A critical vulnerability in Dell RecoverPoint for Virtual Machines has been exploited as a zero-day since mid-2024 by a suspected Chinese threat group tracked as UNC6201. The flaw involves hard-coded credentials that allow unauthenticated attackers to gain root access and deploy persistent backdoors such as BRICKSTORM and its stealthier successor, GRIMBOLT.
A newly disclosed security flaw carrying the maximum severity score of 10.0 affects Dell RecoverPoint for Virtual Machines across multiple versions. According to reports from Google Mandiant and Google Threat Intelligence Group, the vulnerability stems from hard-coded credentials within the Apache Tomcat Manager. Attackers use these credentials to gain unauthorized access to the underlying operating system, which lets them execute commands and maintain a long-term presence on affected networks.
The threat actor behind these attacks, identified as UNC6201, has been exploiting this weakness since at least mid-2024 to target organizations primarily in North America. Using the hard-coded "admin" user, the group deploys a web shell that facilitates the installation of more sophisticated malware. This includes the GRIMBOLT backdoor, which is built with native ahead-of-time compilation to evade traditional security detection and to complicate reverse engineering by forensic investigators.
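The two paragraphs above describe the root cause: a privileged account baked into the Tomcat Manager configuration. A practical defensive check is to audit the `tomcat-users.xml` that ships with an appliance and list every account holding a Manager or Host Manager role, flagging generic usernames and passwords that equal the username. The script below is an added example, not code from Dell, Mandiant or the Tomcat project; the sample XML is constructed for illustration and the heuristics (role list, generic-name list, short-password threshold) are the author's assumptions, not values taken from the affected product.

```python
import xml.etree.ElementTree as ET

# Constructed sample tomcat-users.xml; not taken from any Dell appliance.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="admin" password="admin" roles="manager-gui,admin-gui"/>
  <user username="deploy" password="plaintext-deploy-secret-2024" roles="manager-script"/>
  <user username="reader" password="x" roles="viewer"/>
</tomcat-users>
"""

# Tomcat's own Manager / Host Manager role names (assumption: this list is complete
# enough for an audit; extend it if the deployment defines custom admin roles).
MANAGER_ROLES = {
    "manager-gui", "manager-script", "manager-jmx", "manager-status",
    "admin-gui", "admin-script",
}
# Usernames that commonly appear as shipped defaults (assumed list).
GENERIC_NAMES = {"admin", "tomcat", "manager", "root", "administrator"}
SHORT_PASSWORD = 12  # assumed threshold for flagging obviously weak secrets


def _local(tag: str) -> str:
    """Strip an XML namespace prefix such as '{http://tomcat.apache.org/xml}'."""
    return tag.split("}")[-1]


def audit_tomcat_users(xml_text: str) -> list:
    """Return one finding per <user> that holds a Manager/Host Manager role.

    Each finding is a dict with 'username', 'roles' (sorted) and 'reasons'
    (why a reviewer should look at the account). Accounts without a
    privileged role are ignored; they cannot reach the Manager application.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        # Tomcat accepts both 'username' and the older 'name' attribute.
        name = el.get("username") or el.get("name") or ""
        roles = {r.strip() for r in (el.get("roles") or "").split(",") if r.strip()}
        privileged = roles & MANAGER_ROLES
        if not privileged:
            continue
        reasons = ["holds manager role(s): " + ", ".join(sorted(privileged))]
        if name.lower() in GENERIC_NAMES:
            reasons.append("generic/default username")
        pwd = el.get("password")
        if pwd is not None:
            if pwd.lower() == name.lower():
                reasons.append("password equals username")
            if len(pwd) < SHORT_PASSWORD:
                reasons.append("short password stored in file")
        findings.append({"username": name, "roles": sorted(roles), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{f['username']:<10} roles={','.join(f['roles'])}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run it against the file under `$CATALINA_BASE/conf/` on a staging copy of the appliance; any account the vendor did not document, or any account with a generic name and a password you cannot rotate, is a candidate for the same class of weakness this advisory describes and should be raised with the vendor rather than silently edited, since appliance updates may restore the file.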
Security researchers have noted that UNC6201 shares tactical similarities with other Chinese espionage clusters but remains a distinct entity. The group specifically targets appliances that lack standard endpoint detection and response tooling, which lets it operate undetected for extended periods. Its methods include the use of temporary virtual network interfaces, or "ghost NICs", which it creates to move laterally through internal or cloud environments and then deletes to erase its digital footprint.
Dell has released a bulletin urging users to upgrade to version 6.0.3.1 HF1 or to follow specific migration paths for older versions in order to mitigate the risk. The company emphasizes that this software should only be deployed within trusted, access-controlled internal networks protected by firewalls. Because the full scale of the campaign is still being uncovered, experts recommend that organizations hunt for the published indicators of compromise, especially if they have been targeted by similar state-sponsored activity in the past.
While the exact method of initial access remains under investigation, the attackers consistently focus on edge appliances to breach target networks. Once inside, they have been observed manipulating system configurations to extend their reach into VMware environments. Given how long the attackers have had to establish persistence, security teams are warned that the threat may remain active even in environments that have recently been patched or remediated.
Source: Dell RecoverPoint For VMs Zero-Day CVE-2026-22769 Exploited Since 2024