of CVE-2026-22769, a maximum-severity hardcoded-credential vulnerability in Dell products.

The spotlight is on Dell RecoverPoint for Virtual Machines, a VMware-focused backup and disaster recovery solution that has become the target of an in-the-wild zero-day campaign attributed to suspected China-nexus activity. Tracked with a CVSS score of 10.0, CVE-2026-22769 has reportedly been exploited by the China-linked cluster UNC6201 since at least mid-2024, enabling attackers to establish access and deploy multiple malware families, including BRICKSTORM and GRIMBOLT.

SOC Prime Platform helps security teams close the gap between “a CVE was disclosed” and “we have detection intel.” Sign up now to access the world’s largest detection intelligence dataset, backed by advanced solutions to take your SOC to the next level. Click Explore Detections to reach vulnerability-focused detection content pre-filtered by the “CVE” tag. 

Explore Detections

All rules are compatible with dozens of SIEM, EDR, and Data Lake formats and mapped to MITRE ATT&CK®. Additionally, each rule is enriched with extensive metadata, including CTI references, Attack Flow visualization, triage recommendations, audit configurations, and more.

Security teams can also leverage Uncoder AI to accelerate detection engineering end-to-end by generating rules directly from live threat reports, refining and validating detection logic, converting IOCs into custom hunting queries, and instantly translating detection code across diverse language formats.

CVE-2026-22769 Analysis

In its advisory from February 17, 2026, Dell describes CVE-2026-22769 as a hardcoded credential vulnerability in RecoverPoint for Virtual Machines prior to 6.0.3.1 HF1, and assigns it a highest severity rating. Dell warns that an unauthenticated remote attacker who knows the hardcoded credential could gain unauthorized access to the underlying operating system and even establish root-level persistence. 

GTIG and Mandiant’s investigation adds the operational detail behind that impact. Security experts observed activity against the appliance’s Apache Tomcat Manager, including web requests using the admin username that resulted in the deployment of a malicious WAR file containing the SLAYSTYLE web shell. The researchers then traced this back to hard-coded default credentials for the admin user in Tomcat Manager configuration at /home/kos/tomcat9/tomcat-users.xml. Using those credentials, an attacker could authenticate to Tomcat Manager and deploy a WAR via the /manager/text/deploy endpoint, leading to command execution as root on the appliance. 

UNC6201 is assessed to have used this foothold for lateral movement, persistence, and malware deployment, with the earliest identified exploitation dating back to mid-2024. The initial access vector was not confirmed in these cases, but GTIG notes UNC6201 is known for targeting edge appliances as an entry point.

The post-compromise tooling also evolved over time. Mandiant reports finding BRICKSTORM binaries and then observing a replacement with GRIMBOLT in September 2025. GRIMBOLT is described as a C# backdoor compiled using native ahead-of-time (AOT) compilation and packed with UPX, providing remote shell capability while using the same C2 as BRICKSTORM. The researchers note it is unclear whether the swap was a planned upgrade or a response to incident response pressure.

The activity did not stop at the RecoverPoint appliance. Mandiant reports that UNC6201 pushed deeper into victims’ virtualized environments by creating temporary virtual network ports on VMware ESXi servers, effectively spinning up hidden network connectivity commonly referred to as “Ghost NICs.” This technique allowed the attackers to move quietly from compromised VMs into broader internal networks and, in some cases, toward SaaS environments.

Researchers also report overlaps between UNC6201 and another China-nexus cluster tracked as UNC5221, known for exploiting Ivanti zero-days and previously linked in reporting to Silk Typhoon, though GTIG notes these clusters are not considered identical.

CVE-2026-22769 Mitigation

Dell’s remediation guidance is clear, but it requires follow-through. For the 6.x line, Dell points customers to upgrade to 6.0.3.1 HF1 or apply the vendor remediation script referenced in the advisory, and it also provides migration/upgrade paths for affected 5.3 service pack builds.

To strengthen coverage beyond patching, rely on the SOC Prime Platform to reach the world’s largest detection intelligence dataset, adopt an end-to-end pipeline that spans detection through simulation while streamlining security operations and speeding up response workflows, reduce engineering overhead, and stay ahead of emerging threats.