Dell RecoverPoint for VMs Zero-Day CVE-2026-22769 (CVSS 10.0) Exploited Since Mid-2024


Key Takeaways:

  • Critical Vulnerability: CVE-2026-22769 carries a perfect 10.0 CVSS score due to hard-coded credentials in Dell RecoverPoint for VMs.
  • Long-term Exploitation: China-nexus threat actor group UNC6201 has been exploiting this flaw since mid-2024 to establish persistence.
  • Advanced Evasion: The attackers used “Ghost NICs” and sophisticated iptables port-knocking to hide lateral movement and C2 traffic.
  • Immediate Action Required: CISA has added this to the KEV catalog, and organizations must upgrade to version 6.0.3.1 HF1 immediately.

On February 18, 2026, Google Mandiant and the Google Threat Intelligence Group (GTIG) disclosed that CVE-2026-22769, a critical vulnerability in Dell RecoverPoint for Virtual Machines, has been a primary initial-access vector for a China-nexus threat actor tracked as UNC6201. The flaw carries a CVSS score of 10.0 and stems from a hard-coded credential in the appliance software. While public disclosure is recent, the Mandiant and GTIG analysis indicates that exploitation began in mid-2024, well over a year before a fix was available. That window of undetected access let the actor establish long-term persistence within affected environments, targeting virtualization infrastructure that frequently lacks endpoint detection and response (EDR) coverage.


Dell RecoverPoint for VMs Zero-Day CVE-2026-22769 Exploited Since Mid-2024

The vulnerability CVE-2026-22769 (CVSS 10.0) centers on an “admin” account with a hard-coded password for the Apache Tomcat Manager instance embedded in the Dell RecoverPoint for Virtual Machines appliance. Because the credential is fixed and shared across installations, a remote attacker who has obtained it needs no account of their own: they can authenticate to the Tomcat Manager and use the /manager/text/deploy endpoint to upload a malicious WAR file, which Tomcat deploys as a web application. Because the Tomcat service on the appliance runs with root-level privileges, the deployed payload executes commands as root on the underlying operating system.

Affected versions include all releases of RecoverPoint for Virtual Machines prior to 6.0.3.1 HF1. Specifically:

  • RecoverPoint for Virtual Machines 5.3 SP4 P1 and earlier.
  • RecoverPoint for Virtual Machines 6.0 through 6.0 SP3 P1.

Products such as RecoverPoint Classic are confirmed as not vulnerable to this specific flaw. CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalog on February 18, 2026, confirming in-the-wild exploitation; organizations running affected versions should treat the upgrade as an emergency change.

Technical Analysis of the UNC6201 Campaign

The threat actor cluster UNC6201 has focused on North American organizations, utilizing a sophisticated toolkit to maintain a low forensic footprint. The initial access phase involves the exploitation of the hard-coded credential to drop a web shell named SLAYSTYLE. This web shell serves as a delivery mechanism for more complex backdoors, specifically the BRICKSTORM and GRIMBOLT families.

BRICKSTORM and GRIMBOLT Malware Families

BRICKSTORM is a Go-based backdoor that has been observed in several campaigns linked to China-aligned espionage, notably against VMware vCenter appliances. In late 2025, researchers noted a transition from BRICKSTORM to a newer C# backdoor dubbed GRIMBOLT. GRIMBOLT is significant because it is built with .NET Native ahead-of-time (AOT) compilation: the C# code is compiled in advance into a self-contained native executable rather than shipped as intermediate language for the .NET runtime's Just-In-Time (JIT) compiler. For an analyst this matters twice over. The binary no longer carries the managed metadata that .NET decompilers rely on, so it has to be reverse engineered like any other native executable, and it has no dependency on an installed .NET runtime, so it runs, and blends in, on appliances where no managed-code tooling would be expected.

GRIMBOLT provides remote shell capabilities and uses the same command-and-control (C2) infrastructure as its predecessor. Its primary purpose appears to be long-term espionage and data exfiltration from within the virtualization layer.

The “Ghost NIC” Evasion Technique

One of the most distinct tactics employed by UNC6201 is the use of temporary virtual network interfaces, or “Ghost NICs.” To pivot from the compromised Dell RecoverPoint appliance into the broader internal network or SaaS environments, the actors create a new virtual network interface on the compromised system. Traffic routed through it never crosses the interfaces defenders already monitor, so lateral movement proceeds without triggering alerts tied to those interfaces. Once the objective is achieved, the actors delete the Ghost NIC, removing the most direct evidence of the pivot. This frustrates network forensics and breach detection: the interface no longer exists in the virtual environment's configuration, so unless its creation and deletion were logged at the time, the investigator has no artifact to correlate observed flows against.

Iptables Port Redirection and Persistence

UNC6201 demonstrated a high level of operational security through the manipulation of host-based firewall rules. On compromised VMware vCenter appliances, the group installed iptables rules that inspect incoming traffic on port 443 and implement a port-knocking sequence:

  1. A rule watches for a specific hex byte sequence in traffic directed at port 443; this is the knock.
  2. When the knock is seen, the packet's source IP is added to an “approved” list.
  3. A connection from an approved IP to port 10443 is accepted.
  4. For a 300-second window, further traffic from that IP to port 443 is silently redirected to port 10443.

This mechanism lets the actor hide C2 traffic inside what looks like ordinary HTTPS to the appliance while keeping a dedicated, hidden port for administrative control. It is also easy to miss: the knock is a byte pattern inside otherwise encrypted traffic, and if the redirection uses iptables' REDIRECT target it lives in the nat table, which a review of the filter table alone will not show. Both properties complicate detection and cyber-threat intelligence collection.

Regional and Sector-Specific Impact

While fewer than a dozen organizations have been confirmed as victims, the actual scale is likely larger due to the length of time the zero-day remained unpatched. The activity overlaps with other known clusters, such as UNC5221, which has historically targeted virtualization technologies and Ivanti appliances. There are also tactical similarities with Warp Panda, a group that has utilized BRICKSTORM against U.S.-based entities.

The targeting of edge appliances and virtualization managers is a strategic choice. These systems often lack integrated security agents like EDR or XDR, creating a blind spot for many security operation centers. Furthermore, these appliances often have broad reach into both the data center and the cloud, making them ideal staging points for espionage.

This trend is mirrored in recent attacks by Voltzite (Volt Typhoon), which targeted Sierra Wireless Airlink gateways in the energy sector in mid-2025. These attacks transitioned from data exfiltration to the direct manipulation of engineering workstations, demonstrating that Chinese espionage groups are moving closer to operational technology (OT) disruption. Organizations utilizing virtualization for critical infrastructure must account for these risks through supply-chain risk monitoring.

Parallel Threat: Grandstream GXP1600 RCE (CVE-2026-2329)

In addition to the Dell RecoverPoint vulnerability, researchers have identified a critical flaw in Grandstream GXP1600 series VoIP phones. Tracked as CVE-2026-2329 (CVSS 9.3), this vulnerability is an unauthenticated stack-based buffer overflow.

The issue resides in the web-based API endpoint /cgi-bin/api.values.get, which is enabled by default and does not require authentication. The handler parses the identifiers supplied in the “request” parameter and appends each one to a 64-byte buffer on the stack without checking the accumulated length, so an over-long value overwrites adjacent stack memory.

Exploitation of this flaw allows for:

  • Root-level remote code execution (RCE).
  • Extraction of stored credentials.
  • Reconfiguration of the device to use a malicious Session Initiation Protocol (SIP) proxy.
  • Eavesdropping on VoIP conversations.

The Grandstream vulnerability reinforces the necessity of dark web monitoring and underground forum intelligence to identify when such exploits are traded or discussed among threat actors before they are broadly patched.

Technical Takeaways for Engineers

For technical teams, the Dell and Grandstream vulnerabilities highlight several architectural weaknesses that must be addressed.

Hard-coded Credential Auditing:
CVE-2026-22769 demonstrates that even enterprise-grade recovery solutions can ship with legacy hard-coded accounts. Engineers should audit the credentials of every management interface, particularly those built on Apache Tomcat, for default or vendor-fixed accounts. The Tomcat Manager text interface (/manager/text/) should be disabled if it is not required for operations, or restricted to localhost (for example with a RemoteAddrValve on the manager context), and its account must not share a password across installations.
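One way to put the Manager audit into practice, and to hunt for the web shell deployment described under Technical Analysis of the UNC6201 Campaign, is to read the appliance's Tomcat access log, flag every Manager request from a non-loopback client, single out successful PUTs to /manager/text/deploy, and then follow requests into the context those PUTs created. The Python below is an added example written for this article, not Dell's or Tomcat's code. The log lines are constructed in Tomcat's default “common” AccessLogValve format; the client addresses, the /RecoverPoint/ path and the /util context are placeholders, not indicators from the real campaign.

```python
"""Audit a Tomcat access log for remote use of the Manager application.

Tomcat's default AccessLogValve "common" pattern is:  %h %l %u %t "%r" %s %b
The log below is constructed for this example; nothing in it comes from a
real incident.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Constructed sample log (placeholder addresses and paths, not campaign IOCs).
SAMPLE_LOG = """\
127.0.0.1 - - [12/Aug/2024:03:10:00 +0000] "GET /RecoverPoint/ HTTP/1.1" 200 1523
203.0.113.7 - admin [12/Aug/2024:03:14:07 +0000] "GET /manager/text/list HTTP/1.1" 200 212
203.0.113.7 - admin [12/Aug/2024:03:14:09 +0000] "PUT /manager/text/deploy?path=/util&update=true HTTP/1.1" 200 44
203.0.113.7 - - [12/Aug/2024:03:14:15 +0000] "POST /util/index.jsp HTTP/1.1" 200 17
198.51.100.2 - admin [12/Aug/2024:04:00:00 +0000] "GET /manager/text/list HTTP/1.1" 401 0
"""


def parse_log(text):
    """Yield one dict per well-formed common-format line; skip anything else."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def is_remote(host):
    """True unless the client is a loopback IP (unparseable hostnames count as remote)."""
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return True


def audit_manager_access(text):
    """Return (findings, deployed_contexts).

    findings: one dict per Manager request from a non-loopback client, plus one
    per later request into a context such a client deployed (web shell use).
    deployed_contexts: {context_path: (client, timestamp)} for every successful
    PUT /manager/text/deploy.
    """
    findings, deployed = [], {}
    for e in parse_log(text):
        url = urlsplit(e["target"])
        base = {"host": e["host"], "user": e["user"], "time": e["time"],
                "status": e["status"], "request": f'{e["method"]} {e["target"]}'}
        if url.path.startswith("/manager/"):
            if not is_remote(e["host"]):
                continue          # local automation is expected; remote use is not
            what = "Tomcat Manager reached from non-loopback client"
            if (url.path == "/manager/text/deploy" and e["method"] == "PUT"
                    and e["status"] == "200"):
                ctx = parse_qs(url.query).get("path", [""])[0]
                deployed[ctx] = (e["host"], e["time"])
                what = f"WAR deployed to context {ctx!r} via Manager text interface"
            findings.append({**base, "what": what})
            continue
        # Any hit on a remotely deployed context is a candidate web shell call.
        for ctx, (src, when) in deployed.items():
            if ctx and (url.path == ctx or url.path.startswith(ctx + "/")):
                findings.append({**base, "what": f"request to context {ctx!r}, "
                                                 f"deployed by {src} at {when}"})
    return findings, deployed


if __name__ == "__main__":
    found, contexts = audit_manager_access(SAMPLE_LOG)
    for f in found:
        print(f'{f["time"]} {f["host"]:>14} {f["status"]} {f["request"]}\n    -> {f["what"]}')
    print("remotely deployed contexts:", contexts)
```

Run it against the real access log (typically under the Tomcat logs directory on the appliance) after confirming the valve pattern matches; a deploy that succeeded from a non-local address is the single most important line to pull, because every later request into that context is the attacker talking to their shell.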

Log Analysis and Indicators of Compromise (IOCs):
Hunting for SLAYSTYLE and BRICKSTORM starts in the Tomcat webapps directory: look for application contexts that do not belong to the product and correlate them with PUT requests to /manager/text/deploy in the Tomcat access log. Engineers should also dump the complete iptables configuration (iptables-save, including the nat table) and inspect it for REDIRECT rules, rules that match on packet payload or track source addresses over a time window, and anything referencing port 10443. Because the knock is a fixed byte sequence inside otherwise TLS-encrypted traffic to port 443, the firewall rule that matches on it is a more reliable indicator than the traffic itself.
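To make the iptables check concrete, the Python below parses an iptables-save dump and reconstructs the sequence described under Iptables Port Redirection and Persistence: a payload match on port 443 that records the source in a list, and rules that accept or redirect that source to another port for a limited window. It is an added example written for this article, not a tool from the original report. The rule set is a constructed reconstruction of the described logic using iptables' string and recent match modules, which is an assumption about how the actor implemented it; the knock bytes |de ad be ef|, the list name approved and the chain layout are placeholders, and no rule here is an indicator from the real campaign.

```python
"""Audit an iptables-save dump for a knock-then-redirect pattern.

Reconstruction of the described logic (an assumption about the actor's
implementation): the `string` match spots the knock bytes on port 443, the
`recent` match records the source, and later rules ACCEPT or REDIRECT that
source to a hidden port for --seconds N. Every rule below is constructed.
"""
import shlex

SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -m recent --rcheck --seconds 300 --name approved --rsource -j REDIRECT --to-ports 10443
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m string --hex-string "|de ad be ef|" --algo bm --to 65535 -m recent --set --name approved --rsource -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10443 -m recent --rcheck --seconds 300 --name approved --rsource -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10443 -j DROP
COMMIT
"""

# Options that consume the following token; everything else is a bare flag.
VALUE_OPTS = {"-p", "-i", "-o", "-s", "-d", "-m", "-j", "--dport", "--sport",
              "--to-ports", "--name", "--seconds", "--hitcount", "--string",
              "--hex-string", "--algo", "--from", "--to"}
FIELD_FOR = {"--dport": "dport", "-j": "target", "--to-ports": "to_ports",
             "--name": "recent_name", "--string": "string", "--hex-string": "string"}
RECENT_ACTIONS = {"--set", "--rcheck", "--update", "--remove"}
SUSPECT_PORTS = {"10443"}


def parse_rule(table, line):
    """Reduce one '-A CHAIN ...' line to the fields the audit needs."""
    toks = shlex.split(line)
    rule = {"table": table, "chain": toks[1], "raw": line, "modules": set(),
            "dport": None, "target": None, "to_ports": None, "recent": None,
            "recent_name": None, "seconds": None, "string": None}
    i = 2
    while i < len(toks):
        opt = toks[i]
        val = toks[i + 1] if opt in VALUE_OPTS and i + 1 < len(toks) else None
        if opt in RECENT_ACTIONS:
            rule["recent"] = opt[2:]
        elif opt == "-m":
            rule["modules"].add(val)
        elif opt == "--seconds":
            rule["seconds"] = int(val)
        elif opt in FIELD_FOR:
            rule[FIELD_FOR[opt]] = val
        i += 2 if val is not None else 1
    return rule


def parse_dump(text):
    """Parse iptables-save output, tracking the *table header each rule sits in."""
    rules, table = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            rules.append(parse_rule(table, line))
    return rules


def audit_rules(rules):
    """Flag individual rules that look like a knock trigger, a gate or a redirect."""
    findings = []
    for r in rules:
        reasons = []
        if "string" in r["modules"] and r["dport"] == "443":
            reasons.append("payload match on port 443 (knock trigger)")
        if r["recent"] == "set" and "string" in r["modules"]:
            reasons.append(f"source recorded in recent list {r['recent_name']!r} on match")
        if r["target"] == "REDIRECT" and r["to_ports"] and r["to_ports"] != r["dport"]:
            reasons.append(f"port {r['dport']} silently redirected to {r['to_ports']}")
        if r["recent"] in ("rcheck", "update") and r["seconds"]:
            reasons.append(f"gated by recent list {r['recent_name']!r} for {r['seconds']} s")
        if r["dport"] in SUSPECT_PORTS or r["to_ports"] in SUSPECT_PORTS:
            reasons.append("references port 10443")
        if reasons:
            findings.append({"table": r["table"], "chain": r["chain"],
                             "rule": r["raw"], "reasons": reasons})
    return findings


def find_knock_chains(rules):
    """Join trigger and consumer rules on the recent list they share; a list that
    is written by a payload-triggered --set and read by --rcheck/--update rules
    is a complete knock chain and the strongest signal."""
    by_list = {}
    for r in rules:
        if r["recent_name"]:
            by_list.setdefault(r["recent_name"], []).append(r)
    chains = []
    for name, rs in by_list.items():
        triggers = [r for r in rs if r["recent"] == "set" and "string" in r["modules"]]
        consumers = [r for r in rs if r["recent"] in ("rcheck", "update")]
        if triggers and consumers:
            chains.append({"list": name, "trigger_port": triggers[0]["dport"],
                           "knock": triggers[0]["string"],
                           "window_seconds": max(c["seconds"] or 0 for c in consumers),
                           "hidden_ports": sorted({c["to_ports"] or c["dport"] for c in consumers})})
    return chains


if __name__ == "__main__":
    parsed = parse_dump(SAMPLE_IPTABLES_SAVE)
    for f in audit_rules(parsed):
        print(f"[{f['table']}/{f['chain']}] {f['rule']}\n    - " + "\n    - ".join(f["reasons"]))
    print("knock chains:", find_knock_chains(parsed))
```

Feed it the output of iptables-save (and ip6tables-save) from the appliance rather than the filter table alone; the per-rule findings catch partial cleanups, while a complete chain, a trigger and its consumers on the same list, is the result worth escalating on its own.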

Network Segmentation and Ghost NIC Detection:
Because a Ghost NIC exists only for the duration of the pivot, a point-in-time configuration review will not find it. Network and virtualization teams must instead record the creation and deletion of virtual network interfaces as events, both at the hypervisor (vCenter task and event logs) and inside guests and appliances, and retain those records long enough to support an investigation. Implementing strict micro-segmentation limits what a compromised appliance can reach in SaaS or internal engineering environments even when a Ghost NIC is used.
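The interface-lifecycle monitoring recommended here, and the evasion it counters under The “Ghost NIC” Evasion Technique, can be approximated inside a Linux appliance by taking periodic snapshots of ip -j link show and diffing them, so that an interface which appears and later vanishes leaves a record after it is gone. The Python below is an added example written for this article, not code from Mandiant or Dell; the snapshots are constructed to mimic the JSON that ip -j link show prints, and the interface names, MAC addresses and timestamps are placeholders rather than observed indicators.

```python
"""Spot transient ("Ghost") interfaces by diffing periodic `ip -j link show`
snapshots. The snapshots below are constructed for this example; names, MAC
addresses and timestamps are placeholders, not observed indicators."""
import json


def snapshot(ts, ifaces):
    """Build a (timestamp, json_text) pair in the shape `ip -j link show` emits."""
    return ts, json.dumps([
        {"ifindex": n, "ifname": name, "link_type": kind, "address": mac,
         "flags": ["BROADCAST", "MULTICAST", "UP"] if kind == "ether" else ["LOOPBACK", "UP"]}
        for n, (name, kind, mac) in enumerate(ifaces, start=1)
    ])


LO = ("lo", "loopback", "00:00:00:00:00:00")
ETH0 = ("eth0", "ether", "00:50:56:aa:bb:01")
GHOST = ("eth1", "ether", "00:50:56:aa:bb:77")   # present only briefly
LATE = ("eth2", "ether", "00:50:56:aa:bb:90")    # appears and stays

# Constructed inventory taken every 15 minutes (placeholder data).
SNAPSHOTS = [
    snapshot("2026-02-01T02:00:00Z", [LO, ETH0]),
    snapshot("2026-02-01T02:15:00Z", [LO, ETH0, GHOST]),
    snapshot("2026-02-01T02:30:00Z", [LO, ETH0, GHOST, LATE]),
    snapshot("2026-02-01T02:45:00Z", [LO, ETH0, LATE]),
]


def parse_snapshot(raw_json):
    """Map ifname -> (link_type, address) for one `ip -j link show` dump."""
    return {i["ifname"]: (i.get("link_type"), i.get("address")) for i in json.loads(raw_json)}


def diff_snapshots(before, after):
    """Interfaces that appeared and that vanished between two parsed snapshots."""
    return sorted(set(after) - set(before)), sorted(set(before) - set(after))


def find_ghost_interfaces(snapshots, baseline=None):
    """Walk snapshots in time order and return (ghosts, lingering).

    ghosts:    interfaces outside the baseline that appeared and later vanished
    lingering: interfaces outside the baseline that are still present at the end
    The baseline defaults to the first snapshot's interface set. "created" is
    the first snapshot that saw the interface, so the real creation time lies
    between that and the previous snapshot.
    """
    parsed = [(ts, parse_snapshot(raw)) for ts, raw in snapshots]
    known = set(baseline) if baseline is not None else set(parsed[0][1])
    unexpected = {}   # ifname -> record for interfaces seen outside the baseline
    ghosts = []
    prev = parsed[0][1]
    for ts, cur in parsed[1:]:
        added, removed = diff_snapshots(prev, cur)
        for name in added:
            if name not in known:
                kind, mac = cur[name]
                unexpected[name] = {"ifname": name, "link_type": kind, "address": mac,
                                    "created": ts, "deleted": None}
        for name in removed:
            if name in unexpected:
                rec = unexpected.pop(name)
                rec["deleted"] = ts
                ghosts.append(rec)
        prev = cur
    return ghosts, list(unexpected.values())


if __name__ == "__main__":
    ghosts, lingering = find_ghost_interfaces(SNAPSHOTS)
    for g in ghosts:
        print(f"GHOST {g['ifname']} ({g['address']}): created {g['created']}, deleted {g['deleted']}")
    for g in lingering:
        print(f"UNEXPECTED {g['ifname']} ({g['address']}): created {g['created']}, still present")
```

The detection window equals the snapshot interval, so an interface that lives for less time than that can still slip through; the guest-level diff is a complement to hypervisor event logging, not a replacement for it.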

Binary Hardening:
The shift to AOT-compiled malware like GRIMBOLT means that static analysis and signatures written for managed .NET artifacts are less effective. Security teams should lean on behavioral detection instead: anomalous process execution, unexpected outbound connections, and file writes into web application directories on virtualization hosts and appliances, where conventional EDR agents are often absent.

Actionable Advice for Business Leaders

Prioritize Edge Appliance Patching:
The Dell RecoverPoint vulnerability has a CVSS of 10.0 and is actively being exploited. Business leaders must ensure that IT teams prioritize the patching of edge-facing appliances. The supply-chain information security of these third-party appliances is a critical risk factor.

Investment in Managed Threat Intelligence:
Utilizing a cyber threat intelligence platform can provide early warnings about groups like UNC6201. Access to a live ransomware API and telegram threat monitoring allows a business to understand the specific tactics being used against their industry before an incident occurs.

Re-evaluate Trust Models:
The Dell bulletin notes that RecoverPoint for VMs is not intended for use on untrusted or public networks. Business leaders should verify that management interfaces for backup and recovery systems are not exposed to the internet and are protected by multi-factor authentication (MFA) and VPNs.

Monitoring for Data Leaks:
In the event of an undetected compromise, brand leak alerting can provide the first sign that corporate data has been exfiltrated and posted on underground forums.

Remediation Steps

Dell has released specific remediation paths for CVE-2026-22769. Organizations must follow the upgrade path corresponding to their current version; the fixed release is 6.0.3.1 HF1 in every case:

  1. Versions 5.3 SP4 and earlier: Upgrade to 5.3 SP4 P1 (or directly to a 6.x release), then continue with the applicable step below.
  2. Version 5.3 SP4 P1: Migrate to version 6.0 SP3, then upgrade to 6.0.3.1 HF1.
  3. Versions 6.0 through 6.0 SP3 P1: Upgrade directly to 6.0.3.1 HF1.

For the Grandstream GXP1600 series, users should update to firmware version 1.0.7.81 immediately.

PurpleOps Expertise in Threat Mitigation

PurpleOps provides the technical depth and specialized services required to navigate complex zero-day scenarios like CVE-2026-22769. Our cyber threat intelligence platform integrates data from underground forum intelligence and telegram threat monitoring to give organizations a clear view of the actor landscape.

By leveraging our penetration testing and red team operations, companies can identify if their virtualization infrastructure is susceptible to the same “Ghost NIC” or iptables redirection tactics used by UNC6201. Our focus on supply-chain risk monitoring ensures that third-party appliances like Dell RecoverPoint do not become the weak link in your security posture.

For organizations concerned about the long-term presence of BRICKSTORM or GRIMBOLT, our breach detection and forensic analysis services provide the necessary visibility to hunt for these sophisticated backdoors. We offer real-time ransomware intelligence through a live ransomware API, helping you stay ahead of actors who may pivot from espionage to disruptive attacks.

For more information on how PurpleOps can secure your infrastructure against sophisticated zero-day exploits and China-nexus threat actors, explore our platform or services today. Contact our team to schedule a technical consultation or a security assessment of your virtualization environment.

Frequently Asked Questions (FAQ)

What is CVE-2026-22769?
It is a critical vulnerability (CVSS 10.0) in Dell RecoverPoint for Virtual Machines caused by a hard-coded credential for the embedded Apache Tomcat Manager, allowing remote root-level command execution.

Who is exploiting this vulnerability?
A China-nexus threat actor group tracked as UNC6201 has been exploiting the flaw since mid-2024 for espionage purposes.

What are “Ghost NICs”?
Ghost NICs are temporary virtual network interfaces created by attackers to perform lateral movement within a virtualized environment. They are deleted after use to erase forensic evidence.

Which Dell products are affected?
RecoverPoint for Virtual Machines versions 5.3 SP4 P1 and earlier, and versions 6.0 through 6.0 SP3 P1 are affected. RecoverPoint Classic is not vulnerable.

How can I protect my organization?
Organizations should immediately apply the 6.0.3.1 HF1 patch, restrict access to management interfaces, and monitor for indicators of BRICKSTORM or GRIMBOLT malware.