UNC6201 Zero-Day Exploitation of Dell RecoverPoint for Virtual Machines (CVE-2026-22769)
Mandiant and Google Threat Intelligence Group reported active zero-day exploitation of a maximum-severity Dell RecoverPoint for Virtual Machines vulnerability, CVE-2026-22769 (CVSS 10.0), attributed to UNC6201, a suspected PRC-nexus threat cluster. The flaw is described as a hardcoded-credential issue affecting versions prior to 6.0.3.1 HF1, enabling unauthenticated attackers with knowledge of the credential to gain unauthorized access to the underlying OS and establish root-level persistence; exploitation has been observed since at least mid-2024. Dell has released remediations and urged customers to upgrade or apply the fixes described in its security advisory.
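As an added example (not code from Dell, Mandiant or any vendor named on this page), the following Python helper triages an appliance inventory against the fixed release 6.0.3.1 HF1 named above. It assumes versions are reported as dotted numbers with an optional "HF<n>" hotfix tag, and that a release without a hotfix tag sorts below the same release with HF1; both are assumptions about the version-string format, not facts from the advisory.

```python
"""Flag RecoverPoint for Virtual Machines versions older than 6.0.3.1 HF1.

Added example, not Dell's code. Assumption: version strings look like
"6.0.3.1" or "6.0.3.1 HF1"; a missing hotfix tag counts as hotfix 0, so
plain 6.0.3.1 is still treated as vulnerable.
"""
import re

FIXED_VERSION = "6.0.3.1 HF1"  # fixed release as stated on this page

# Dotted numeric version, optional whitespace, optional "HF<n>" suffix.
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> tuple:
    """Turn '6.0.3.1 HF1' into a comparable key ((6, 0, 3, 1), 1).

    Numeric fields are padded to at least four places so '6.1' compares as
    6.1.0.0 rather than sorting below 6.0.3.1 by length alone.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised RecoverPoint version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (4 - len(parts))
    hotfix = int(m.group(2)) if m.group(2) else 0
    return (tuple(parts), hotfix)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is strictly older than the fixed release."""
    return parse_version(version) < parse_version(fixed)


def triage(inventory: dict) -> list:
    """Return the sorted names of appliances whose version is still exposed."""
    return sorted(name for name, ver in inventory.items() if is_vulnerable(ver))


if __name__ == "__main__":
    # Constructed inventory for demonstration only; these are not real hosts.
    sample = {
        "rp4vm-dc1": "6.0.3.0",
        "rp4vm-dc2": "6.0.3.1",
        "rp4vm-dc3": "6.0.3.1 HF1",
        "rp4vm-lab": "6.0.3.2",
    }
    for host in triage(sample):
        print(f"{host}: {sample[host]} is prior to {FIXED_VERSION}; remediate")
```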
Post-compromise activity observed in incident response engagements included lateral movement, persistence, and malware deployment, including SLAYSTYLE, BRICKSTORM, and a newly identified backdoor, GRIMBOLT. GRIMBOLT (C# with native ahead-of-time compilation) was observed replacing older BRICKSTORM binaries around September 2025 and is intended to complicate static analysis and improve performance on constrained appliances. The actor also demonstrated techniques to pivot into VMware environments, including creating “Ghost NICs” on VMware ESXi for stealthy network movement and using iptables for Single Packet Authorization (SPA); initial access was not definitively confirmed, though the actor is known to target edge appliances (e.g., VPN concentrators) for entry.

How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
CISA orders U.S. federal agencies to patch Dell bug
After confirming exploitation, CISA ordered U.S. federal civilian agencies to remediate CVE-2026-22769 by Saturday. The directive highlighted the urgency because RecoverPoint for Virtual Machines operates with elevated privileges and deep access to virtualized infrastructure.
Canadian Centre for Cyber Security urges patching
The Canadian Centre for Cyber Security issued advisory AV26-138 referencing Dell's February 17 security update and warning that CVE-2026-22769 was being actively exploited in the wild. It urged administrators to review Dell's advisory and apply the necessary updates.
Detection guidance and IOCs for the campaign are released
Public reporting on the campaign included indicators of compromise, YARA rules, file paths, hashes, and other technical details to help defenders identify BRICKSTORM and GRIMBOLT activity. Researchers warned that prior BRICKSTORM victims should also hunt for the newer GRIMBOLT backdoor.
Mandiant and GTIG publish attribution and technical findings
Google Threat Intelligence Group and Mandiant publicly reported that UNC6201 had exploited the Dell zero-day since mid-2024 and linked the activity to broader PRC-nexus operations with overlap to UNC5221. Their reporting detailed malware used in the campaign, persistence methods, and VMware-focused tradecraft including Ghost NICs.
CVE-2026-22769 is publicly cataloged as a critical flaw
Public vulnerability records described CVE-2026-22769 as a CVSS 10.0 hardcoded credential issue affecting Dell RecoverPoint for Virtual Machines versions prior to 6.0.3.1 HF1. The record noted that unauthenticated attackers who know the credential could gain OS access and establish root persistence.
Dell discloses and patches CVE-2026-22769
Dell published advisory DSA-2026-079 for CVE-2026-22769, a critical hardcoded-credential vulnerability in RecoverPoint for Virtual Machines, and released fixed versions including 6.0.3.1 HF1. Dell said the issue had seen limited active exploitation and urged customers to upgrade or apply mitigations immediately.
UNC6201 replaces BRICKSTORM with GRIMBOLT
By September 2025, investigators observed UNC6201 replacing older BRICKSTORM implants with a newer C# backdoor called GRIMBOLT. GRIMBOLT reused some BRICKSTORM command-and-control infrastructure while aiming to be harder to detect and reverse engineer.
Attackers use SLAYSTYLE and BRICKSTORM after initial compromise
Following exploitation, UNC6201 used Tomcat Manager access to upload a malicious WAR file containing the SLAYSTYLE web shell and deployed BRICKSTORM to maintain access in victim environments. The campaign also involved persistence changes to legitimate boot-time scripts and stealthy VMware pivoting techniques such as temporary “Ghost NICs”.
UNC6201 begins exploiting Dell RecoverPoint zero-day
Mandiant and Google assessed that the China-linked cluster UNC6201 had been exploiting the Dell RecoverPoint for Virtual Machines flaw later assigned CVE-2026-22769 as a zero-day since at least mid-2024. The bug allowed unauthenticated access via a hardcoded credential and enabled root-level persistence on affected appliances.
Sources
China-linked UNC6201 exploits 10.0 bug in Dell RecoverPoint for VMs since mid-2024 | SC Media (scworld.com)
Dell security advisory (AV26-138) - Canadian Centre for Cyber Security (cyber.gc.ca)
UNC6201 Exploits Dell RecoverPoint Zero-Day (ampcuscyber.com)
Backdoor in Backup: UNC6201 Exploits RecoverPoint Zero-Day to Deploy GRIMBOLT - SecPod Blog (secpod.com)
UNC6201 Exploiting a Dell RecoverPoint for Virtual Machines Zero-Day | Google Cloud Blog | Charles Carmakal (linkedin.com)
CVE-2026-22769 - Dell RecoverPoint for Virtual Machines Hardcoded Credential Remote Authentication Bypass (cvefeed.io)
Chinese hackers exploiting Dell zero-day flaw since mid-2024 (bleepingcomputer.com)
DSA-2026-079: Security Update for RecoverPoint for Virtual Machines Hardcoded Credential Vulnerability | Dell US (dell.com)