Critical zero-day vulnerability is being actively exploited in Dell RecoverPoint



The flaw, tracked as CVE-2026-22769, carries the maximum CVSS score of 10.0 (Critical) and has been exploited in the wild since at least mid-2024.

Incident response investigations link the activity to UNC6201, a China-linked threat cluster. The group shares overlaps with Silk Typhoon (UNC5221).

Security researchers from Mandiant and Google Threat Intelligence Group (GTIG) observed attackers using this vulnerability to move laterally across networks, maintain long-term persistence, and deploy advanced malware.

The malware used in attacks includes SLAYSTYLE (web shell), BRICKSTORM (backdoor), and GRIMBOLT (new backdoor).

Although the initial entry method is still unknown, UNC6201 commonly targets edge devices such as VPN appliances to gain access.

What Caused the Vulnerability?

The issue is due to hardcoded default admin credentials inside Dell RecoverPoint’s Apache Tomcat Manager configuration.

The credentials were found in:

/home/kos/tomcat9/tomcat-users.xml

Because these credentials are fixed in the shipped configuration, remote attackers can log into the Tomcat Manager without holding any legitimately issued account.

Tomcat Manager lets an authenticated user deploy web applications and perform administrative tasks. Attackers abused the /manager/text/deploy endpoint to upload malicious WAR files.

In real attacks, this was used to deploy the SLAYSTYLE web shell, giving attackers root-level command execution on the appliance.
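Two defender-side checks that follow from the description above, written as an added example (not code from the advisory or from Dell): the first lists every account in a tomcat-users.xml that holds a Manager role, which is where a hardcoded admin credential would sit; the second pulls requests to /manager/text/deploy out of Tomcat access-log lines, since that is the endpoint used to upload the web shell. The XML and log lines are constructed samples; the usernames, passwords and IP addresses in them are placeholders, not Dell's values or the attackers' infrastructure.

```python
import re
import xml.etree.ElementTree as ET

# Tomcat roles that grant access to the Manager app (including the /manager/text API).
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status"}

# Common Log Format as written by Tomcat's AccessLogValve (pattern "common").
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def _local(tag):
    """Strip the namespace; tomcat-users.xml declares xmlns="http://tomcat.apache.org/xml"."""
    return tag.rsplit("}", 1)[-1]

def manager_accounts(xml_text):
    """Return [(username, sorted roles)] for every <user> holding a Manager role."""
    found = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "user":
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        if roles & MANAGER_ROLES:
            found.append((el.get("username"), sorted(roles)))
    return found

def deploy_requests(log_lines):
    """Return (ip, method, path, status) for each access-log hit on /manager/text/deploy."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("path").split("?", 1)[0] == "/manager/text/deploy":
            hits.append((m.group("ip"), m.group("method"), m.group("path"), int(m.group("status"))))
    return hits

# Constructed sample inputs; credential values and addresses are placeholders, not Dell's.
SAMPLE_USERS_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <user username="admin" password="PLACEHOLDER" roles="manager-gui,manager-script"/>
  <user username="reporter" password="PLACEHOLDER" roles="probeuser"/>
</tomcat-users>"""

SAMPLE_ACCESS_LOG = [
    '203.0.113.9 - admin [18/Feb/2026:10:01:02 +0000] "PUT /manager/text/deploy?path=/support HTTP/1.1" 200 63',
    '10.0.0.5 - - [18/Feb/2026:10:01:05 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '203.0.113.9 - - [18/Feb/2026:10:01:09 +0000] "GET /support/default.jsp HTTP/1.1" 200 14',
]
```

Any account returned by manager_accounts on an appliance should be one you deliberately created, and a successful PUT to the deploy endpoint from an unexpected source is worth treating as a possible web shell upload.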

Shift to GRIMBOLT Malware

In September 2025, attackers moved from using BRICKSTORM to a new malware called GRIMBOLT.

GRIMBOLT is written in C#, compiled using Native Ahead-of-Time (AOT), does not include Common Intermediate Language (CIL) metadata, and is packed with UPX.

AOT compilation turns the C# source into native machine code at build time, so the shipped binary carries no CIL. That makes detection harder because many security tools classify .NET malware by scanning CIL metadata, and here there is none to scan.

To stay persistent, attackers modify the legitimate convert_hosts.sh script so the backdoor runs automatically at boot through rc.local.

Advanced Network Evasion

UNC6201 also uses advanced stealth techniques.

Attackers create temporary hidden network interfaces inside ESXi virtual machines, known as “Ghost NICs.” This allows silent movement between internal networks and SaaS infrastructure without triggering monitoring tools.

They also use Single Packet Authorization (SPA). Attackers monitor traffic on port 443 for a specific hexadecimal string. When detected, the source IP is added to an allowlist. Only that IP can access port 10443, while all other traffic is redirected silently. This hides the command-and-control (C2) channel from scanners and security tools.

Vulnerability Details

| CVE ID | CVSS Score | Description |
| --- | --- | --- |
| CVE-2026-22769 | 10.0 (Critical) | A hardcoded credential vulnerability in Dell RecoverPoint for Virtual Machines allows unauthenticated remote attackers to access the underlying OS and establish root-level persistence. |

Affected Versions & Required Actions

Dell has issued urgent mitigation guidance.

| Product | Affected Versions | Remediation Action |
| --- | --- | --- |
| RecoverPoint for Virtual Machines | 5.3 SP4 P1 | Migrate to 6.0 SP3, then upgrade to 6.0.3.1 HF1 OR apply remediation script DSA-2026-079 |
| RecoverPoint for Virtual Machines | 6.0 through 6.0 SP3 P1 | Upgrade to 6.0.3.1 HF1 OR apply remediation script DSA-2026-079 |
| RecoverPoint for Virtual Machines | 5.3 SP4 and earlier | Upgrade to 5.3 SP4 P1 or a 6.x version, then apply the remediation script |

Indicators of Compromise (IOCs)

Published February 18th, 2026 (2026-02-18T11:06:40+05:30)

About the Author:

FirstHackersNews - Identifies Security
