Dell RecoverPoint Vulnerability Exploited for Two Years (CVE-2026-22769)

THE THREAT

On February 17th, 2026, Dell disclosed a maximum severity zero-day vulnerability in Dell RecoverPoint for Virtual Machines. The vulnerability, tracked as CVE-2026-22769 (CVSS: 10), is due to hard coded credentials. A threat actor with knowledge of the credentials could exploit the vulnerability to enable remote access and root-level persistence.

CVE-2026-22769 is reported to have been under active exploitation since at least mid-2024. Real-world attacks are attributed to the People's Republic of China (PRC) associated threat cluster, UNC6201. In observed attacks, the vulnerability was exploited to "move laterally, maintain persistent access, and deploy malware".

As this maximum severity vulnerability is under active exploitation, it is critical that organizations update to a secure version of Dell RecoverPoint immediately.

What we're doing about it

• New MDR for Network detections have been created to identify activity reported by Mandiant and Google
• Threat hunts for known Indicators of Compromise are underway
• Known malicious infrastructure is blocked via the eSentire Global Block List
• eSentire MDR for Network has rules in place to identify BRICKSTORM malware
• eSentire Managed Vulnerability Service (MVS) will add the relevant plugins for CVE-2026-22769 as they become available
• The eSentire Threat Intelligence team is actively tracking this topic for additional details and detection opportunities

What you should do about it

• After performing a business impact review apply the relevant update provided by Dell (6.0.3.1 HF1)
• If updating is not immediately possible, apply the remediation script
  • The script will need to be run manually again for any newly deployed or reimaged devices

Additional information

Dell RecoverPoint for Virtual Machines is a cyber resilience software, meant to enable quick recovery and disaster mitigation. This service would be highly valuable for a sophisticated threat actor, due to the data it holds and its widespread access.

Only minimal information is publicly available for UNC6201, but the threat cluster overlaps with UNC5221, another activity cluster which has been associated with the known Chinese APT Silk Typhoon. According to Mandiant and Google Threat Intelligence Group (GTIG) researchers, the initial access vector used in real-world attacks has not been identified at the time of writing. UNC6201 has previously targeted Internet-facing applications such as VPNs to gain access to victim organizations.

Following initial access and exploitation of CVE-2026-22769, UNC6201 was observed deploying three different backdoors to enable persistent access:

• SLAYSTYLE (aka BEEFLUSH): a JavaServer Pages (JSP) webshell that functions as a backdoor
• BRICKSTORM: a backdoor written in Go with support for Linux and BSD-based systems and built in SOCKS proxy functionality
• GRIMBOLT: a backdoor written in C# designed to perform efficiently on devices with minimal resources and also be difficult to analyze statically

Victim organizations and industries have not been disclosed at this time, but BRICKSTORM malware has previously impacted organizations in the Information Technology (IT) and Government Services/Facilities sectors.

Impacted Versions:

• 5.3 SP4 P1
• 6.0
• 6.0 SP1
• 6.0 SP1 P1
• 6.0 SP1 P2
• 6.0 SP2
• 6.0 SP2 P1
• 6.0 SP3
• 6.0 SP3 P1

References:
[1] https://www.dell.com/support/kbdoc/en-us/000426773/dsa-2026-079
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-22769
[3] https://cloud.google.com/blog/topics/threat-intelligence/unc6201-exploiting-dell-recoverpoint-zero-day/
[4] https://www.dell.com/support/kbdoc/en-us/000426742/recoverpoint-for-vms-apply-the-remediation-script-for-dsa
[5] https://cloud.google.com/blog/topics/threat-intelligence/suspected-apt-targets-ivanti-zero-day/
[6] https://attack.mitre.org/groups/G0125/
[7] https://www.cisa.gov/news-events/analysis-reports/ar25-338a