The Dell RecoverPoint Zero-Day and China’s Expanding Playbook

Dell RecoverPoint zero-day

Dell recently published an advisory and security update for CVE-2026-22769, a critical vulnerability in many versions of Dell RecoverPoint for Virtual Machines. The flaw has been actively exploited in the wild since mid-2024, with the exploitation attributed to UNC6201. Because it can give unauthenticated remote attackers persistent access, the vulnerability highlights the strategic importance of disaster recovery platforms.

The Vulnerability: Hardcoded Credentials in a Resilience Platform

The flaw is a hardcoded credential issue affecting Dell RecoverPoint for Virtual Machines versions before 6.0.3.1 HF1. It was identified by Mandiant and Google Threat Intelligence Group (GTIG) researchers and subsequently reported to Dell. Attackers who know the hardcoded credentials can use them to gain unauthorized access and root-level persistence on the appliance's operating system.

Patch guidance directs customers to update the software to version 6.0.3.1 HF1 or later to fix the vulnerability. Dell has also provided instructions for running a nondisruptive script on each appliance in the RecoverPoint for Virtual Machines system to remediate the flaw.
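The first practical question for a defender is which appliances in an inventory still run a version before 6.0.3.1 HF1. The hotfix suffix makes naive string comparison unreliable, so the following added example (not Dell's tooling, and not code from the original article) parses Dell-style version strings into comparable tuples. The hostnames and versions in the sample inventory are constructed, and the assumption that "6.0.3.1 HF1" sorts after plain "6.0.3.1" but before the next numeric release (6.0.3.2) is this example's own reading of the advisory, not something Dell states explicitly.

```python
import re
from dataclasses import dataclass

# Fixed release per the Dell advisory. Ordering assumption (ours, not Dell's):
# "X HFn" sorts after plain "X" and before the next numeric release.
FIXED_RELEASE = "6.0.3.1 HF1"

_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> tuple[tuple[int, ...], int]:
    """Split 'a.b.c.d [HFn]' into (numeric tuple padded to 4, hotfix number)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognized version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * max(0, 4 - len(parts))  # "6.0.3" compares as 6.0.3.0
    hotfix = int(m.group(2)) if m.group(2) else 0
    return tuple(parts), hotfix


def is_affected(version: str) -> bool:
    """True when the appliance version sorts before the fixed release."""
    return parse_version(version) < parse_version(FIXED_RELEASE)


@dataclass
class Appliance:
    host: str
    version: str


def triage(inventory: list) -> list:
    """One record per appliance: affected True/False, or None when unparsable."""
    report = []
    for a in inventory:
        try:
            verdict = is_affected(a.version)
            note = "update to 6.0.3.1 HF1 or later" if verdict else "at or above fixed release"
        except ValueError as exc:
            verdict, note = None, f"manual review: {exc}"
        report.append({"host": a.host, "version": a.version, "affected": verdict, "note": note})
    return report


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    Appliance("rp4vm-plugin-01", "6.0.3"),
    Appliance("rp4vm-plugin-02", "6.0.3.1"),
    Appliance("rp4vm-plugin-03", "6.0.3.1 HF1"),
    Appliance("rp4vm-plugin-04", "6.0.3.2"),
    Appliance("rp4vm-plugin-05", "unknown"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f"{row['host']:18} {row['version']:12} affected={row['affected']}  {row['note']}")
```

Versions that do not parse are flagged for manual review rather than silently treated as safe; an inventory field that reads "unknown" is a finding in its own right. Note that a version check only answers the patch question. An appliance that was compromised before the update still needs the monitoring and eviction work discussed later in the article, since the fix does not remove an existing backdoor.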

Design-level flaws like this are more dangerous than misconfigurations, requiring more effort to remediate than simply adjusting a setting. “Exploiting it requires no novel technique,” says Jacob Krell, Senior Director: Secure AI Solutions & Cybersecurity, Suzu Labs. “It requires knowing a password that shipped with the product. That is about as simple as a vulnerability gets and certainly not something that takes years of research to exploit.”

Targeting Resilience: A Strategic Shift

RecoverPoint plays a central role in VMware environments, which is what makes this vulnerability so serious. Many organizations rely on RecoverPoint for VMware virtual machine recovery, using its continuous data protection and its integration with the virtualization platform. Attacks on this infrastructure can have severe consequences for an organization and the systems it is meant to protect.

Attackers who gain a privileged foothold inside virtualized infrastructure can use it for lateral movement, long-term persistence, and malware deployment. This vulnerability is also part of a larger trend of attacks targeting backup and recovery systems, where a compromise can cause severe damage to an organization.

Who Is UNC6201?

The disclosure of this vulnerability by GTIG is the first public mention of the threat group UNC6201, a suspected China-linked threat cluster leveraging lateral movement and persistent access to deploy malware. The group has overlapping tactics and potential ties to UNC5221, also known as Silk Typhoon, although they are not considered to be the same cluster at this time.

The group’s tactics show a pattern of extended dwell times within targeted systems, as well as a history of using BRICKSTORM malware. While the initial access vector is unknown, the group has been known to aim for edge appliances like VPN concentrators. UNC6201 is believed to have been exploiting this flaw since mid-2024, deploying several types of malware, including the SLAYSTYLE web shell and BRICKSTORM and GRIMBOLT backdoors.

Malware Evolution: From BRICKSTORM to GRIMBOLT

Beginning in September 2025, Mandiant's analysis of RecoverPoint for Virtual Machines uncovered BRICKSTORM binaries being replaced with GRIMBOLT, a C# backdoor built with native ahead-of-time (AOT) compilation and packed with UPX. It provides remote shell functionality using the same command and control methods as the previously used BRICKSTORM. The shift in malware could reflect planned lifecycle evolution or a response to defensive efforts.

To evade security measures and maintain persistence, GRIMBOLT is designed with features that complicate static analysis and improve the malware's performance on appliances with limited resources. Native AOT compilation means there is no managed .NET assembly to decompile, and UPX packing means the image must be unpacked before it can be disassembled. The move from BRICKSTORM to GRIMBOLT therefore makes detection and analysis more difficult for defenders.
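The UPX packing mentioned above is one of the few concrete, file-level attributes the report gives defenders to work with. The following added example (not Mandiant's or Dell's code, and not from the original article) is a triage heuristic that walks a filesystem and flags ELF executables still carrying the UPX marker string. The byte strings used as samples are constructed stand-ins, not real binaries and not GRIMBOLT. UPX is also used by legitimate software, and an attacker can strip or patch the marker, so a hit is a lead for a human analyst, not a detection of GRIMBOLT.

```python
import os
import sys

ELF_MAGIC = b"\x7fELF"
UPX_MARKER = b"UPX!"             # magic that UPX writes into the headers of packed files
MAX_SCAN_BYTES = 64 * 1024 * 1024  # skip very large files to keep the walk cheap


def is_elf(data: bytes) -> bool:
    """Cheap check on the ELF identification bytes."""
    return data[:4] == ELF_MAGIC


def looks_upx_packed(data: bytes) -> bool:
    """Heuristic: an ELF image that still contains the UPX! marker.

    Non-ELF files containing the string (scripts, logs) are deliberately ignored.
    """
    return is_elf(data) and UPX_MARKER in data


def scan_tree(root: str) -> list:
    """Walk root and return sorted paths of ELF files that look UPX-packed."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.islink(path) or os.path.getsize(path) > MAX_SCAN_BYTES:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable or vanished; not a hit, but worth logging elsewhere
            if looks_upx_packed(data):
                hits.append(path)
    return sorted(hits)


# Constructed byte strings standing in for files on disk. They are not real
# binaries and certainly not malware samples.
SAMPLE_PACKED_ELF = (
    ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 57    # fake 64-bit ELF identification
    + UPX_MARKER + b"\x0d\x0b\x0c" + b"\x00" * 64  # marker where UPX's l_info sits
)
SAMPLE_PLAIN_ELF = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 124
SAMPLE_SCRIPT_WITH_MARKER = b"#!/bin/sh\necho UPX!\n"

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for p in scan_tree(root):
        print(p)
```

Run it against the appliance's writable and binary directories and diff the result against a known-good image of the same RecoverPoint release; anything packed that the vendor did not ship is what needs a closer look. On an appliance, a result set of zero is not proof of absence, both because the marker can be removed and because GRIMBOLT is only one of the families the report names.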

The Zero-Day Feedback Loop

While threat intelligence and zero-day disclosures are vital for defenders, they can also create new risks when threat actors get hold of vulnerability information, including information that was never made public. There has been prior reporting that UNC5221 (Silk Typhoon) may use stolen data to identify new zero-days, creating a cycle of zero-day exploitation. It is unclear at this time whether CVE-2026-22769 was discovered this way, but it is a possibility.

This creates a strategic risk: vulnerability research that is meant to strengthen defenses can, if stolen, be turned directly into new intrusions. The result is a compounding attacker advantage over time and a gap that organizations and defenders struggle to close.

What This Means for Enterprise Security

The discovery of this flaw underlines that disaster recovery systems are among an organization's crown jewels and are highly prized by threat actors. Infrastructure tooling presents an expanding attack surface, often with insufficient visibility and monitoring. That combination makes these systems harder to protect and easier to attack, and a prime target for bad actors.

This vulnerability and its exploitation demonstrate the importance of patch management and monitoring capabilities. It is also crucial to re-evaluate the trust placed in embedded credentials so that issues like this one do not cause harm in the future. “A vulnerability can be fixed in a single update. The exposure created by over-privileged infrastructure components often takes far more deliberate work to unwind,” according to Vishal Agarwal, CTO, Averlon. “That is the gap security teams need to close systematically, not just reactively.”

Resilience as the New Battleground

This flaw is not an isolated incident but a symptom of a systemic issue much larger than a single vendor. Espionage campaigns increasingly rely on zero-days as a normal means of infiltration and persistence. The vulnerability in RecoverPoint for Virtual Machines underscores the urgent need for defensive visibility into management-plane systems.

Author
  • Contributing Writer, Security Buzz
    PJ Bradley is a writer from southeast Michigan with a Bachelor's degree in history from Oakland University. She has a background in school-age care and experience tutoring college history students.