CVE-2026-22769
published 2026-02-17

Priority: P1, 95, critical
CVSS 3.1: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
CISA Known Exploited Vulnerability (due 2026-02-21); exploited in the wild
EPSS: 13.13% (95.9th percentile)
Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credential vulnerability. This is considered critical as an unauthenticated remote attacker with knowledge of the hardcoded credential could potentially exploit this vulnerability leading to unauthorized access to the underlying operating system and root-level persistence. Dell recommends that customers upgrade or apply one of the remediations as soon as possible.

Affected

4 ranges

Vendor | Product                           | Version range                                                                          | Fixed in
dell   | recoverpoint_for_virtual_machines | < 6.0                                                                                  | 6.0
dell   | recoverpoint_for_virtual_machines | (no range given)                                                                       |
dell   | recoverpoint_for_virtual_machines | >= 5.3 SP4 P1, < 6.0.3.1 HF1                                                           | 6.0.3.1 HF1
dell   | recoverpoint_for_virtual_machines | >= 6.0 (6.0, 6.0 SP1, 6.0 SP1 P1, 6.0 SP1 P2, 6.0 SP2, 6.0 SP2 P1, 6.0 SP3, 6.0 SP3 P1), < 6.0.3.1 HF1 | 6.0.3.1 HF1

Detection & IOCs (extracted from sources)

hash: 24a11a26a2586f4fba7bfe89df2e21a0809ad85069e442da98c37c4add369a0c
hash: dfb37247d12351ef9708cb6631ce2d7017897503657c6b882a711c0da8a9a591
hash: 92fb4ad6dee9362d0596fda7bbcfe1ba353f812ea801d1870e37bfc6376e624a
hash: aa688682d44f0c6b0ed7f30b981a609100107f2d414a3a6e5808671b112d1878
hash: 2388ed7aee0b6b392778e8f9e98871c06499f476c9e7eae6ca0916f827fe65df
hash: 320a0b5d4900697e125cebb5ff03dee7368f8f087db1c1570b0b62f5a986d759
hash: 90b760ed1d0dcb3ef0f2b6d6195c9d852bcb65eca293578982a8c4b64f51b035
hash: 45313a6745803a7f57ff35f5397fdf117eaec008a76417e6e2ac8a6280f7d830
url: wss://149.248.11.71/rest/apisession
ip: 149.248.11.71
url: /manager/text/deploy
path: /home/kos/tomcat9/tomcat-users.xml
path: /home/kos/auditlog/fapi_cl_audit_log.log
path: /var/lib/tomcat9
path: /var/cache/tomcat9/Catalina
path: /var/log/tomcat9/
path: /home/kos/kbox/src/installation/distribution/convert_hosts.sh
filename: support
filename: out_elf_2
filename: default_jsp.java
filename: splisten
port: 10443
command: iptables -I INPUT -i eth0 -p tcp --dport 443 -m string --hex-string
command: iptables -A port_filter -i eth0 -p tcp --dport 10443 --syn -m recent --rcheck --name ipt -j ACCEPT
command: iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 --syn -m recent --rcheck --name ipt --seconds 300 -j IPT
yara:
rule G_APT_BackdoorToehold_GRIMBOLT_1
{
    meta:
        author = "Google Threat Intelligence Group (GTIG)"
    strings:
        $s1 = { 40 00 00 00 41 18 00 00 00 4B 21 20 C2 2C 08 23 02 }
        $s2 = { B3 C3 BB 41 0D ?? ?? ?? 00 81 02 0C ?? ?? ?? 00 }
        $s3 = { 39 08 01 49 30 A0 52 30 00 00 00 DB 40 09 00 02 00 80 65 BC 98 }
        $s4 = { 2F 00 72 00 6F 00 75 00 74 00 65 79 23 E8 03 0E 00 00 00 2F 00 70 00 72 00 6F 00 63 00 2F 00 73 00 65 00 6C 00 66 00 2F 00 65 00 78 00 65 }
    condition:
        (uint32(0) == 0x464c457f) // linux (ELF magic)
        and all of ($s*)
}

yara:
rule G_Hunting_BackdoorToehold_GRIMBOLT_1
{
    meta:
        author = "Google Threat Intelligence Group (GTIG)"
    strings:
        $s1 = "[!] Error : Plexor is nul" ascii wide
        $s2 = "port must within 0~6553" ascii wide
        $s3 = "[*] Disposing.." ascii wide
        $s4 = "[!] Connection error. Kill Pty" ascii wide
        $s5 = "[!] Unkown message type" ascii wide
        $s6 = "[!] Bad dat" ascii wide
    condition:
        (
            (uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550) or
            uint32(0) == 0x464c457f or
            uint32(0) == 0xfeedface or
            uint32(0) == 0xcefaedfe or
            uint32(0) == 0xfeedfacf or
            uint32(0) == 0xcffaedfe or
            uint32(0) == 0xfeedfacf or
            uint32(0) == 0xcafebabe or
            uint32(0) == 0xbebafeca or
            uint32(0) == 0xcafebabf or
            uint32(0) == 0xbfbafeca
        ) and any of them
}

yara:
rule G_APT_BackdoorWebshell_SLAYSTYLE_4
{
    meta:
        author = "Google Threat Intelligence Group (GTIG)"
    strings:
        $str1 = "<%@page import=\"java.io" ascii wide
        $str2 = "Base64.getDecoder().decode(c.substring(1)" ascii wide
        $str3 = "{\"/bin/sh\",\"-c\"" ascii wide
        $str4 = "Runtime.getRuntime().exec(" ascii wide
        $str5 = "ByteArrayOutputStream();" ascii wide
        $str6 = ".printStackTrace(" ascii wide
    condition:
        $str1 at 0 and all of them
}
  • Hunt for requests to the Tomcat Manager /manager endpoint in the Dell RecoverPoint audit log, which is stored at /home/kos/auditlog/fapi_cl_audit_log.log. Any such requests should be treated as suspicious.
  • Look for WAR file uploads via PUT /manager/text/deploy?path=/&update=true in Tomcat Manager logs, indicating exploitation of CVE-2026-22769 to deploy a malicious WAR containing the SLAYSTYLE webshell.
  • Inspect /home/kos/kbox/src/installation/distribution/convert_hosts.sh for unauthorized modifications; UNC6201 appended backdoor paths to this boot-time script (executed via rc.local) to establish BRICKSTORM/GRIMBOLT persistence.
  • Detect Single Packet Authorization (SPA) iptables rules on vCenter appliances: look for rules monitoring port 443 for a specific HEX string and redirecting approved traffic to port 10443, a TTP executed via the SLAYSTYLE webshell.
  • Monitor for creation of new temporary virtual network interfaces (Ghost NICs) on ESXi VMs, a novel UNC6201 technique used to pivot into internal and SaaS environments without triggering traditional network detection.
  • GRIMBOLT is packed with UPX and compiled as a Native AOT .NET binary (C#); static analysis tools will not find standard CIL metadata. Use the provided YARA rules targeting binary byte patterns rather than string-based .NET detection.
  • In Google SecOps, enable the following rule names to detect CVE-2026-22769 exploitation activity: 'Web Archive File Write To Tomcat Directory', 'Remote Application Deployment via Tomcat Manager', 'Suspicious File Write To Tomcat Cache Directory', and 'Kbox Distribution Script Modification'.
  • The hardcoded credential for the 'admin' user is stored in /home/kos/tomcat9/tomcat-users.xml. The username 'admin' with its hardcoded password is the direct exploitation vector; knowledge of this credential alone is sufficient for unauthenticated root access.
  • GRIMBOLT uses the same C2 infrastructure as previously deployed BRICKSTORM payloads; blocking BRICKSTORM C2 alone is insufficient if GRIMBOLT has already replaced it. Both families must be hunted independently.
  • The initial access vector for CVE-2026-22769 incidents was not confirmed; UNC6201 is known to target edge appliances such as VPN concentrators for initial access, so the Dell RecoverPoint compromise may be a second-stage pivot rather than the entry point.
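The first, second and fourth hunting points above (Tomcat Manager requests in the RecoverPoint audit log, PUT deployments to /manager/text/deploy, and SPA-style iptables rules gating 443/10443) can be turned into a small triage script. The following is an added example written for this page, not Dell's or Google's code: the audit log line layout is a constructed stand-in (the real fapi_cl_audit_log.log format is not given here), the sample lines are constructed, and the --hex-string value in the sample rule is a placeholder because the page truncates the real one. Only the paths, port and rule shapes come from the indicator list.

```python
"""Triage helpers for the CVE-2026-22769 hunting guidance (added example).

Assumptions (not from the page): audit log lines contain an HTTP method
followed by a request path; iptables rules are given in `iptables-save` style.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators taken from the page.
MANAGER_PREFIX = "/manager"
DEPLOY_PATH = "/manager/text/deploy"
SPA_PORT = "10443"
AUDIT_LOG = "/home/kos/auditlog/fapi_cl_audit_log.log"


@dataclass
class Finding:
    line_no: int
    reason: str
    evidence: str


# Constructed log format: "<timestamp> user=<u> src=<ip> <METHOD> <path> <status>".
_REQ_RE = re.compile(r"\b(GET|POST|PUT|DELETE)\s+(/\S*)")


def classify_request(method: str, path: str) -> Optional[str]:
    """Return why a request is suspicious per the hunting guidance, or None."""
    if not path.startswith(MANAGER_PREFIX):
        return None  # RecoverPoint's own REST traffic is not covered here
    if method == "PUT" and path.startswith(DEPLOY_PATH):
        return "WAR deployment via Tomcat Manager text interface"
    return "request to Tomcat Manager endpoint"


def hunt_audit_log(lines: List[str]) -> List[Finding]:
    """Flag every audit log line that touches the Tomcat Manager."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        m = _REQ_RE.search(line)
        if not m:
            continue
        reason = classify_request(m.group(1), m.group(2))
        if reason:
            findings.append(Finding(n, reason, line.strip()))
    return findings


# SPA rule shapes from the page: a string match on 443, or a `recent` list
# check that either accepts 10443 or lives in the nat table (redirect step).
_SPA_HEX = re.compile(r"--dport 443\b.*-m string\b.*--hex-string")
_SPA_RECENT = re.compile(r"-m recent\b.*--rcheck\b")


def is_spa_rule(rule: str) -> bool:
    """True if an iptables rule matches the SPA knock/redirect pattern."""
    if _SPA_HEX.search(rule):
        return True
    if _SPA_RECENT.search(rule) and (f"--dport {SPA_PORT}" in rule or "-t nat" in rule):
        return True
    return False


# Constructed sample data; not real RecoverPoint log content.
SAMPLE_AUDIT_LINES = [
    "2026-02-10T09:12:01Z user=admin src=10.0.0.5 GET /RecoverPointREST/v4/state 200",
    "2026-02-10T09:13:44Z user=admin src=149.248.11.71 GET /manager/html 200",
    "2026-02-10T09:14:02Z user=admin src=149.248.11.71 PUT /manager/text/deploy?path=/&update=true 200",
    "2026-02-10T09:15:30Z user=svc src=10.0.0.9 POST /RecoverPointREST/v4/login 200",
]
# First rule is a benign `recent`-based SSH rule; the rest follow the page's fragments.
SAMPLE_IPTABLES_RULES = [
    "-A INPUT -i eth0 -p tcp --dport 22 -m recent --rcheck --name ssh -j ACCEPT",
    '-I INPUT -i eth0 -p tcp --dport 443 -m string --hex-string "|00 11 22 33|" --algo bm -j IPT',  # placeholder hex
    "-A port_filter -i eth0 -p tcp --dport 10443 --syn -m recent --rcheck --name ipt -j ACCEPT",
    "-t nat -A PREROUTING -i eth0 -p tcp --dport 443 --syn -m recent --rcheck --name ipt --seconds 300 -j IPT",
]

if __name__ == "__main__":
    for f in hunt_audit_log(SAMPLE_AUDIT_LINES):
        print(f"{AUDIT_LOG}:{f.line_no}: {f.reason}: {f.evidence}")
    for rule in SAMPLE_IPTABLES_RULES:
        if is_spa_rule(rule):
            print(f"SPA-style iptables rule: {rule}")
```

On a live appliance, feed `hunt_audit_log` the lines of the real audit log and `is_spa_rule` the output of `iptables-save`; the log regex will need adjusting to the actual field layout, which this example does not know.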

CVSS provenance

nvd:       v3.1  10.0  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vulncheck:       10.0  CRITICAL
cisa:            10.0  CRITICAL