CVE-2026-22769
Published 2026-02-17
Priority P195 · critical · 10 · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CISA Known Exploited Vulnerability, due 2026-02-21
Exploited in the wild
EPSS 13.13% (95.9th percentile)
Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credential vulnerability. This is considered critical as an unauthenticated remote attacker with knowledge of the hardcoded credential could potentially exploit this vulnerability leading to unauthorized access to the underlying operating system and root-level persistence. Dell recommends that customers upgrade or apply one of the remediations as soon as possible.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dell | recoverpoint_for_virtual_machines | < 6.0 | 6.0 |
| dell | recoverpoint_for_virtual_machines | — | — |
| dell | recoverpoint_for_virtual_machines | >= 5.3 SP4 P1 < 6.0.3.1 HF1 | 6.0.3.1 HF1 |
| dell | recoverpoint_for_virtual_machines | >= 6.0, 6.0 SP1, 6.0 SP1 P1, 6.0 SP1 P2, 6.0 SP2, 6.0 SP2 P1, 6.0 SP3, and 6.0 SP3 P1 < 6.0.3.1 HF1 | 6.0.3.1 HF1 |
Detection & IOCs
Extracted from the sources linked on this page.

Commands:

```shell
iptables -A port_filter -i eth0 -p tcp --dport 10443 --syn -m recent --rcheck --name ipt -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 --syn -m recent --rcheck --name ipt --seconds 300 -j IPT
```

YARA rules:

```yara
rule G_APT_BackdoorToehold_GRIMBOLT_1
{
    meta:
        author = "Google Threat Intelligence Group (GTIG)"
    strings:
        $s1 = { 40 00 00 00 41 18 00 00 00 4B 21 20 C2 2C 08 23 02 }
        $s2 = { B3 C3 BB 41 0D ?? ?? ?? 00 81 02 0C ?? ?? ?? 00 }
        $s3 = { 39 08 01 49 30 A0 52 30 00 00 00 DB 40 09 00 02 00 80 65 BC 98 }
        $s4 = { 2F 00 72 00 6F 00 75 00 74 00 65 79 23 E8 03 0E 00 00 00 2F 00 70 00 72 00 6F 00 63 00 2F 00 73 00 65 00 6C 00 66 00 2F 00 65 00 78 00 65 }
    condition:
        (uint32(0) == 0x464c457f) // linux
        and all of ($s*)
}
```

```yara
rule G_Hunting_BackdoorToehold_GRIMBOLT_1
{
    meta:
        author = "Google Threat Intelligence Group (GTIG)"
    strings:
        $s1 = "[!] Error : Plexor is nul" ascii wide
        $s2 = "port must within 0~6553" ascii wide
        $s3 = "[*] Disposing.." ascii wide
        $s4 = "[!] Connection error. Kill Pty" ascii wide
        $s5 = "[!] Unkown message type" ascii wide
        $s6 = "[!] Bad dat" ascii wide
    condition:
        (
            (uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550) or
            uint32(0) == 0x464c457f or
            uint32(0) == 0xfeedface or
            uint32(0) == 0xcefaedfe or
            uint32(0) == 0xfeedfacf or
            uint32(0) == 0xcffaedfe or
            uint32(0) == 0xfeedfacf or
            uint32(0) == 0xcafebabe or
            uint32(0) == 0xbebafeca or
            uint32(0) == 0xcafebabf or
            uint32(0) == 0xbfbafeca
        ) and any of them
}
```

```yara
rule G_APT_BackdoorWebshell_SLAYSTYLE_4
{
    meta:
        author = "Google Threat Intelligence Group (GTIG)"
    strings:
        $str1 = "<%@page import=\"java.io" ascii wide
        $str2 = "Base64.getDecoder().decode(c.substring(1)" ascii wide
        $str3 = "{\"/bin/sh\",\"-c\"" ascii wide
        $str4 = "Runtime.getRuntime().exec(" ascii wide
        $str5 = "ByteArrayOutputStream();" ascii wide
        $str6 = ".printStackTrace(" ascii wide
    condition:
        $str1 at 0 and all of them
}
```

Hunting guidance and notes:

- Hunt for requests to the Tomcat Manager /manager endpoint in the Dell RecoverPoint audit log, which is stored at /home/kos/auditlog/fapi_cl_audit_log.log. Any such requests should be treated as suspicious.
- Look for WAR file uploads via PUT /manager/text/deploy?path=/&update=true in Tomcat Manager logs, indicating exploitation of CVE-2026-22769 to deploy a malicious WAR containing the SLAYSTYLE webshell.
- Inspect /home/kos/kbox/src/installation/distribution/convert_hosts.sh for unauthorized modifications; UNC6201 appended backdoor paths to this boot-time script (executed via rc.local) to establish BRICKSTORM/GRIMBOLT persistence.
- Detect Single Packet Authorization (SPA) iptables rules on vCenter appliances: look for rules monitoring port 443 for a specific HEX string and redirecting approved traffic to port 10443, a TTP executed via the SLAYSTYLE webshell.
- Monitor for creation of new temporary virtual network interfaces (Ghost NICs) on ESXi VMs, a novel UNC6201 technique used to pivot into internal and SaaS environments without triggering traditional network detection.
- GRIMBOLT is packed with UPX and compiled as a Native AOT .NET binary (C#); static analysis tools will not find standard CIL metadata. Use the provided YARA rules targeting binary byte patterns rather than string-based .NET detection.
- In Google SecOps, enable the following rule names to detect CVE-2026-22769 exploitation activity: 'Web Archive File Write To Tomcat Directory', 'Remote Application Deployment via Tomcat Manager', 'Suspicious File Write To Tomcat Cache Directory', and 'Kbox Distribution Script Modification'.
- The hardcoded credential for the 'admin' user is stored in /home/kos/tomcat9/tomcat-users.xml. The username 'admin' with its hardcoded password is the direct exploitation vector; knowledge of this credential alone is sufficient for unauthenticated root access.
- GRIMBOLT uses the same C2 infrastructure as previously deployed BRICKSTORM payloads; blocking BRICKSTORM C2 alone is insufficient if GRIMBOLT has already replaced it. Both families must be hunted independently.
- The initial access vector for CVE-2026-22769 incidents was not confirmed; UNC6201 is known to target edge appliances such as VPN concentrators for initial access, so the Dell RecoverPoint compromise may be a second-stage pivot rather than the entry point.
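The audit-log hunt for Tomcat Manager requests, the SPA iptables rule check and the tomcat-users.xml note above can be combined into one triage script for an appliance under review. The following is an added example written for this page, not code from Dell, GTIG or Mandiant. The access-log line format, the iptables-save layout and the tomcat-users.xml content are constructed samples and assumptions: the page does not show the real format of /home/kos/auditlog/fapi_cl_audit_log.log, so the script parses a Tomcat/Apache-style access log and should be adapted to the actual file.

```python
"""Triage helpers for the CVE-2026-22769 indicators listed above.

Added example, not code from Dell, GTIG or Mandiant. All sample data is
constructed; the access-log format is an assumption, since the real layout of
/home/kos/auditlog/fapi_cl_audit_log.log is not shown on this page.
"""
import re
import xml.etree.ElementTree as ET

# Access-log line (assumed format): src ident user [ts] "METHOD path proto" status size
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines; 203.0.113.9 is a documentation address.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [17/Feb/2026:10:15:32 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.9 - admin [17/Feb/2026:10:16:01 +0000] "GET /manager/text/list HTTP/1.1" 200 212',
    '203.0.113.9 - admin [17/Feb/2026:10:16:05 +0000] "PUT /manager/text/deploy?path=/&update=true HTTP/1.1" 200 45',
    '10.0.0.7 - - [17/Feb/2026:10:17:44 +0000] "GET /favicon.ico HTTP/1.1" 404 0',
]

# Constructed iptables-save output modelled on the two commands quoted above.
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -m recent --rcheck --seconds 300 --name ipt --mask 255.255.255.255 --rsource -j IPT
COMMIT
*filter
:INPUT ACCEPT [0:0]
:port_filter - [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A port_filter -i eth0 -p tcp -m tcp --dport 10443 --tcp-flags FIN,SYN,RST,ACK SYN -m recent --rcheck --name ipt --mask 255.255.255.255 --rsource -j ACCEPT
COMMIT
"""

# Constructed tomcat-users.xml; the role name and the placeholder password are assumptions.
SAMPLE_TOMCAT_USERS = """\
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-script"/>
  <user username="admin" password="PLACEHOLDER-NOT-A-REAL-VALUE" roles="manager-script"/>
</tomcat-users>
"""


def find_manager_requests(lines):
    """Return every request under /manager. The page says any Tomcat Manager request
    on a RecoverPoint appliance is suspicious; a PUT to /manager/text/deploy is
    additionally marked as a WAR deployment."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m or not m.group("path").startswith("/manager"):
            continue
        method, path = m.group("method"), m.group("path")
        hits.append({
            "src": m.group("src"),
            "method": method,
            "path": path,
            "status": int(m.group("status")),
            "war_deploy": method == "PUT" and path.startswith("/manager/text/deploy"),
        })
    return hits


def find_spa_rules(iptables_save_text):
    """Flag rules shaped like the SPA setup described above: a 'recent'-gated rule
    on dport 443 (the nat redirect) or on dport 10443 (the gated ACCEPT)."""
    suspicious = []
    for line in iptables_save_text.splitlines():
        rule = line.strip()
        if not rule.startswith("-A ") or "-m recent" not in rule:
            continue
        port = re.search(r"--dport (\d+)", rule)
        if port and port.group(1) in ("443", "10443"):
            suspicious.append(rule)
    return suspicious


def find_admin_users(tomcat_users_xml):
    """List <user> entries in a tomcat-users.xml document (namespace-tolerant). An
    'admin' user on an unpatched appliance is the account the page identifies as
    the hardcoded credential."""
    root = ET.fromstring(tomcat_users_xml)
    return [
        {"username": el.get("username"), "roles": el.get("roles", "")}
        for el in root.iter()
        if el.tag.split("}")[-1] == "user"
    ]


def triage(access_log, iptables_save_text, tomcat_users_xml):
    """Combine the three checks into one summary suitable for a ticket."""
    requests = find_manager_requests(access_log)
    return {
        "manager_requests": len(requests),
        "war_deploys": sum(1 for r in requests if r["war_deploy"]),
        "spa_rules": len(find_spa_rules(iptables_save_text)),
        "admin_user_present": any(u["username"] == "admin" for u in find_admin_users(tomcat_users_xml)),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_ACCESS_LOG, SAMPLE_IPTABLES_SAVE, SAMPLE_TOMCAT_USERS))
```

On a real appliance, feed `find_manager_requests` the lines of the audit log, `find_spa_rules` the output of `iptables-save`, and `find_admin_users` the contents of /home/kos/tomcat9/tomcat-users.xml; an `admin` entry by itself is only meaningful on a version that has not received the 6.0.3.1 HF1 fix or the remediation script, so pair it with the version check.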
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| vulncheck | | 10.0 | CRITICAL | |
| cisa | | 10.0 | CRITICAL | |
GHSA
GHSA-c56r-fcf4-6rp2: Dell RecoverPoint for Virtual Machines, versions prior to 6
ghsa_unreviewed·2026-02-17
CVE-2026-22769 [CRITICAL] CWE-798 GHSA-c56r-fcf4-6rp2: Dell RecoverPoint for Virtual Machines, versions prior to 6
Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credential vulnerability. This is considered critical as an unauthenticated remote attacker with knowledge of the hardcoded credential could potentially exploit this vulnerability leading to unauthorized access to the underlying operating system and root-level persistence. Dell recommends that customers upgrade or apply one of the remediations as soon as possible.
VulnCheck
Dell RecoverPoint for Virtual Machines (RP4VMs) Use of Hard-coded Credentials Vulnerability
vulncheck·2026·CVSS 10.0
CVE-2026-22769 [CRITICAL] CWE-798 Dell RecoverPoint for Virtual Machines (RP4VMs) Use of Hard-coded Credentials Vulnerability
Dell RecoverPoint for Virtual Machines (RP4VMs) Use of Hard-coded Credentials Vulnerability
Dell RecoverPoint for Virtual Machines (RP4VMs) contains a use of hard-coded credentials vulnerability that could allow an unauthenticated remote attacker to gain unauthorized access to the underlying operating system and root-level persistence.
Affected: Dell RecoverPoint for Virtual Machines (RP4VMs)
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://cloud.google.com/blog/topics/threat-intelligence/unc6201-exploiting-dell-recoverpoint-zero-day/; https://www.dell.com/support/kbdoc/en-us/000426773/dsa-2026-079; https://www.cisa.gov/
CISA
Dell RecoverPoint for Virtual Machines (RP4VMs) Use of Hard-coded Credentials Vulnerability
cisa·2026-02-18·CVSS 10.0
CVE-2026-22769 [CRITICAL] CWE-798 Dell RecoverPoint for Virtual Machines (RP4VMs) Use of Hard-coded Credentials Vulnerability
Vulnerability: Dell RecoverPoint for Virtual Machines (RP4VMs) Use of Hard-coded Credentials Vulnerability
Affected: Dell RecoverPoint for Virtual Machines (RP4VMs)
Dell RecoverPoint for Virtual Machines (RP4VMs) contains a use of hard-coded credentials vulnerability that could allow an unauthenticated remote attacker to gain unauthorized access to the underlying operating system and root-level persistence.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://www.dell.com/support/kbdoc/en-us/000426773/dsa-2026-079 ; https://www.dell.com/support/kbdoc/en-us/000426742/recoverpoint-for-vms-apply-the-remediation-script-for-dsa ; https://cloud.goog
No detection rules found.
No public exploits indexed.
Hackernews
VerdantBamboo Deploys BSD Variant of BRICKSTORM on Linux Appliances
blogs_hackernews·2026-06-08
CVE-2026-22769 VerdantBamboo Deploys BSD Variant of BRICKSTORM on Linux Appliances
## VerdantBamboo Deploys BSD Variant of BRICKSTORM on Linux Appliances
A China-nexus cyber espionage group has been observed deploying a BSD variant of a known backdoor called BRICKSTORM, as well as two other malware families codenamed PLENET (aka GRIMBOLT) and AGENTPSD to target Linux systems.
The activity has been attributed by Volexity to a threat cluster it tracks as VerdantBamboo, which it said overlaps with hacking groups known as Clay Typhoon (Microsoft), UNC5221 (Google), and Warp Panda (CrowdStrike).
The cybersecurity company said it discovered the intrusion during an incident response engagement in September 2025,
Mandiant
vSphere and BRICKSTORM Malware: A Defender's Guide
blogs_mandiant·2026-04-02
vSphere and BRICKSTORM Malware: A Defender's Guide
## vSphere and BRICKSTORM Malware: A Defender's Guide
Written by: Stuart Carrera
## Introduction
Building on recent BRICKSTORM research from Google Threat Intelligence Group (GTIG), this post explores the evolving threats facing virtualized environments. These operations directly target the VMware vSphere ecosystem, specifically the vCenter Server Appliance (VCSA) and ESXi hypervisors. To help organizations stay ahead of these risks, we will focus on the essential hardening strategies and mitigating controls necessary to secure these critical assets.
By establishing persistence at the virtualization layer, threat actors operate beneath the guest operating system where traditional security protecti
Recorded Future
February 2026 CVE Landscape: 13 Critical Vulnerabilities Mark 43% Drop from January
blogs_recorded_future·2026-03-12·CVSS 7.7
[HIGH] February 2026 CVE Landscape: 13 Critical Vulnerabilities Mark 43% Drop from January
## February 2026 CVE Landscape: 13 Critical Vulnerabilities Mark 43% Drop from January
February 2026 saw a 43% decrease in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 13 vulnerabilities requiring immediate remediation, down from 23 in January 2026. All 13 carried a ‘Very Critical’ Recorded Future Risk Score.
What security teams need to know:
- Microsoft dominates: Six of 13 vulnerabilities affected Microsoft products, accounting for 46% of February's findings; all were added to CISA's KEV catalog on the same day
- Supply-chain attack on Notepad++: Lotus Blossom, a suspected China state-sponsored threat actor, exploited CVE-2025-15556 to hijack Notepad++'s update channel and deliver a Cobalt Strike Beacon and the Chrysalis backdoor
- APT28 exploits MSHTML fl
Checkpoint
23rd February – Threat Intelligence Report
blogs_checkpoint·2026-02-23
CVE-2023-27532 23rd February – Threat Intelligence Report
## 23rd February – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 23rd February, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
France’s Ministry of Economy has disclosed a data breach resulting from unauthorized access to the national bank account registry FICOBA, impacting information tied to 1.2 million accounts. Exposed data includes names, addresses, account identifiers and, in some cases, tax-related identifiers. Officials said the intrus
Bleepingcomputer
CISA orders feds to patch actively exploited Dell flaw within 3 days
blogs_bleepingcomputer·2026-02-19·CVSS 10.0
CVE-2026-22769 [CRITICAL] CISA orders feds to patch actively exploited Dell flaw within 3 days
## CISA orders feds to patch actively exploited Dell flaw within 3 days
By Sergiu Gatlan
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered government agencies to patch their systems within three days against a maximum-severity Dell vulnerability that has been under active exploitation since mid-2024.
According to security researchers from Mandiant and the Google Threat Intelligence Group (GTIG), this hardcoded-credential vulnerability (CVE-2026-22769) in Dell's RecoverPoint (a solution used for VMware virtual machine backup and recovery) is being exploited by a suspected Chinese hacking group tracked as UNC6201.
After gaining access to a victim's network in CVE-2026-22769 attacks, UNC6201 deploys several malware payloads, including a newly identified backdoor c
Mandiant
From BRICKSTORM to GRIMBOLT: UNC6201 Exploiting a Dell RecoverPoint for Virtual Machines Zero-Day
blogs_mandiant·2026-02-17·CVSS 10.0
[CRITICAL] From BRICKSTORM to GRIMBOLT: UNC6201 Exploiting a Dell RecoverPoint for Virtual Machines Zero-Day
## From BRICKSTORM to GRIMBOLT: UNC6201 Exploiting a Dell RecoverPoint for Virtual Machines Zero-Day
Written by: Peter Ukhanov, Daniel Sislo, Nick Harbour, John Scarbrough, Fernando Tomlinson, Jr., Rich Reece
## Introduction
Mandiant and Google Threat Intelligence Group (GTIG) have identified the zero-day exploitation of a high-risk vulnerability in Dell RecoverPoint for Virtual Machines, tracked as CVE-2026-22769, with a CVSSv3.1 score of 10.0. Analysis of incident response engagements revealed that UNC6201, a suspected PRC-nexus threat cluster, has exploited this flaw since at least mid-2024 to move laterally, maintain persistent access, and deploy malware
Bleepingcomputer
Chinese hackers exploiting Dell zero-day flaw since mid-2024
blogs_bleepingcomputer·2026-02-17·CVSS 10.0
CVE-2026-22769 [CRITICAL] Chinese hackers exploiting Dell zero-day flaw since mid-2024
## Chinese hackers exploiting Dell zero-day flaw since mid-2024
By Sergiu Gatlan
A suspected Chinese state-backed hacking group has been quietly exploiting a critical Dell security flaw in zero-day attacks that started in mid-2024.
Security researchers from Mandiant and the Google Threat Intelligence Group (GTIG) revealed today that the UNC6201 group exploited a maximum-severity hardcoded-credential vulnerability (tracked as CVE-2026-22769) in Dell RecoverPoint for Virtual Machines, a solution used for VMware virtual machine backup and recovery.
"Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credential vulnerability," Dell explains in a security advisory published on Tuesday.
"This is considered critical as an unauthenticated remote attack
Mandiant
UNC6201 Exploiting a Dell RecoverPoint for Virtual Machines Zero-Day
blogs_mandiant·2026-02-17·CVSS 10.0
[CRITICAL] UNC6201 Exploiting a Dell RecoverPoint for Virtual Machines Zero-Day
# From BRICKSTORM to GRIMBOLT: UNC6201 Exploiting a Dell RecoverPoint for Virtual Machines Zero-Day
February 17, 2026
Written by: Peter Ukhanov, Daniel Sislo, Nick Harbour, John Scarbrough, Fernando Tomlinson, Jr., Rich Reece
### Introduction
Mandiant and Google Threat Intelligence Group (GTIG) have identified the zero-day exploitation of a high-risk vulnerability in Dell RecoverPoint for Virtual Machines, tracked as CVE-2026-22769, with a CVSSv3.1 score of 10.0. Analysis of incident response engagements revealed that UNC6201, a suspected PRC-nexus threat cluster, has exploited this flaw since at least mid-2024 to
Recorded Future
February 2026 CVE Landscape: 13 Critical Vulnerabilities Mark 43% Drop from January
blogs_recorded_future·CVSS 7.7
[HIGH] February 2026 CVE Landscape: 13 Critical Vulnerabilities Mark 43% Drop from January
# February 2026 CVE Landscape: 13 Critical Vulnerabilities Mark 43% Drop from January
February 2026 saw a 43% decrease in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 13 vulnerabilities requiring immediate remediation, down from 23 in January 2026. All 13 carried a ‘Very Critical’ Recorded Future Risk Score.
What security teams need to know:
- Microsoft dominates: Six of 13 vulnerabilities affected Microsoft products, accounting for 46% of February's findings; all were added to CISA's KEV catalog on the same day
- Supply-chain attack on Notepad++: Lotus Blossom, a suspected China state-sponsored threat actor, exploited CVE-2025-15556 to hijack Notepad++'s update channel and deliver a Cobalt Strike Beacon and the Chrysalis backdoor
- APT28 exploits MSHTML
Wiz
CVE-2026-22769 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-22769 [MEDIUM] CVE-2026-22769 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22769: RecoverPoint vulnerability analysis and mitigation
Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credential vulnerability. This is considered critical as an unauthenticated remote attacker with knowledge of the hardcoded credential could potentially exploit this vulnerability leading to unauthorized access to the underlying operating system and root-level persistence. Dell recommends that customers upgrade or apply one of the remediations as soon as possible.
Source: NVD
Score: 10
Published: February 17, 2026
Severity: CRITICAL
CNA Score: 10.0
Affected Technologies: RecoverPoint
Has Public Exploit: Yes
Has CISA KEV Exploit: Yes
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (
Timeline:
- 2026-02-17: Published
- 2026-02-18: Added to CISA KEV
- Exploited in the wild