Dell RecoverPoint for VMs Zero-Day CVE-2026-22769 exploited since mid-2024
Ravi Lakshmanan, February 18, 2026 (Zero-day / Vulnerabilities)
A maximum-severity security vulnerability in Dell RecoverPoint for Virtual Machines has been exploited as a zero-day by a suspected China-linked threat cluster known as UNC6201 since mid-2024, according to a new report from Google Mandiant and the Google Threat Intelligence Group (GTIG).

This activity involves exploitation of CVE-2026-22769 (CVSS score: 10.0), a case of hardcoded credentials affecting versions prior to 6.0.3.1 HF1. No other products, including RecoverPoint Classic, are vulnerable to this flaw.

“This is considered important because an unauthenticated, remote attacker with knowledge of hard-coded credentials could exploit this vulnerability to gain unauthorized access to the underlying operating system or gain root-level persistence,” Dell said in a security bulletin published Tuesday.

This issue affects the following products:

  • RecoverPoint for Virtual Machines version 5.3 SP4 P1 – Migrate from RecoverPoint for Virtual Machines 5.3 SP4 P1 to 6.0 SP3 and then upgrade to 6.0.3.1 HF1.
  • RecoverPoint for Virtual Machines versions 6.0, 6.0 SP1, 6.0 SP1 P1, 6.0 SP1 P2, 6.0 SP2, 6.0 SP2 P1, 6.0 SP3, and 6.0 SP3 P1 – Upgrade to 6.0.3.1 HF1.
  • RecoverPoint for Virtual Machines versions 5.3 SP4, 5.3 SP3, 5.3 SP2 and earlier – Upgrade to version 5.3 SP4 P1 or a 6.x version and apply any remediation that version requires.

“Dell recommends deploying RecoverPoint for Virtual Machines within a trusted, access-controlled internal network protected by appropriate firewalls and network segmentation,” the bulletin adds. “RecoverPoint for Virtual Machines is not intended for use on untrusted or public networks.”

According to Google, the hard-coded credentials belong to the “admin” user of the Apache Tomcat Manager instance on the appliance. Authenticating to the Dell RecoverPoint Tomcat Manager with them lets an attacker upload a web shell named SLAYSTYLE via the “/manager/text/deploy” endpoint, run commands as root on the appliance, and drop the BRICKSTORM backdoor or its newer version, GRIMBOLT.
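Added here as an example (not code from the report, Dell, or Google): a small Python scan over Tomcat access-log lines that flags successful calls to the Manager deploy endpoints and any later request into the context those calls deployed. The log lines, the `/rp` context path and the addresses are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Tomcat access-log lines (common log format); not real appliance data.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Feb/2026:10:14:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - admin [18/Feb/2026:10:15:32 +0000] "PUT /manager/text/deploy?path=/rp&update=true HTTP/1.1" 200 61
10.0.0.7 - - [18/Feb/2026:10:16:10 +0000] "GET /rp/ HTTP/1.1" 200 115
192.168.1.20 - - [18/Feb/2026:10:20:00 +0000] "GET /ui/ HTTP/1.1" 200 8192
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Manager endpoints that install or replace a web application on the server.
DEPLOY_ENDPOINTS = {"/manager/text/deploy", "/manager/html/upload", "/manager/html/deploy"}


def find_manager_deployments(log_text):
    """Return one finding per successful (2xx) call to a Manager deploy endpoint,
    plus one per later successful request into the context path that call deployed."""
    findings, deployed = [], set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        ok = m["status"].startswith("2")
        if url.path in DEPLOY_ENDPOINTS and ok:
            # The "path" query parameter names the context being deployed.
            ctx = parse_qs(url.query).get("path", [""])[0].rstrip("/")
            if ctx:
                deployed.add(ctx)
            findings.append({"kind": "manager_deploy", "ip": m["ip"], "user": m["user"],
                             "ts": m["ts"], "context": ctx})
        elif ok and any(url.path == c or url.path.startswith(c + "/") for c in deployed):
            findings.append({"kind": "deployed_context_hit", "ip": m["ip"],
                             "ts": m["ts"], "path": url.path})
    return findings


if __name__ == "__main__":
    for finding in find_manager_deployments(SAMPLE_LOG):
        print(finding)
```

A 401 against `/manager/html` is deliberately not flagged; only a successful deploy and traffic into the resulting context are reported.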

“This is a C# backdoor compiled using native AOT (Ahead-of-Time) compilation, making it difficult to reverse engineer,” added Mandiant’s Charles Carmakal.

Google told The Hacker News that the campaign is targeting organizations across North America, and that GRIMBOLT has built-in capabilities to successfully evade detection and minimize forensic footprint on infected hosts. “GRIMBOLT is even better at integrating with the system’s own native files,” he added.

UNC6201 is assessed to overlap with UNC5221, another China-aligned espionage cluster known for exploiting virtualization technology and Ivanti zero-day vulnerabilities to distribute web shells and malware families such as BEEFLUSH, BRICKSTORM, and ZIPLINE.

Despite their tactical similarities, the two clusters are currently assessed as distinct. It is also worth noting that the use of BRICKSTORM has been linked by CrowdStrike to a third China-aligned adversary being tracked as Warp Panda for attacks targeting US companies.

A notable aspect of the latest attacks is UNC6201’s reliance on temporary virtual network interfaces (referred to as “ghost NICs”) to move from compromised virtual machines into internal or SaaS environments; the NICs are then removed to cover its tracks and thwart investigation.

“Similar to previous BRICKSTORM campaigns, UNC6201 continues to target appliances that typically lack traditional endpoint detection and response (EDR) agents and remain undetected for long periods of time,” Google said.

Exactly how initial access is gained is still unknown, but, like UNC5221, the group is also known to target edge appliances to break into victim networks. Analysis of a compromised VMware vCenter appliance also revealed iptables commands, executed through a web shell, that perform the following sequence of actions:

  • Monitor incoming traffic on port 443 for specific hex strings.
  • Add the source IP address of that traffic to an allow list.
  • If a source IP on the list connects to port 10443, accept the connection.
  • If the source IP is on the list, silently redirect its subsequent traffic from port 443 to port 10443 for the next 300 seconds (5 minutes).
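A defender-side check for this pattern, added here as an example and not part of the report: a Python scan over `iptables-save` output that looks for a `-m recent` list populated by a payload (`--string`/`--hex-string`) match and then consulted by ACCEPT, REDIRECT or DNAT rules. The rule lines below are constructed to mirror the described behaviour (the hex pattern and list name are placeholders, not the actor's values).

```python
import re

# Constructed iptables-save output; not rules recovered from any real appliance.
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 443 -m recent --rcheck --seconds 300 --name knock -j REDIRECT --to-ports 10443
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 443 -m string --hex-string "|41 42 43 44|" --algo bm -m recent --set --name knock
-A INPUT -p tcp --dport 10443 -m recent --rcheck --name knock -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
"""


def _opt(rule, name):
    """Value following an option such as --dport or -j, or None if absent."""
    m = re.search(r'(?:^|\s)' + re.escape(name) + r'\s+("[^"]*"|\S+)', rule)
    return m.group(1).strip('"') if m else None


def find_knock_chains(iptables_save):
    """Group `-m recent` rules by list name and return the lists that are both
    populated by a payload match (trigger) and consulted by an ACCEPT/REDIRECT/DNAT
    rule (gate): the port-knocking shape described above."""
    lists = {}
    for line in iptables_save.splitlines():
        if not line.startswith("-A ") or "-m recent" not in line:
            continue
        name = _opt(line, "--name") or "DEFAULT"
        entry = lists.setdefault(name, {"triggers": [], "gates": [], "seconds": None})
        target = _opt(line, "-j")
        pattern = _opt(line, "--hex-string") or _opt(line, "--string")
        if "--set" in line.split() and pattern:
            # Source addresses are added to the list when the payload matches.
            entry["triggers"].append({"dport": _opt(line, "--dport"), "pattern": pattern})
        elif ("--rcheck" in line or "--update" in line) and target in ("ACCEPT", "REDIRECT", "DNAT"):
            # Listed sources are let through or rewritten, optionally for a time window.
            entry["gates"].append({"dport": _opt(line, "--dport"), "target": target,
                                   "to": _opt(line, "--to-ports") or _opt(line, "--to-destination")})
            if _opt(line, "--seconds"):
                entry["seconds"] = int(_opt(line, "--seconds"))
    return {n: e for n, e in lists.items() if e["triggers"] and e["gates"]}


if __name__ == "__main__":
    print(find_knock_chains(SAMPLE_RULES))
```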

The threat actor was also found replacing old BRICKSTORM binaries with GRIMBOLT in September 2025. GRIMBOLT also provides remote shell functionality and uses the same command and control (C2) as BRICKSTORM, but it is unclear what prompted the transition to harder-to-detect malware, whether it was a planned transition, or in response to public disclosures regarding BRICKSTORM.

“Nation-state threat actors continue to target systems that typically do not support EDR solutions, making it much harder for victim organizations to notice security breaches and significantly increasing the dwell time of intrusions,” Carmakal said.

The disclosure comes as Dragos warned of attacks by Chinese groups like Volt Typhoon (also known as Voltzite) that compromised Sierra Wireless AirLink gateways in the electric and oil and gas sectors, then moved on to target engineering workstations and dump configuration and alarm data.

According to the cybersecurity company, this activity took place in July 2025. The group is said to have obtained initial access from Sylvanite, which rapidly weaponizes vulnerabilities in edge devices before they can be patched and then hands that access off for deeper operational technology (OT) intrusions.

“Voltzite went beyond data leaks to directly interact with engineering workstations to investigate what could trigger a process outage,” Dragos said. “This means that the last practical barrier between having access and causing physical impact is removed. Cellular gateways bypass traditional security controls and create an unauthorized path into the OT network.”