UNC6201 Exploits Dell RecoverPoint for Virtual Machines Zero-Day via Hardcoded Credential
Mandiant/Google Threat Intelligence Group (GTIG) reported active exploitation of a Dell RecoverPoint for Virtual Machines (RP4VM) zero-day, CVE-2026-22769 (rated CVSS 10.0), attributed to suspected PRC-nexus activity tracked as UNC6201. The flaw is described as a hardcoded credential condition that can enable unauthenticated remote access, OS-level control, and root-level persistence, with follow-on activity aimed at persistence and lateral movement into VMware environments. Reporting also indicates that the vulnerability was flagged for heightened defender attention through CISA’s Known Exploited Vulnerabilities (KEV) catalog, as referenced in NVD enrichment data.
The incident underscores elevated risk when adversaries compromise backup and recovery infrastructure, which can undermine restore integrity and expand blast radius into virtualization management planes. Public reporting tied to the same activity highlights associated tooling/malware families including BRICKSTORM and GRIMBOLT (and related mentions of SLAYSTYLE) in post-compromise operations, while noting that the initial access vector was not definitively confirmed beyond observed exploitation activity involving RP4VM. A separate malware-news roundup amplified the same UNC6201/RP4VM zero-day reporting, but did not add primary technical detail beyond pointing back to the underlying research.
Related Stories

UNC6201 Zero-Day Exploitation of Dell RecoverPoint for Virtual Machines (CVE-2026-22769)
Mandiant and Google Threat Intelligence Group reported **active zero-day exploitation** of a maximum-severity Dell RecoverPoint for Virtual Machines vulnerability, **CVE-2026-22769** (CVSS 10.0), attributed to **UNC6201**, a suspected PRC-nexus threat cluster. The flaw is described as a **hardcoded-credential issue** affecting versions prior to `6.0.3.1 HF1`, enabling unauthenticated attackers with knowledge of the credential to gain unauthorized access to the underlying OS and establish **root-level persistence**; exploitation has been observed since at least mid-2024. Dell has released remediations and urged customers to upgrade/apply fixes per its security advisory. Post-compromise activity observed in incident response engagements included lateral movement, persistence, and malware deployment, including **SLAYSTYLE**, **BRICKSTORM**, and a newly identified backdoor, **GRIMBOLT**. GRIMBOLT (C# with native ahead-of-time compilation) was observed replacing older BRICKSTORM binaries around September 2025 and is intended to complicate static analysis and improve performance on constrained appliances. The actor also demonstrated techniques to pivot into VMware environments, including creating **“Ghost NICs”** on VMware ESXi for stealthy network movement and using `iptables` for **Single Packet Authorization (SPA)**; initial access was not definitively confirmed, though the actor is known to target edge appliances (e.g., VPN concentrators) for entry.
3 weeks ago
Active Exploitation of Ivanti EPMM Zero-Day RCE Vulnerabilities
**Ivanti Endpoint Manager Mobile (EPMM)** is being actively exploited via two critical, unauthenticated remote code execution vulnerabilities, **CVE-2026-1281** and **CVE-2026-1340** (both reported as CVSS 9.8). Reporting describes attackers achieving full control of exposed EPMM/MDM infrastructure, including establishing reverse shells, deploying web shells, performing reconnaissance, and downloading additional malware; activity has been observed across multiple countries and sectors (including government, healthcare, manufacturing, and technology). **CISA added CVE-2026-1281 to the Known Exploited Vulnerabilities (KEV) Catalog**, and defenders are urged to apply Ivanti’s available fixes/updates per the vendor advisory. Telemetry and threat-intel observations indicate broad internet exposure and automation in exploitation. Unit 42 reported visibility into **4,400+** EPMM instances, and noted threat actors shifting from initial exploitation toward **dormant backdoors** intended to preserve access even after patching. GreyNoise data highlighted that a large share of observed exploitation traffic (reported as **83%**) originated from a single IP, `193.24.123.42`, associated with “bulletproof” hosting, with attackers rotating user-agent strings consistent with mass scanning/exploitation; the same infrastructure was also linked to attempts against other products (e.g., Oracle WebLogic, `telnetd`, and GLPI).
3 weeks ago
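The GreyNoise observation above (one source IP responsible for most exploitation traffic while rotating user-agent strings) is the kind of pattern a defender can surface from ordinary web-server access logs. The following is an added example, not code from the original story or from GreyNoise or Unit 42: it parses combined-format access-log lines, profiles each source IP by request share and number of distinct user agents, and flags sources that dominate traffic while cycling user agents. The log lines are constructed; only the IP `193.24.123.42` comes from the report, and the thresholds are assumptions to tune per environment.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access-log lines (combined log format). Only 193.24.123.42
# is taken from the report; the other addresses, paths and user agents are made up.
SAMPLE_LOG = """\
193.24.123.42 - - [02/Feb/2026:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
193.24.123.42 - - [02/Feb/2026:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.4.0"
193.24.123.42 - - [02/Feb/2026:10:00:03 +0000] "GET /login HTTP/1.1" 200 1024 "-" "python-requests/2.31"
203.0.113.9 - - [02/Feb/2026:10:00:04 +0000] "GET /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
193.24.123.42 - - [02/Feb/2026:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X)"
198.51.100.7 - - [02/Feb/2026:10:00:06 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
193.24.123.42 - - [02/Feb/2026:10:00:07 +0000] "GET /login HTTP/1.1" 200 1024 "-" "Go-http-client/1.1"
"""

# Combined log format: client IP, ident, user, [timestamp], "request", status,
# size, "referer", "user-agent". We only need the IP and the user-agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Return a list of (source_ip, user_agent) tuples; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append((m.group("ip"), m.group("ua")))
    return records


def source_profile(records):
    """Per source IP: request count, share of all requests, distinct user agents."""
    requests = Counter()
    agents = defaultdict(set)
    for ip, ua in records:
        requests[ip] += 1
        agents[ip].add(ua)
    total = sum(requests.values())
    return {
        ip: {
            "requests": n,
            "share": n / total,
            "distinct_user_agents": len(agents[ip]),
        }
        for ip, n in requests.items()
    }


def flag_sources(profile, share_threshold=0.5, ua_threshold=3):
    """Sources that dominate traffic AND rotate user agents; thresholds are assumed."""
    return sorted(
        ip
        for ip, p in profile.items()
        if p["share"] >= share_threshold and p["distinct_user_agents"] >= ua_threshold
    )


if __name__ == "__main__":
    prof = source_profile(parse_log(SAMPLE_LOG))
    for ip in flag_sources(prof):
        p = prof[ip]
        print(f"{ip}: {p['requests']} requests ({p['share']:.0%}), "
              f"{p['distinct_user_agents']} distinct user agents")
```

In practice the share threshold should be computed per endpoint or per time window rather than over a whole log, since a single busy but legitimate client (a load balancer health check, for instance) can also dominate request counts; the user-agent rotation signal is what separates scanning infrastructure from that case.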
Active Exploitation of Critical RCE Vulnerabilities in Enterprise Infrastructure (Cisco UC and VMware vCenter)
Reports warn of **in-the-wild exploitation** of critical remote code execution vulnerabilities affecting widely deployed enterprise infrastructure. One report describes a purported Cisco Unified Communications zero-day, **CVE-2024-20253**, impacting *Cisco Unified Communications Manager (Unified CM)*, *Cisco Unity Connection*, and *Webex Calling Dedicated Instance*, and claims it enables **unauthenticated command execution** via the web management interface, creating risk of full system compromise and rapid opportunistic scanning of internet-exposed instances. Separately, **CISA added Broadcom VMware vCenter Server CVE-2024-37079** (CVSS 9.8) to the **Known Exploited Vulnerabilities (KEV)** catalog based on evidence of exploitation; the issue is described as a **DCE/RPC heap overflow** that can lead to RCE via specially crafted network packets, and Broadcom updated its advisory to acknowledge observed exploitation. A third item (Rapid7’s Metasploit wrap-up) is not about either of these active-exploitation advisories; it covers new Metasploit modules for unrelated vulnerabilities (e.g., Oracle E-Business Suite **CVE-2025-61882** and Splunk issues), which may increase general exploitation capability but does not substantively corroborate the Cisco or VMware events.
1 month ago