Dell Zero-Day Exploited for Two Years by Chinese Spies to Steal Data

Dell Patches Critical RecoverPoint Zero-Day (CVE-2026-22769) Actively Exploited by China-Nexus Group UNC6201

CRITICAL
February 17, 2026
Vulnerability | Threat Actor | Cyberattack

Related Entities

Threat Actors: UNC6201

Organizations: Dell, Google Threat Intelligence Group, Mandiant, CISA, VMware

Malware and Tools: GRIMBOLT, BRICKSTORM, SLAYSTYLE

CVE Identifiers: CVE-2026-22769 (CRITICAL, CVSS 10.0)


Executive Summary

On February 17, 2026, Dell disclosed a critical zero-day vulnerability, CVE-2026-22769, affecting its RecoverPoint for Virtual Machines product. The vulnerability, which scores a maximum 10.0 on the CVSS scale, is due to hardcoded credentials. Investigations by Google's Threat Intelligence Group and Mandiant revealed that a suspected China-nexus cyberespionage group, tracked as UNC6201, has been actively exploiting this flaw since at least mid-2024. The attackers used this access to deploy webshells and stealthy backdoors, including BRICKSTORM and a new malware called GRIMBOLT, for long-term persistence and data access. Dell has released patch 6.0.3.1 HF1, and all customers are urged to apply it immediately.


Threat Overview

The vulnerability resides in the RecoverPoint for Virtual Machines appliance, a solution used for backup and recovery in VMware environments. The core issue is a set of credentials hardcoded into the product. Because every installation ships with the same credentials, anyone who knows them can authenticate to the appliance remotely without holding a legitimate account, and the access they grant reaches the appliance's underlying operating system with root privileges.

The threat actor, UNC6201, demonstrated a sophisticated attack chain:

  1. Initial Access: The actor exploited CVE-2026-22769 by using the hardcoded credentials to log into the appliance's embedded Apache Tomcat Manager.
  2. Webshell Deployment: Once authenticated, the attackers deployed a webshell known as SLAYSTYLE to establish a persistent command and control channel.
  3. Payload Delivery: Using the webshell, the actor installed multiple malware families to solidify their foothold. This included BRICKSTORM, a known stealthy backdoor, and GRIMBOLT, a new C#-based backdoor.
  4. Evasion and Persistence: GRIMBOLT is notable for being built with .NET native ahead-of-time (AOT) compilation. AOT emits a stand-alone native binary with no IL or .NET metadata, so the usual .NET decompilers give analysts nothing to work with, and the backdoor does not depend on a .NET runtime being present on the appliance. This helped the actor maintain long-term, undetected access for cyberespionage purposes.

The two-year gap between the start of exploitation and public disclosure highlights the effectiveness of the actor's stealth techniques and the critical danger posed by hardcoded credentials in enterprise products.

Technical Analysis

The attack leverages several techniques mapped to the MITRE ATT&CK framework:

  • T1190 - Exploit Public-Facing Application: The initial attack vector was the exploitation of the vulnerable RecoverPoint appliance accessible over the network.
  • T1078.001 - Valid Accounts: Default Accounts: The root cause of the vulnerability is a set of credentials hardcoded into the product. Because they are shared by every installation they behave like a default account, and the attackers used them for initial access.
  • T1505.003 - Web Shell: The deployment of the SLAYSTYLE webshell on the compromised Apache Tomcat server provided the attackers with persistent access and a platform to execute further commands.
  • T1105 - Ingress Tool Transfer: The attackers transferred their backdoors (BRICKSTORM, GRIMBOLT) to the compromised system after gaining initial access.
  • T1027 - Obfuscated Files or Information: Native AOT compilation of the GRIMBOLT backdoor removes the IL and metadata that .NET analysis tools rely on, which has the same effect as deliberate obfuscation: analysis is slower and signature-based detection built for managed .NET binaries does not fire.

Impact Assessment

The exploitation of CVE-2026-22769 poses a severe risk to organizations. Since RecoverPoint appliances are deeply integrated into virtualization infrastructure and have access to critical backup data, a compromise can have catastrophic consequences:

  • Data Theft: Attackers can access or exfiltrate sensitive data from virtual machine backups.
  • Ransomware Deployment: Although this campaign was focused on espionage, the same access could be used to destroy backups and deploy ransomware across the virtual environment.
  • Lateral Movement: The compromised appliance serves as a powerful pivot point into the broader corporate network.
  • Long-Term Espionage: The stealthy nature of the backdoors allows for long-term, undetected monitoring and data exfiltration, which is consistent with the objectives of a nation-state actor like UNC6201.

Given the appliance's role, business impact includes significant data recovery costs, regulatory fines for data breaches, and loss of intellectual property.

Cyber Observables for Detection

Security teams should hunt for the following indicators:

  • url_pattern: /manager/html
    Unauthorized access attempts to the Apache Tomcat Manager interface on RecoverPoint appliances. Pay particular attention to 2xx responses from source addresses outside the management network, since these mean the credentials were accepted.
  • process_name: java
    Java processes belonging to Tomcat spawning anomalous child processes (e.g., sh, bash). A webshell runs its commands as children of the Tomcat process, so this parent-child relationship is the most reliable host-level signal.
  • file_path: /usr/local/tomcat/webapps/ (or wherever Tomcat's webapps directory lives on the appliance)
    Newly created or modified JSP, WAR, or other executable files in Tomcat web application directories, indicative of webshells like SLAYSTYLE.
  • network_traffic_pattern: outbound connections from the RecoverPoint appliance
    Any outbound connection from the appliance to a destination that is neither Dell nor part of its expected backup and vCenter traffic should be considered highly suspicious.
  • file_type: unrecognized native executables on the appliance
    GRIMBOLT is compiled with .NET native AOT, so it is a stand-alone native binary rather than an IL assembly and leaves no "dotnet" host process or runtime dependency to search for. Hunt instead for executables that are not part of the appliance's package baseline and compare their hashes against published indicators.

Detection & Response

  • Log Analysis: Immediately review the RecoverPoint web interface access logs and Apache Tomcat's access and catalina logs. Tomcat's access log records the client address, the authenticated user and the HTTP status of each request, so a 200 to /manager/html from an address outside your management network, or with an unfamiliar user agent, means the hardcoded credentials were accepted and should be treated as an incident, not an anomaly.
  • Endpoint Detection (EDR): If possible, deploy EDR agents or monitoring tools on the appliance's underlying OS. Hunt for suspicious processes, file creation events in web directories, and outbound network connections.
  • Network Monitoring: Use network traffic analysis to baseline normal traffic from the RecoverPoint appliance. Alert on any connections to suspicious or non-standard external destinations. Reference D3FEND technique D3-NTA - Network Traffic Analysis.
  • File Integrity Monitoring: Check the integrity of all files in the Tomcat web directories. Compare file hashes against known-good versions to identify webshells or other malicious modifications.
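The following script is an added example, not code from the article, Dell, or Google/Mandiant. It turns the two hunts above (Manager access review and webapps file-integrity checking) into something you can run: it parses Tomcat access-log lines, flags Manager requests from outside a trusted management subnet (and any deploy/upload, even from a trusted host), and diffs a SHA-256 baseline of the webapps tree against its current state. The subnet 10.10.0.0/24, the log lines, and the webapps paths are all constructed for the demo and must be replaced with your own values.

```python
"""
Hunt for UNC6201-style activity in a RecoverPoint appliance's Tomcat layer.

Checks:
  1. Access-log review: Tomcat Manager (/manager/...) requests from outside
     the management network, successful ones, and deploy/upload calls.
  2. File-integrity check: compare a SHA-256 baseline of the Tomcat webapps
     tree with its current state and flag new or changed JSP/WAR/class/JAR
     files (webshell candidates such as SLAYSTYLE).

Subnets, paths and log lines below are assumptions / constructed samples,
not values taken from Dell's advisory.
"""
import hashlib
import re
import tempfile
from ipaddress import ip_address, ip_network
from pathlib import Path

# Assumed trusted management subnet; replace with your jump-host ranges.
TRUSTED_MGMT_NETS = [ip_network("10.10.0.0/24")]

# Tomcat "common" access-log pattern: %h %l %u %t "%r" %s %b
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Manager endpoints that write a web application into webapps/.
DEPLOY_PREFIXES = ("/manager/text/deploy", "/manager/html/deploy", "/manager/html/upload")

# Content that executes inside Tomcat; new or changed files are webshell candidates.
EXEC_SUFFIXES = (".jsp", ".jspx", ".war", ".class", ".jar")


def parse_access_line(line):
    """Parse one Tomcat access-log line into a dict, or None if it does not match."""
    m = ACCESS_RE.match(line)
    return m.groupdict() if m else None


def is_deploy(path):
    """True when the request path (query string ignored) is a Manager deploy/upload call."""
    return path.split("?", 1)[0].startswith(DEPLOY_PREFIXES)


def find_suspicious_manager_access(log_text, trusted_nets=TRUSTED_MGMT_NETS):
    """Return Manager requests worth an analyst's attention, each with its reasons.

    Manager traffic from a trusted admin subnet is normal unless it deploys an
    app; anything from elsewhere is flagged, and a 2xx status means the
    credentials (here, the hardcoded ones) were accepted.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_access_line(line)
        if rec is None or not rec["path"].startswith("/manager"):
            continue
        try:
            trusted = any(ip_address(rec["ip"]) in net for net in trusted_nets)
        except ValueError:          # hostname logged instead of an address: treat as untrusted
            trusted = False
        deploy = is_deploy(rec["path"])
        if trusted and not deploy:
            continue
        reasons = []
        if not trusted:
            reasons.append("Manager request from outside the management network")
        if rec["status"].startswith("2"):
            reasons.append("request succeeded: credentials were accepted")
        if deploy:
            reasons.append("web application deployed/uploaded via Manager")
        findings.append({"ip": rec["ip"], "user": rec["user"], "path": rec["path"],
                         "status": rec["status"], "reasons": reasons})
    return findings


def hash_tree(root):
    """SHA-256 of every regular file under root, keyed by path relative to root."""
    root = Path(root)
    return {str(p.relative_to(root)).replace("\\", "/"): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_webapps(baseline, current):
    """Compare two hash_tree() snapshots; 'suspicious' lists new/changed executable content."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    suspicious = sorted(p for p in added + modified if p.lower().endswith(EXEC_SUFFIXES))
    return {"added": added, "modified": modified, "removed": removed, "suspicious": suspicious}


# Constructed sample log: one legitimate admin session, then an outside host that
# fails, succeeds with the shared credentials, deploys a WAR and calls its JSP.
SAMPLE_LOG = """\
10.10.0.5 - admin [17/Feb/2026:09:12:01 +0000] "GET /manager/html HTTP/1.1" 200 14321
203.0.113.45 - - [17/Feb/2026:09:14:33 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.45 - admin [17/Feb/2026:09:14:35 +0000] "GET /manager/html HTTP/1.1" 200 14321
203.0.113.45 - admin [17/Feb/2026:09:15:02 +0000] "PUT /manager/text/deploy?path=/util HTTP/1.1" 200 68
198.51.100.7 - - [17/Feb/2026:09:20:10 +0000] "GET /util/index.jsp?cmd=id HTTP/1.1" 200 91
10.10.0.5 - - [17/Feb/2026:09:30:00 +0000] "GET /RecoverPoint/ HTTP/1.1" 200 5120
"""

if __name__ == "__main__":
    for f in find_suspicious_manager_access(SAMPLE_LOG):
        print(f"{f['ip']:>15} {f['status']} {f['path']}: " + "; ".join(f["reasons"]))

    # Simulated webapps tree: take a baseline, then drop a WAR and edit a JSP.
    with tempfile.TemporaryDirectory() as tmp:
        webapps = Path(tmp)
        (webapps / "ROOT").mkdir()
        (webapps / "ROOT" / "index.jsp").write_text("<%-- vendor page --%>")
        baseline = hash_tree(webapps)
        (webapps / "util.war").write_bytes(b"PK\x03\x04fake-war")
        (webapps / "ROOT" / "index.jsp").write_text("<%-- modified --%>")
        print(diff_webapps(baseline, hash_tree(webapps)))
```

In practice, take the webapps baseline from a freshly patched appliance (or from a known-good backup of the appliance's disk) and store it off-box, since an attacker with root can rewrite a baseline kept on the appliance. The access-log check deliberately flags a deploy even from a trusted subnet: a legitimate administrator rarely deploys applications to a vendor appliance, and that is exactly the step the SLAYSTYLE webshell drop requires.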

Mitigation

  • Immediate Patching: The primary mitigation is to apply Dell's patch (version 6.0.3.1 HF1 or later) immediately. This is a critical action. Reference D3FEND technique D3-SU - Software Update.
  • Network Isolation: If patching is not immediately possible, restrict network access to the RecoverPoint management interface. It should only be accessible from a trusted management network or specific administrative jump hosts. Do not expose this interface to the internet. Reference D3FEND technique D3-NI - Network Isolation.
  • Credential Management: Hardcoded credentials cannot be rotated by the customer; only the vendor patch removes them. As a general practice, still enforce strong, unique passwords for every management interface and disable or change any default credentials the product does let you manage. Reference D3FEND technique D3-SPP - Strong Password Policy.
  • Assume Compromise: Given the long exploitation window, organizations should consider appliances that were unpatched and accessible as potentially compromised. A full incident response investigation may be warranted.

Timeline of Events

  • June 1, 2024: Active exploitation of CVE-2026-22769 by UNC6201 is believed to have begun around this time.
  • February 17, 2026: Dell issues a security advisory and releases a patch for CVE-2026-22769.
  • February 17, 2026: This article was published.

MITRE ATT&CK Mitigations

  • Update Software (M1051): Applying the vendor-supplied patch (6.0.3.1 HF1) is the most effective way to remediate the vulnerability.
  • Network Segmentation (M1030): Restricting network access to the RecoverPoint management interface to only trusted administrative hosts significantly reduces the attack surface.
  • Password Policies (M1027): While the flaw was hardcoded, this incident underscores the importance of eliminating default or weak credentials from all systems and of maintaining a culture of strong credential management.
  • Audit (M1047): Regularly auditing access logs for critical appliances can help detect anomalous or unauthorized login attempts before a full compromise occurs.

Article Author

Jason Gomes


• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

zero-day, hardcoded credentials, cyberespionage, VMware, backup security, UNC6201
