UNC6201 Zero-Day Exploitation of Dell RecoverPoint for Virtual Machines (CVE-2026-22769)

Tags: dell recoverpoint, zero-day, vmware, vmware esxi, exploit, virtual machines, vulnerability, backdoor, iptables, single packet authorization, root persistence, edge appliances, hardcoded credentials

Updated February 19, 2026 at 05:00 AM · 21 sources


Mandiant and Google Threat Intelligence Group reported active zero-day exploitation of a maximum-severity Dell RecoverPoint for Virtual Machines vulnerability, CVE-2026-22769 (CVSS 10.0), attributed to UNC6201, a suspected PRC-nexus threat cluster. The flaw is described as a hardcoded-credential issue affecting versions prior to 6.0.3.1 HF1; an unauthenticated attacker who knows the credential can gain unauthorized access to the underlying OS and establish root-level persistence. Exploitation has been observed since at least mid-2024. Dell has released remediations and urged customers to upgrade or apply the fixes described in its security advisory.

Post-compromise activity observed in incident response engagements included lateral movement, persistence, and malware deployment, including SLAYSTYLE, BRICKSTORM, and a newly identified backdoor, GRIMBOLT. GRIMBOLT (C# with native ahead-of-time compilation) was observed replacing older BRICKSTORM binaries around September 2025 and is intended to complicate static analysis and improve performance on constrained appliances. The actor also demonstrated techniques to pivot into VMware environments, including creating “Ghost NICs” on VMware ESXi for stealthy network movement and using iptables for Single Packet Authorization (SPA); initial access was not definitively confirmed, though the actor is known to target edge appliances (e.g., VPN concentrators) for entry.
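As an added, defender-side illustration of the iptables-based Single Packet Authorization technique mentioned above (example code, not from the original reporting or Mandiant's tooling): the script scans an `iptables-save` dump for the rule shape SPA and port-knocking rely on, a trigger rule that records a source address when a specific packet arrives and a gating rule that only accepts a service port for recorded sources. The rule set, the list name `spa_auth`, the UDP port and the payload string are constructed assumptions for the demo.

```python
# Added example: flag iptables rules shaped like single packet authorization
# (SPA) / port knocking. A trigger rule records the source of a special packet
# (-m recent --set, often with -m string); a gate rule then ACCEPTs a service
# port only for recorded sources (-m recent --rcheck/--update).
import re
from collections import defaultdict

# Constructed iptables-save excerpt (hypothetical list name, port and payload).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p udp --dport 62201 -m string --hex-string "|c0ffee|" --algo bm -m recent --set --name spa_auth --rsource -j DROP
-A INPUT -p tcp --dport 22 -m recent --rcheck --seconds 30 --name spa_auth --rsource -j ACCEPT
-A INPUT -p tcp --dport 22 -j DROP
COMMIT
"""

RECENT_NAME = re.compile(r"-m recent\b.*?--name\s+(\S+)")
DPORT = re.compile(r"--dport\s+(\d+)")

def analyze_spa_rules(iptables_save_text):
    """Map recent-list name -> {'trigger': [rules], 'gate': [rules]}, keeping
    only lists that have both a trigger (--set) and a gating ACCEPT rule."""
    lists = defaultdict(lambda: {"trigger": [], "gate": []})
    for line in iptables_save_text.splitlines():
        m = RECENT_NAME.search(line) if line.startswith("-A ") else None
        if not m:
            continue
        name = m.group(1)
        if "--set" in line:
            lists[name]["trigger"].append(line)
        if ("--rcheck" in line or "--update" in line) and "-j ACCEPT" in line:
            lists[name]["gate"].append(line)
    return {n: v for n, v in lists.items() if v["trigger"] and v["gate"]}

def suspected_gate_ports(findings):
    """Service ports the gating ACCEPT rules expose (sorted, no duplicates)."""
    ports = {int(m.group(1)) for v in findings.values()
             for rule in v["gate"] for m in [DPORT.search(rule)] if m}
    return sorted(ports)

if __name__ == "__main__":
    found = analyze_spa_rules(SAMPLE_RULES)
    for name, v in found.items():
        ports = suspected_gate_ports({name: v})
        print(f"suspected SPA gate '{name}': {len(v['trigger'])} trigger rule(s), gated port(s) {ports}")
```

Run it against `iptables-save` output from an appliance and review any reported list: legitimate knock daemons exist, but a gate that was never deployed by the owner is worth investigating alongside the other persistence indicators in the report.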


Related Stories

UNC6201 Exploits Dell RecoverPoint for Virtual Machines Zero-Day via Hardcoded Credential


**Mandiant/Google Threat Intelligence Group (GTIG)** reported active exploitation of a **Dell RecoverPoint for Virtual Machines (RP4VM)** zero-day, **CVE-2026-22769** (rated **CVSS 10.0**), attributed to suspected PRC-nexus activity tracked as **UNC6201**. The flaw is described as a **hardcoded credential** condition that can enable **unauthenticated remote access**, **OS-level control**, and **root-level persistence**, with follow-on activity aimed at persistence and lateral movement into **VMware** environments. Reporting also indicates the vulnerability was flagged for heightened defender attention through **CISA's Known Exploited Vulnerabilities (KEV)** catalog, as referenced in NVD enrichment. The incident underscores the elevated risk when adversaries compromise **backup and recovery infrastructure**: restore integrity can be undermined and the blast radius extends into virtualization management planes. Public reporting tied to the same activity highlights associated tooling/malware families including **BRICKSTORM** and **GRIMBOLT** (and related mentions of **SLAYSTYLE**) in post-compromise operations, while noting that the **initial access vector was not definitively confirmed** beyond observed exploitation activity involving RP4VM. A separate malware-news roundup amplified the same UNC6201/RP4VM zero-day reporting but did not add primary technical detail beyond pointing back to the underlying research.

2 weeks ago
Active Exploitation of Ivanti EPMM Zero-Day RCE Vulnerabilities


**Ivanti Endpoint Manager Mobile (EPMM)** is being actively exploited via two critical, unauthenticated remote code execution vulnerabilities, **CVE-2026-1281** and **CVE-2026-1340** (both reported as CVSS 9.8). Reporting describes attackers achieving full control of exposed EPMM/MDM infrastructure, including establishing reverse shells, deploying web shells, performing reconnaissance, and downloading additional malware; activity has been observed across multiple countries and sectors (including government, healthcare, manufacturing, and technology). **CISA added CVE-2026-1281 to the Known Exploited Vulnerabilities (KEV) Catalog**, and defenders are urged to apply Ivanti’s available fixes/updates per the vendor advisory. Telemetry and threat-intel observations indicate broad internet exposure and automation in exploitation. Unit 42 reported visibility into **4,400+** EPMM instances, and noted threat actors shifting from initial exploitation toward **dormant backdoors** intended to preserve access even after patching. GreyNoise data highlighted that a large share of observed exploitation traffic (reported as **83%**) originated from a single IP, `193.24.123.42`, associated with “bulletproof” hosting, with attackers rotating user-agent strings consistent with mass scanning/exploitation; the same infrastructure was also linked to attempts against other products (e.g., Oracle WebLogic, `telnetd`, and GLPI).

3 weeks ago
Active Exploitation of Critical Infrastructure Management RCE Flaws


Multiple maximum-severity vulnerabilities in enterprise infrastructure management products are being **actively exploited**, enabling unauthenticated remote code execution as `root` and creating high-impact initial access paths into data center and security operations environments. Reported exploitation includes mass, automated scanning and rapid weaponization following public disclosure and PoC availability, increasing the likelihood of opportunistic compromise, follow-on payload delivery, and lateral movement in affected networks. Fortinet *FortiSIEM* is reported as under active attack via **CVE-2024-23108**, an unauthenticated command-injection issue in the `phMonitor` component (noted as listening on TCP `8014`) that can yield full system compromise. Separately, Cisco *Secure Email Gateway* / *Secure Email and Web Manager* is reported as exploited via **CVE-2024-20353** (CVSS 10.0), with activity attributed to China-linked **UAT-9686** leveraging the Spam Quarantine interface to gain root execution and deploy custom malware for persistence and evasion. In parallel, Check Point-linked reporting describes **RondoDox** botnet-driven exploitation of HPE *OneView* **CVE-2025-37164** at scale (tens of thousands of attempts observed), consistent with an “exploit-shotgun” approach used to build botnets for DDoS, cryptomining, and secondary payload delivery; the surge coincided with the flaw’s addition to CISA’s known-exploited list.

1 month ago
