CVE-2026-22769: Dell RecoverPoint CVSS 10.0 Zero-Day Exploited by China-Nexus Hackers Since 2024

Published: February 20, 2026 | Reading time: 10 minutes


A maximum-severity zero-day vulnerability in Dell RecoverPoint for Virtual Machines has been silently exploited by a China-linked espionage group for 18 months — and CISA just gave federal agencies until tomorrow to patch it.

CVE-2026-22769 (CVSS 10.0) — a hardcoded credential flaw in the Apache Tomcat Manager component of Dell RecoverPoint — was disclosed and patched on February 18, 2026. The catch: attackers from UNC6201, a suspected PRC-nexus threat cluster with overlaps to Silk Typhoon, had already been weaponizing it as a zero-day since at least mid-2024.

The attack chain is uncomfortably elegant: authenticate with a hardcoded admin password → upload a SLAYSTYLE web shell → drop the BRICKSTORM or GRIMBOLT backdoor → create "Ghost NICs" on VMware ESXi to pivot laterally without tripping any alarms. Organizations previously targeted by BRICKSTORM are now being warned they may have GRIMBOLT hiding in their environments too.

CISA's response — adding this to the Known Exploited Vulnerabilities catalog with a three-day remediation deadline — is a flashing neon sign. If you run Dell RecoverPoint for VMs, patch right now.

Vulnerability Overview

CVE-2026-22769 is about as bad as a vulnerability gets. Maximum CVSS score. No authentication required. Remote code execution with root-level persistence. Actively exploited before the vendor even knew it existed.

CVE-2026-22769 at a Glance

  • CVE ID: CVE-2026-22769
  • CVSS Score: 10.0 (Critical — Maximum)
  • Vulnerability Type: Hardcoded Credentials (CWE-798)
  • Affected Product: Dell RecoverPoint for Virtual Machines
  • Affected Versions: All versions prior to 6.0.3.1 HF1 (including 5.3 SP4 P1 and all 6.0.x releases)
  • Attack Vector: Network — No authentication, no user interaction required
  • Patch Available: Yes — Dell DSA-2026-079 (February 18, 2026)
  • CISA KEV: Added February 20, 2026 — Federal remediation deadline: February 21, 2026
  • Exploitation Status: Actively exploited in the wild since mid-2024
  • Threat Actor: UNC6201 (suspected PRC nexus / Silk Typhoon overlap)

⚠️ Critical Context: Dell RecoverPoint for Virtual Machines is an enterprise disaster recovery and continuous data protection appliance for VMware environments. It's typically deployed in high-trust network segments with access to critical infrastructure — exactly the kind of position a state-sponsored espionage actor wants. This is not a consumer product; it's a crown jewel target.

What Products Are Affected?

Only Dell RecoverPoint for Virtual Machines is affected. RecoverPoint Classic (physical appliance) is not vulnerable to this specific flaw. The vulnerable versions include:

  • RecoverPoint for Virtual Machines 5.3 SP4 P1 (requires migration to 6.0 SP3, then upgrade to 6.0.3.1 HF1)
  • Versions 6.0, 6.0 SP1, 6.0 SP1 P1, 6.0 SP1 P2, 6.0 SP2, 6.0 SP2 P1, 6.0 SP3, 6.0 SP3 P1
  • Versions 5.3 SP4, 5.3 SP3, 5.3 SP2, and earlier (upgrade to 5.3 SP4 P1 or a 6.x version first)

The Attack Chain: From Hardcoded Creds to Root Persistence

The vulnerability itself is conceptually simple — Dell hardcoded a default admin password in the Apache Tomcat Manager configuration bundled with RecoverPoint for VMs. That single mistake gave UNC6201 an unauthenticated entry point into the appliance with management-level access.

From there, the attack chain flows through a well-practiced playbook:

Step 1: Apache Tomcat Manager Authentication

Attackers authenticate to the RecoverPoint appliance's bundled Apache Tomcat Manager using the hardcoded admin credentials. Security analysts observed "multiple web requests" to vulnerable appliances using the admin username, directed at the installed Tomcat Manager interface. Because Tomcat Manager is exposed to the network (often without additional authentication hardening on the management plane), this is a trivially simple first step.

Step 2: SLAYSTYLE Web Shell Deployment

With authenticated access to Tomcat Manager, attackers upload a malicious WAR (Web Application Archive) file via the /manager/text/deploy endpoint. This WAR contains the SLAYSTYLE web shell — a persistent, interactive foothold on the appliance that allows arbitrary command execution.

Tomcat's WAR deployment mechanism is a legitimate administrative function. Using it with stolen (or in this case, hardcoded) credentials produces no inherently suspicious activity — no exploit, no crash, no memory corruption. It looks like routine administration.

Step 3: Root-Level Command Execution

Through SLAYSTYLE, attackers execute commands as root on the underlying operating system. This includes:

  • Downloading and dropping BRICKSTORM or GRIMBOLT backdoor binaries
  • Modifying convert_hosts.sh — a legitimate boot-time shell script executed via rc.local — to load the backdoor at startup, ensuring persistence across reboots
  • Configuring iptables rules to monitor port 443 for specific hex strings, whitelist attacker IPs, and redirect traffic to port 10443 for 300-second windows
  • Querying internal databases and extracting configuration data

Step 4: Administrative Account Takeover

In a particularly sophisticated move, UNC6201 deployed a custom Python script for temporary privilege escalation. The script:

  1. Queries the RecoverPoint database to back up the existing password hash for admin User ID 1
  2. Uses the application's own check_auth binary to generate a valid hash for a chosen password
  3. Injects the new hash into the database, granting full admin access for 60 seconds
  4. Restores the original hash and self-destructs

This 60-second window is enough to extract configuration secrets, create persistent accounts, or stage further access — and leaves almost nothing in logs to find.

Malware Deep Dive: SLAYSTYLE, BRICKSTORM, and GRIMBOLT

UNC6201 didn't stumble across this vulnerability and improvise. They arrived with a toolkit. Understanding each component matters for detection and threat hunting.

SLAYSTYLE

SLAYSTYLE is a web shell deployed as a WAR file via Tomcat Manager. It provides an interactive command interface on the compromised appliance. While functionally similar to common web shells (China Chopper, Godzilla), its deployment via a legitimate Tomcat WAR deployment mechanism makes it harder to detect through traditional endpoint-focused controls.

Detection hint: Look for unexpected WAR deployments in Tomcat Manager access logs, particularly to unusual path names or from unexpected source IPs.

BRICKSTORM

BRICKSTORM is UNC6201's primary backdoor — first observed in 2024 during a broader BRICKSTORM campaign targeting VMware environments in critical US networks. Earlier versions were written in Go, with later iterations rewritten in Rust. It provides:

  • Remote shell access
  • Command-and-control (C2) communication
  • Lateral movement capabilities
  • Persistence via modified boot scripts

Critically, BRICKSTORM targets network appliances and edge devices that lack traditional EDR coverage — a deliberate architectural choice by the threat actor.

GRIMBOLT — The Upgrade

In September 2025, UNC6201 began swapping out BRICKSTORM with GRIMBOLT — a newer, more evasion-resistant C# backdoor. Key technical characteristics:

  • Native AOT compilation: Compiles C# code to native machine code ahead of runtime, making reverse engineering significantly harder and reducing managed runtime signatures
  • UPX packing: Further compresses the native binary, reducing file size and complicating static analysis
  • Same C2 infrastructure: GRIMBOLT reuses BRICKSTORM's C2 endpoints, suggesting the upgrade was a tactical evasion improvement, not an infrastructure overhaul
  • Filesystem blending: Designed to mimic system-native file characteristics, making it harder to identify as malicious during manual review
  • Same remote shell capabilities as BRICKSTORM, with improved anti-forensics

🔍 Threat Hunting Note: If your organization has previously been targeted by BRICKSTORM, Mandiant is explicitly warning you to hunt for GRIMBOLT. The malware replacement happened in September 2025 — if you remediated BRICKSTORM but didn't re-image the appliance, GRIMBOLT may still be present. Check for anomalous C# native binaries and look at your rc.local and convert_hosts.sh scripts.

Ghost NICs: VMware's Hidden Pivot Points

The most technically novel aspect of this campaign — and the one that makes it genuinely scary for VMware administrators — is the "Ghost NIC" technique.

After gaining root on the RecoverPoint appliance, UNC6201 creates temporary, hidden virtual network interfaces on ESXi-hosted virtual machines. These Ghost NICs provide a covert network path from the compromised RecoverPoint appliance directly into the broader VMware virtual infrastructure — bypassing network segmentation, firewall rules, and traditional network monitoring.

Why This Works

RecoverPoint for VMs requires deep integration with the VMware vSphere environment to perform its disaster recovery function. It has privileged access to the ESXi management plane — access that, when abused, allows programmatic creation and deletion of virtual network adapters on running VMs.

Ghost NICs are ephemeral by design. They're created, used for lateral movement or data exfiltration, and then deleted — leaving no persistent network configuration change that would show up in routine CMDB audits or change management reviews.

Why This Is Hard to Detect

  • No firewall rules to trigger: The NIC exists at the ESXi level, below the guest OS firewall
  • Ephemeral: Deleted after use, leaving minimal forensic traces
  • Legitimate-looking operation: Adding/removing NICs is a normal vSphere admin task
  • Insufficient ESXi logging: Many organizations don't log vSphere management API calls at the granularity needed to catch this

VMware (now Broadcom) has not yet issued a statement on the Ghost NIC technique specifically. However, this is a systemic issue: any product with privileged ESXi API access that gets compromised becomes a potential pivot point for this technique.
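The detection gap above is the ephemeral add/remove pairing. The following is an added example (not code from the article, Dell, VMware or Mandiant) that pairs NIC additions with their removals in a flattened vCenter event export and flags short-lived NICs, especially ones created by an identity that normally never touches virtual hardware; the record fields, the "rp4vm-svc" account name and the one-hour window are assumptions for this demo.

```python
"""Detect the Ghost NIC pattern: a virtual NIC added to a VM and removed
again shortly afterwards, by an identity that does not normally change
virtual hardware.

Added example, not code from the article or from Dell, VMware or Mandiant.
SAMPLE_EVENTS is constructed to resemble a flattened export of vCenter
VmReconfiguredEvent entries; field names, the account name "rp4vm-svc"
and the default window are assumptions for this demo.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample export: one row per NIC add/remove on a VM.
SAMPLE_EVENTS = [
    {"time": "2026-02-10T02:14:05Z", "vm": "db-prod-01", "user": "rp4vm-svc",
     "action": "add", "device": "VirtualVmxnet3"},
    {"time": "2026-02-10T02:31:40Z", "vm": "db-prod-01", "user": "rp4vm-svc",
     "action": "remove", "device": "VirtualVmxnet3"},
    {"time": "2026-02-09T10:00:00Z", "vm": "file-srv-03", "user": "vsphere-admin",
     "action": "add", "device": "VirtualVmxnet3"},
    {"time": "2026-02-12T10:00:00Z", "vm": "file-srv-03", "user": "vsphere-admin",
     "action": "remove", "device": "VirtualVmxnet3"},
    {"time": "2026-02-10T09:00:00Z", "vm": "web-02", "user": "vsphere-admin",
     "action": "add", "device": "VirtualE1000e"},
]

# Identities expected to change virtual hardware (assumption for this demo).
EXPECTED_HW_CHANGERS = {"vsphere-admin"}


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_ghost_nics(events, window_seconds=3600, expected=EXPECTED_HW_CHANGERS):
    """Pair each NIC removal with the earliest unmatched add on the same VM.

    Returns one finding per add/remove pair whose lifetime is at most
    `window_seconds`, in event-time order. `unexpected_user` marks pairs
    created by an identity outside `expected` (e.g. a DR service account).
    """
    pending = defaultdict(list)   # vm -> [(add_time, user)] awaiting removal
    findings = []
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        t = parse_time(ev["time"])
        if ev["action"] == "add":
            pending[ev["vm"]].append((t, ev["user"]))
        elif ev["action"] == "remove" and pending[ev["vm"]]:
            added_at, add_user = pending[ev["vm"]].pop(0)
            lifetime = int((t - added_at).total_seconds())
            if lifetime <= window_seconds:
                findings.append({
                    "vm": ev["vm"],
                    "user": add_user,
                    "added": added_at.isoformat(),
                    "removed": t.isoformat(),
                    "seconds": lifetime,
                    "unexpected_user": add_user not in expected,
                })
    return findings


if __name__ == "__main__":
    for f in find_ghost_nics(SAMPLE_EVENTS):
        flag = "UNEXPECTED USER " if f["unexpected_user"] else ""
        print(f"{flag}{f['vm']}: NIC lived {f['seconds']}s "
              f"({f['added']} -> {f['removed']}) by {f['user']}")
```

Unmatched adds (web-02 above) are left alone on purpose: a NIC that stays is a normal change, while the pairing is what separates a Ghost NIC from routine administration.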

UNC6201 and the Silk Typhoon Connection

UNC6201 is a suspected People's Republic of China-nexus threat cluster tracked by Google's Mandiant and Threat Intelligence Group. They've been targeting enterprise edge appliances — particularly those running VMware workloads — for long-term espionage operations.

Silk Typhoon Overlap

Mandiant assesses that UNC6201 shares characteristics with Silk Typhoon (also tracked as UNC5221 by some researchers), a Chinese state-backed espionage crew known for:

  • Exploitation of zero-day vulnerabilities in enterprise appliances
  • Targeting US government agencies and federal networks
  • Long-dwell-time intrusions (months to years)
  • Focus on virtualization technologies (VMware, Citrix, F5)
  • Previous exploitation of Ivanti zero-days

The Broader Campaign Picture

This isn't a one-off attack. The Dell RecoverPoint zero-day fits into a documented, multi-year PRC-linked espionage campaign against Western critical infrastructure:

  • September 2025: Google first warned about BRICKSTORM in dozens of critical US networks
  • December 2025: CISA and CrowdStrike warned that Chinese attackers were targeting VMware environments using BRICKSTORM
  • February 2026: CISA warned that China remains embedded in US energy networks "for the purpose of taking it down"
  • February 18, 2026: Dell patches CVE-2026-22769; Mandiant discloses 18+ months of exploitation
  • February 20, 2026 (today): CISA adds CVE-2026-22769 to KEV with a 3-day deadline

CISA's Nick Andersen said in December: "State-sponsored actors are not just infiltrating networks. They're embedding themselves to enable long term access, disruption, and potential sabotage." CVE-2026-22769 is a textbook example of exactly that.

Scope of Compromise

Mandiant currently knows of fewer than a dozen confirmed victims. But Rich Reece, Mandiant Consulting Manager at Google Cloud, is careful to note: "Because the full scale of this campaign is unknown, we recommend that organizations previously targeted by BRICKSTORM look out for GRIMBOLT in their environments. We anticipate additional companies will find active or historic compromises as they begin hunting using the new IOCs/YARA rules we published."

Translation: the confirmed number is almost certainly the floor, not the ceiling. UNC6201 has had 18+ months of undetected access across an unknown number of organizations. Confirmed targets were concentrated in North America, spanning:

  • Government agencies
  • Critical infrastructure operators
  • Defense sector organizations
  • Energy sector

The actor deliberately targeted edge appliances without EDR coverage — meaning standard endpoint detection tools would never see the compromise. If you're only hunting for threats on your Windows and Linux servers, you're looking in the wrong place.

CISA's 3-Day Deadline: What It Actually Means

CISA's Known Exploited Vulnerabilities (KEV) catalog is not a suggestion list. Under Binding Operational Directive 22-01, all civilian federal agencies must remediate KEV entries within the specified timeframe. For CVE-2026-22769, that deadline is February 21, 2026 — tomorrow.

The three-day deadline (instead of the more common 14 or 21 days) signals that CISA considers this an actively dangerous, immediately actionable threat. The agency used the same compressed timeline just last week for the BeyondTrust RCE (CVE-2026-1731, CVSS 9.9).

For non-federal organizations, the KEV catalog is still the strongest available signal for patch prioritization. When CISA says "patch within 3 days," the private sector should be asking "why aren't we patching within 3 days too?"

⚠️ Bottom Line: If you're running Dell RecoverPoint for VMs in a federal network, you must patch by tomorrow. If you're running it anywhere else, you should be patching right now — not after your next change control window, not after your next maintenance cycle. Now.

Immediate Remediation Steps

Dell's security advisory DSA-2026-079 provides the official remediation path. The target version is 6.0.3.1 HF1. Depending on your current version:

Upgrade Paths

  • Version 5.3 SP4 P1: Migrate to RecoverPoint for VMs 6.0 SP3, then upgrade to 6.0.3.1 HF1
  • Versions 6.0 through 6.0 SP3 P1: Upgrade directly to 6.0.3.1 HF1
  • Versions 5.3 SP4, SP3, SP2, and earlier: Upgrade to 5.3 SP4 P1 first, or go directly to a 6.x version, then apply HF1

Network Isolation (Interim Mitigation)

If immediate patching isn't possible, Dell recommends deploying RecoverPoint for VMs within a trusted, access-controlled internal network protected by appropriate firewalls and network segmentation. The appliance is not intended for exposure to untrusted or public networks — if yours is exposed, restrict access immediately.

Compromise Assessment

Given 18+ months of potential exploitation before disclosure, patching alone isn't sufficient if you've been running a vulnerable version. Run a compromise assessment:

  1. Review Tomcat Manager access logs for requests using the admin username
  2. Audit deployed WAR files in Tomcat — check for unexpected or recently added applications
  3. Inspect convert_hosts.sh and rc.local for unexpected modifications
  4. Hunt for GRIMBOLT IOCs and YARA rules published by Mandiant/Google Threat Intelligence Group
  5. Review ESXi logs for unexpected virtual NIC creation/deletion events
  6. Check for newly created domain or local administrator accounts
  7. Scan for C# native AOT-compiled binaries in unexpected locations

Detection and Threat Hunting

This is where the work gets interesting for blue teamers and incident responders.

Key Indicators of Compromise

Mandiant and the Google Threat Intelligence Group published IOCs and YARA rules alongside their disclosure. The full list is available in their threat intelligence report. Key hunting indicators include:

  • Tomcat Manager admin logins — especially from non-management IPs
  • Unexpected WAR file deployments — look for non-standard application names
  • Modifications to convert_hosts.sh — file hash comparison against known-good
  • C2 traffic patterns matching BRICKSTORM/GRIMBOLT infrastructure
  • Ghost NIC creation events in vSphere API/management logs
  • 60-second database modifications to the admin account hash (look for paired write/restore events in database audit logs)
  • UPX-packed C# native binaries in appliance file paths
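The first two indicators in that list, and steps 1 and 2 of the compromise assessment above, can be checked directly against Tomcat's access log. This is an added example (not code from the article, Dell or Mandiant) that triages log lines in Tomcat's default "common" AccessLogValve format for WAR deployments and for admin-authenticated Manager requests from outside the management network; the sample lines, IPs and the management CIDR are constructed for the demo.

```python
"""Triage a Tomcat Manager access log for WAR deployments and for admin
logins from outside the management network.

Added example; not code from the article, Dell or Mandiant. SAMPLE_LOG is
constructed in Tomcat's default "common" AccessLogValve format; the
management CIDR and all IPs are assumptions for this demo.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample log lines (timestamps and IPs are made up).
SAMPLE_LOG = """\
10.20.30.5 - admin [19/Jun/2024:03:12:44 +0000] "GET /manager/text/list HTTP/1.1" 200 117
203.0.113.77 - admin [19/Jun/2024:03:12:51 +0000] "PUT /manager/text/deploy?path=/ota HTTP/1.1" 200 43
10.20.30.5 - admin [19/Jun/2024:04:00:00 +0000] "GET /manager/html HTTP/1.1" 200 9811
198.51.100.12 - - [19/Jun/2024:04:05:30 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.20.30.5 - admin [20/Jun/2024:01:30:12 +0000] "PUT /manager/text/deploy?path=/backup HTTP/1.1" 200 43
"""

MANAGEMENT_NETS = [ipaddress.ip_network("10.20.30.0/24")]  # assumption
ADMIN_USER = "admin"
# Manager paths that (re)deploy an application. The text interface takes the
# WAR in a PUT body; the HTML interface uploads via /manager/html/upload.
DEPLOY_PATHS = ("/manager/text/deploy", "/manager/html/upload", "/manager/html/deploy")

# %h %l %u %t "%r" %s %b  (Tomcat "common" pattern)
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) \S+$')


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, user, ts, method, target, status = m.groups()
    return {"ip": ip, "user": user, "time": ts, "method": method,
            "path": urlsplit(target).path, "status": int(status)}


def in_management_net(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MANAGEMENT_NETS)


def triage(log_text):
    """Return one finding per (line, reason); reasons are
    'war_deploy' and 'admin_outside_mgmt'. Failed requests (>= 400) are
    skipped because they never reached a Manager function."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["status"] >= 400:
            continue
        reasons = []
        if rec["path"].startswith(DEPLOY_PATHS):
            reasons.append("war_deploy")
        if (rec["user"] == ADMIN_USER and rec["path"].startswith("/manager/")
                and not in_management_net(rec["ip"])):
            reasons.append("admin_outside_mgmt")
        for reason in reasons:
            findings.append({"reason": reason, **rec})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['reason']:20} {f['time']} {f['ip']:15} {f['method']} {f['path']}")
```

Every deployment is reported, including those from the management network, because the page's guidance is to review all unexpected WAR deployments, not only remote ones.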

Detection Tools

For hunting across your network estate:

  • Cortex Xpanse — Palo Alto Networks has confirmed it can detect exposed CVE-2026-22769 instances; 10,600+ vulnerable instances were identified at disclosure
  • Mandiant YARA rules — For GRIMBOLT and BRICKSTORM detection on the appliance filesystem
  • vSphere API logging — Enable comprehensive logging of virtual hardware changes including NIC add/remove events
  • Network anomaly detection — Look for unexpected traffic originating from the RecoverPoint management IP to internal VMs

Bug Hunter Angle: Hardcoded Credentials in Enterprise Appliances

CVE-2026-22769 is a reminder that one of the oldest, most boring vulnerability classes — hardcoded credentials (CWE-798) — keeps appearing at CVSS 10.0 in enterprise products because vendors continue to ship them and organizations continue to deploy them without baseline hardening.

Why Hardcoded Credentials Keep Happening

From a vendor engineering perspective, hardcoded defaults are usually a convenience decision: "We'll document this in the setup guide and customers will change it." The reality: many don't. When a disaster recovery appliance sits in a management VLAN with limited external exposure, changing default credentials often falls off the post-deployment checklist.

Hunting for Hardcoded Credentials in Bug Bounty Programs

Enterprise appliances — VPN gateways, backup systems, hyperconverged infrastructure controllers, storage arrays — are increasingly in scope for corporate bug bounty programs. Techniques for finding hardcoded credential issues:

  • Firmware extraction: Many appliances expose downloadable firmware packages. Extracting and analyzing embedded configuration files, startup scripts, and binaries can reveal hardcoded credentials before they're exploited
  • String analysis: Static analysis of extracted binaries for credential patterns (Base64-encoded strings, plaintext passwords in config parsers)
  • Authentication endpoint fuzzing: For appliances with known management interfaces (Tomcat, nginx, IIS), test documented default credentials against the real deployment
  • Documentation review: Vendor setup guides and default configuration docs sometimes list default credentials that organizations never change
  • Container/OVA analysis: Virtual appliances distributed as OVFs or OVAs can be imported locally for analysis before deployment
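The configuration file review above reduces, for Tomcat-based appliances, to one concrete check: which accounts in tomcat-users.xml can reach the Manager application, and whether their credentials are stored in the clear. This added example (not code from the article, Dell or Apache) audits a constructed tomcat-users.xml for that; the digested-password test relies on Tomcat's documented salt$iterations$digest layout and treats anything else as plaintext, which is a heuristic you should adjust to the CredentialHandler actually configured.

```python
"""Audit a tomcat-users.xml for accounts that hold a Manager role with a
plaintext stored password, i.e. the CWE-798 configuration class behind
CVE-2026-22769.

Added example, not code from the article, Dell or Apache. The XML is a
constructed sample. looks_digested() only recognises Tomcat's salted
MessageDigestCredentialHandler layout (salt$iterations$digest); anything
else is reported as plaintext, so tune it to your CredentialHandler.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: one plaintext Manager account, one digested Manager
# account, and one plaintext account without any Manager role.
SAMPLE_TOMCAT_USERS = """\
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="reporting"/>
  <user username="admin" password="Welcome123" roles="manager-gui,manager-script"/>
  <user username="deployer" roles="manager-script"
        password="a1b2c3d4$10000$9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"/>
  <user username="reports" password="letmein" roles="reporting"/>
</tomcat-users>
"""

# Roles that grant access to the Manager application.
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status"}
DIGESTED_RE = re.compile(r"^[0-9a-f]+\$\d+\$[0-9a-f]+$", re.IGNORECASE)


def local_name(tag):
    """Strip the namespace that tomcat-users.xml normally declares."""
    return tag.rsplit("}", 1)[-1]


def looks_digested(password):
    return bool(DIGESTED_RE.match(password))


def audit_tomcat_users(xml_text):
    """Return one finding per user holding any Manager role.

    'plaintext' is True when the stored credential does not match the
    salted digest layout; a plaintext Manager credential baked into an
    appliance image is the hardcoded-credential pattern discussed above.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if local_name(el.tag) != "user":
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        manager_roles = roles & MANAGER_ROLES
        if not manager_roles:
            continue
        findings.append({
            "username": el.get("username", ""),
            "manager_roles": sorted(manager_roles),
            "plaintext": not looks_digested(el.get("password", "")),
        })
    return findings


if __name__ == "__main__":
    for f in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        state = "PLAINTEXT" if f["plaintext"] else "digested"
        print(f"{f['username']}: {', '.join(f['manager_roles'])} ({state})")
```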

The BeyondTrust RCE (CVE-2026-1731, CVSS 9.9) disclosed just two weeks ago is conceptually related — another enterprise remote management product with a fundamental authentication failure. There's a pattern here worth following for researchers focusing on enterprise targets.

Resources for Learning Enterprise Appliance Security Testing

The Web Application Hacker's Handbook remains the definitive reference for understanding authentication vulnerabilities, credential management flaws, and management interface security testing — the technical foundations behind findings like CVE-2026-22769:

📚 The Web Application Hacker's Handbook, 2nd Edition
The technical foundation for understanding how authentication systems fail. Covers hardcoded credential discovery, privilege escalation chains, and management interface vulnerabilities across web applications and appliances.

For hands-on practice with the types of network service vulnerabilities underlying this campaign:

🔧 Burp Suite Professional
The industry-standard tool for testing management interfaces, analyzing WAR deployments, and mapping authentication flows on enterprise web applications.

For infrastructure and network-level testing skills relevant to appliance security research:

📚 The Linux Command Line, 2nd Edition
Essential for working with extracted firmware, analyzing appliance configurations, and scripting reconnaissance against management interfaces. The command-line fluency behind every serious appliance security researcher.

And for understanding the network tradecraft that made Ghost NICs possible:

📚 The Practice of Network Security Monitoring by Richard Bejtlich
The definitive guide to detecting the kind of lateral movement and persistent access that UNC6201 used. Covers network traffic analysis, log correlation, and detecting stealthy pivot techniques — including the type of covert channel that Ghost NICs represent.

Essential Tools for Your Defense Stack

If CVE-2026-22769 has prompted a broader review of your enterprise appliance security posture, here are the tools that matter:

  • Asset Inventory: You can't patch what you don't know you have. Run a full inventory of enterprise appliances in your environment — not just servers and endpoints
  • Privileged Access Management: Tools like CyberArk or BeyondTrust PAM (ironic timing) enforce credential rotation policies that prevent hardcoded defaults from persisting
  • Network Detection and Response (NDR): Products like Darktrace, ExtraHop, or Vectra can detect the anomalous lateral movement patterns associated with Ghost NICs
  • vSphere Monitoring: VMware vRealize Log Insight or third-party tools like Splunk with vSphere integration can alert on unexpected virtual hardware changes
  • Vulnerability Management: Ensure your scanner has coverage for enterprise appliances, not just traditional endpoints. Qualys and Tenable both have RecoverPoint checks available post-disclosure

The Bottom Line

CVE-2026-22769 is the full package of enterprise nightmare: maximum CVSS score, 18 months of undetected exploitation, a sophisticated China-state-linked threat actor, novel VMware evasion techniques, and a CISA mandate to patch within three days of disclosure.

If you run Dell RecoverPoint for Virtual Machines, your action items are clear:

  1. Patch to 6.0.3.1 HF1 immediately — do not wait for the next change window
  2. Isolate the appliance from public/untrusted networks during patching as an interim control
  3. Conduct a compromise assessment — 18 months of potential exposure means patching without checking is not sufficient
  4. Hunt for GRIMBOLT if you were previously targeted by BRICKSTORM
  5. Review ESXi management logs for Ghost NIC creation events

For everyone else: this is a sharp reminder that your disaster recovery infrastructure is a high-value target with direct access to your most critical data. Hardcoded credentials, unmonitored management interfaces, and appliances without EDR coverage are the attack surface that state-sponsored actors are actively hunting.

The Ghost NICs technique alone should prompt every VMware shop to review what other appliances have privileged access to their ESXi management plane — and whether any of them have similar authentication weaknesses waiting to be found.

Frequently Asked Questions

Is Dell RecoverPoint Classic affected by CVE-2026-22769?

No. CVE-2026-22769 only affects Dell RecoverPoint for Virtual Machines. The physical appliance version (RecoverPoint Classic) is not vulnerable to this specific hardcoded credential flaw.

I patched the BRICKSTORM backdoor previously. Am I still at risk?

Possibly. UNC6201 began replacing BRICKSTORM with GRIMBOLT in September 2025. If you remediated BRICKSTORM without fully re-imaging the RecoverPoint appliance, GRIMBOLT may still be present. Mandiant explicitly warns organizations previously targeted by BRICKSTORM to hunt for GRIMBOLT using the newly published IOCs and YARA rules.

What's the Ghost NIC technique and how do I detect it?

Ghost NICs are temporary virtual network interfaces created on ESXi-hosted VMs through the vSphere API, used for covert lateral movement after gaining privileged access to the RecoverPoint appliance. They're deleted after use to minimize forensic traces. Detection requires comprehensive logging of vSphere management API calls, specifically virtual hardware add/remove events, ideally with a SIEM integration that can alert on unexpected NIC changes to running VMs.

Should non-federal organizations follow CISA's 3-day deadline?

The federal mandate only legally applies to civilian agencies. However, the threat actor (UNC6201) doesn't limit its operations to government targets — the confirmed victims include financial services, technology, and healthcare organizations. Given confirmed active exploitation and the sensitivity of what RecoverPoint accesses, treating this with the same urgency as federal agencies is the right call for any organization running the affected product.
