UNC6201 Exploits Dell RecoverPoint for Virtual Machines Zero-Day via Hardcoded Credential
Mandiant/Google Threat Intelligence Group (GTIG) reported active exploitation of a Dell RecoverPoint for Virtual Machines (RP4VM) zero-day, CVE-2026-22769 (rated CVSS 10.0), attributed to suspected PRC-nexus activity tracked as UNC6201. The flaw is described as a hardcoded credential condition that can enable unauthenticated remote access, OS-level control, and root-level persistence, with follow-on activity aimed at persistence and lateral movement into VMware environments. Reporting also indicates the vulnerability was flagged for heightened defender attention via CISA’s Known Exploited Vulnerabilities (KEV) signaling referenced through NVD enrichment.
The incident underscores elevated risk when adversaries compromise backup and recovery infrastructure, which can undermine restore integrity and expand blast radius into virtualization management planes. Public reporting tied to the same activity highlights associated tooling/malware families including BRICKSTORM and GRIMBOLT (and related mentions of SLAYSTYLE) in post-compromise operations, while noting that the initial access vector was not definitively confirmed beyond observed exploitation activity involving RP4VM. A separate malware-news roundup amplified the same UNC6201/RP4VM zero-day reporting, but did not add primary technical detail beyond pointing back to the underlying research.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Dell publishes remediation guidance for affected RP4VM versions
Dell identified affected RecoverPoint for Virtual Machines versions and advised customers to upgrade to 6.0.3.1 HF1 and/or apply a remediation script. The company rated the hardcoded-credential flaw Critical with a CVSS score of 10.0 because it could enable unauthenticated remote access and root-level persistence.
CISA/NVD flag CVE-2026-22769 as actively exploited
The NVD record for CVE-2026-22769 was reported to reference a CISA Known Exploited Vulnerabilities catalog entry through CISA-ADP enrichment, signaling active exploitation concerns. This marked the Dell RecoverPoint RP4VM flaw as an exploited vulnerability requiring urgent attention.
UNC6201 exploits Dell RecoverPoint RP4VM zero-day in intrusions
Mandiant and Google Threat Intelligence Group reported that suspected PRC-linked cluster UNC6201 exploited a Dell RecoverPoint for Virtual Machines zero-day, CVE-2026-22769, during operations. The activity included persistence, lateral movement into VMware environments, and use of malware families including SLAYSTYLE, BRICKSTORM, and GRIMBOLT.
Security Affairs roundup highlights Dell RP4VM zero-day exploitation
Security Affairs included reporting on the UNC6201 exploitation of the Dell RecoverPoint for Virtual Machines zero-day in its Malware Newsletter Round 85. The mention reflected broader public dissemination of the incident within malware and threat-intelligence coverage.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
UNC6201 Exploits Dell RecoverPoint for Virtual Machines Zero-Day
Google-owned Mandiant reported that threat actor **UNC6201** exploited a previously unknown vulnerability in **Dell RecoverPoint for Virtual Machines (RP4VM)**, giving attackers a path into enterprise recovery infrastructure. The activity was described as zero-day exploitation targeting software used for disaster recovery and replication, a high-value foothold because it can provide broad visibility into protected virtual environments and potentially enable follow-on access across connected systems. Reporting on the incident said the flaw was actively abused before a fix was available, underscoring the risk to organizations running Dell RP4VM in production. The disclosures highlight how attackers are increasingly targeting backup, recovery, and virtualization management platforms because compromise of those systems can undermine resilience efforts, expand lateral movement opportunities, and complicate incident response during a broader intrusion.
May 25, 2026
UNC6201 Zero-Day Exploitation of Dell RecoverPoint for Virtual Machines (CVE-2026-22769)
Mandiant and Google Threat Intelligence Group reported **active zero-day exploitation** of a maximum-severity Dell RecoverPoint for Virtual Machines vulnerability, **CVE-2026-22769** (CVSS 10.0), attributed to **UNC6201**, a suspected PRC-nexus threat cluster. The flaw is described as a **hardcoded-credential issue** affecting versions prior to `6.0.3.1 HF1`, enabling unauthenticated attackers with knowledge of the credential to gain unauthorized access to the underlying OS and establish **root-level persistence**; exploitation has been observed since at least mid-2024. Dell has released remediations and urged customers to upgrade/apply fixes per its security advisory. Post-compromise activity observed in incident response engagements included lateral movement, persistence, and malware deployment, including **SLAYSTYLE**, **BRICKSTORM**, and a newly identified backdoor, **GRIMBOLT**. GRIMBOLT (C# with native ahead-of-time compilation) was observed replacing older BRICKSTORM binaries around September 2025 and is intended to complicate static analysis and improve performance on constrained appliances. The actor also demonstrated techniques to pivot into VMware environments, including creating **“Ghost NICs”** on VMware ESXi for stealthy network movement and using `iptables` for **Single Packet Authorization (SPA)**; initial access was not definitively confirmed, though the actor is known to target edge appliances (e.g., VPN concentrators) for entry.
Mar 20, 2026
VMware Workspace ONE Flaw CVE-2022-22954 Hit by Active Malware Campaigns
Attackers actively exploited **VMware Workspace ONE Access**, **Identity Manager**, and **vRealize Automation** flaws in the wild, with **`CVE-2022-22954`** emerging as the primary initial access vector. Palo Alto Networks Unit 42 said exploitation began shortly after VMware disclosed the issue, describing the bug as a trivial server-side template injection that can be triggered with a single HTTP request for remote code execution. The activity prompted a **CISA alert**, and researchers warned that related VMware flaws **`CVE-2022-22972`** and **`CVE-2022-22973`** were also highly likely to be targeted. Observed post-exploitation activity included deployment of **Mirai** and **Gafgyt** variants, **Enemybot**, webshells, Perl-based shellbots, coinminers, and payloads that modified SSH keys for persistence. Unit 42 reported that attackers could chain **`CVE-2022-22960`** after the initial compromise to escalate privileges to root by abusing writable paths and sudo-accessible scripts. The company said its Threat Prevention signature **`92483`** blocks exploitation attempts and noted that **about 800 internet-exposed Workspace ONE Access instances** were visible, underscoring the exposure risk for unpatched organizations.
May 25, 2026