Microsoft and Dell Patch Actively Exploited Zero-Day Vulnerabilities

Microsoft Patches Windows Admin Center Flaw as Dell Discloses Actively Exploited RecoverPoint Zero-Day

CRITICAL
February 27, 2026
February 28, 2026

Related Entities (initial)

Threat Actors
  • UNC6201

Organizations
  • (none listed)

Products & Tech
  • Windows Admin Center
  • Dell RecoverPoint for Virtual Machines

Other
  • BRICKSTORM
  • GRIMBOLT

CVE Identifiers
  • CVE-2026-26119: HIGH, CVSS 8.8
  • CVE-2026-22769: CRITICAL, CVSS 10.0

Full Report (when first published)

Executive Summary

Enterprise IT administrators are facing two new significant threats, with patches now available. Microsoft has addressed a critical privilege escalation vulnerability, CVE-2026-26119, in its Windows Admin Center platform. Separately and more urgently, Dell has disclosed that a critical, CVSS 10.0 zero-day vulnerability, CVE-2026-22769, in its RecoverPoint for Virtual Machines solution has been under active exploitation by a suspected China-linked threat group since mid-2024. The Dell flaw allows for complete system takeover and has been added to CISA's KEV catalog. Organizations using these products are urged to apply the respective patches immediately.


Vulnerability Details

Dell RecoverPoint for VMs: CVE-2026-22769

This is a critical vulnerability with a CVSS score of 10.0, indicating maximum severity.

  • Flaw: The vulnerability is due to hard-coded credentials within the RecoverPoint for VMs software. An unauthenticated attacker can use these static credentials to gain root-level access to the appliance.
  • Exploitation: A suspected China-linked threat group, tracked as UNC6201, has been exploiting this flaw since mid-2024. They use the access to establish persistent backdoors and deploy malware.
  • Malware: The attackers have been observed deploying two malware families:
    • BRICKSTORM: A backdoor providing persistent access.
    • GRIMBOLT: Another malicious tool used in the attack chain.
  • TTPs: Attackers have been seen deploying web shells via the Tomcat Manager on compromised appliances, enabling deep system control and facilitating lateral movement.

Microsoft Windows Admin Center: CVE-2026-26119

This is a critical vulnerability with a CVSS score of 8.8.

  • Flaw: The vulnerability is a privilege escalation issue resulting from an improper authentication mechanism.
  • Exploitation: An attacker who is already authenticated on the same network as the Windows Admin Center can exploit this flaw to elevate their privileges to match those of the user running the WAC system. If WAC is running as a high-privileged user, the attacker gains those same privileges.
  • Status: While Microsoft has not observed active exploitation, it has assessed that exploitation is "more likely," indicating a high risk.

Impact Assessment

  • Dell CVE-2026-22769: A compromise of a data recovery appliance is extremely severe. Attackers could corrupt or delete backups, preventing recovery after a ransomware attack. They could also use the appliance as a highly privileged pivot point to move laterally across the virtual infrastructure.
  • Microsoft CVE-2026-26119: Gaining elevated privileges via Windows Admin Center allows an attacker to manage and potentially compromise any servers connected to that WAC instance, leading to widespread domain compromise.

Remediation Steps

Immediate patching is required for both vulnerabilities.

  • For Dell CVE-2026-22769:

    1. Upgrade: Customers must upgrade to a patched version of Dell RecoverPoint for Virtual Machines immediately.
    2. Network Segmentation: Dell strongly advises deploying the appliances within a segmented, protected network with no direct exposure to the internet. This aligns with D3FEND's Network Isolation (D3-NI).
    3. Threat Hunt: Organizations should hunt for signs of compromise, including the presence of BRICKSTORM or GRIMBOLT malware and any unauthorized web shells in Tomcat directories.
  • For Microsoft CVE-2026-26119:

    1. Upgrade: Update to Windows Admin Center version 2511 or later. The patch was released in December 2025, so organizations may already be protected if they maintain regular update cycles. This is an application of D3FEND's Software Update (D3-SU).
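The threat-hunt step above (unauthorized web shells deployed through the Tomcat Manager) can be turned into two simple checks: flag Manager deploy/upload requests and JSP hits in unexpected contexts in the Tomcat access log, and list files under the webapps directory whose context is not in a known-good baseline. This is an added example, not Dell's or the article's tooling; the log lines, the KNOWN_CONTEXTS baseline and the webapps path are constructed assumptions, not the appliance's real layout.

```python
import os
import re

# Constructed Tomcat access-log lines (common log format), not a real capture.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [26/Feb/2026:09:12:01 +0000] "GET /manager/html HTTP/1.1" 200 5120
10.0.0.5 - admin [26/Feb/2026:09:12:44 +0000] "PUT /manager/text/deploy?path=/sync&update=true HTTP/1.1" 200 63
10.0.0.5 - - [26/Feb/2026:09:13:10 +0000] "GET /sync/cmd.jsp?x=id HTTP/1.1" 200 418
192.168.1.20 - - [26/Feb/2026:09:15:00 +0000] "GET /RecoverPoint/index.html HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Assumed baseline of contexts expected on the appliance; build yours from a
# known-clean install, this set is illustrative only.
KNOWN_CONTEXTS = {"/RecoverPoint", "/manager", "/host-manager"}

def hunt_access_log(log_text, known_contexts=KNOWN_CONTEXTS):
    """Return (reason, ip, method, request) tuples for suspicious requests."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        parts = path.split("/")
        ctx = "/" + parts[1] if len(parts) > 1 else "/"
        # Manager text/HTML deploy endpoints install a new WAR; rarely legitimate
        # on an appliance after initial deployment.
        if path.startswith(("/manager/text/deploy", "/manager/html/upload")):
            findings.append(("manager_deploy", m["ip"], m["method"], m["path"]))
        # A JSP served from a context not in the baseline is a web-shell indicator.
        elif path.lower().endswith(".jsp") and ctx not in known_contexts:
            findings.append(("jsp_unknown_context", m["ip"], m["method"], m["path"]))
    return findings

def unexpected_deployments(inventory, known_contexts=KNOWN_CONTEXTS):
    """inventory: paths relative to the webapps dir (e.g. 'sync/cmd.jsp', 'sync.war')."""
    hits = set()
    for rel in inventory:
        ctx = "/" + rel.split("/")[0].removesuffix(".war")
        if ctx not in known_contexts:
            hits.add(rel)
    return sorted(hits)

def inventory_webapps(webapps_dir):
    """Walk a Tomcat webapps directory and return relative file paths."""
    out = []
    for root, _dirs, files in os.walk(webapps_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), webapps_dir)
            out.append(rel.replace(os.sep, "/"))
    return out

if __name__ == "__main__":
    for f in hunt_access_log(SAMPLE_ACCESS_LOG):
        print(f)
```

Run `unexpected_deployments(inventory_webapps("/path/to/tomcat/webapps"))` against the appliance's actual webapps directory once the baseline set reflects a known-clean install.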

Timeline of Events

  1. June 1, 2024: Threat actor UNC6201 begins actively exploiting the Dell RecoverPoint zero-day (CVE-2026-22769).
  2. December 1, 2025: Microsoft releases Windows Admin Center version 2511, patching CVE-2026-26119.
  3. February 27, 2026: Dell discloses the active exploitation of CVE-2026-22769 and releases patches.
  4. February 27, 2026: This article was published.

Article Updates

February 28, 2026

New details emerge for Microsoft Windows Admin Center flaw (CVE-2026-26119), including vulnerability type, discoverer, detailed detection methods, and enhanced remediation guidance.

MITRE ATT&CK Mitigations

Applying patches for both the Dell and Microsoft vulnerabilities is the only way to remediate them.

Isolating critical management appliances like Dell RecoverPoint from the general network and the internet drastically reduces the attack surface.

Vendors must avoid using hard-coded credentials. End-users must change all default passwords upon deployment.

Sources & References (when first published)

Top 5 Cybersecurity News Stories February 27, 2026
DIESEC (diesec.com) February 27, 2026

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.