UNC6201 Exploits Dell RecoverPoint for Virtual Machines Zero-Day
Google-owned Mandiant reported that threat actor UNC6201 exploited a previously unknown vulnerability in Dell RecoverPoint for Virtual Machines (RP4VM), giving attackers a path into enterprise recovery infrastructure. The activity was described as zero-day exploitation targeting software used for disaster recovery and replication, a high-value foothold because it can provide broad visibility into protected virtual environments and potentially enable follow-on access across connected systems.
Reporting on the incident said the flaw was actively abused before a fix was available, underscoring the risk to organizations running Dell RP4VM in production. The disclosures highlight how attackers are increasingly targeting backup, recovery, and virtualization management platforms because compromise of those systems can undermine resilience efforts, expand lateral movement opportunities, and complicate incident response during a broader intrusion.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Google/Mandiant publicly discloses UNC6201 exploitation activity
Google Cloud's Mandiant published research attributing the exploitation of the Dell RecoverPoint for Virtual Machines zero-day to UNC6201 and describing the threat activity. This public disclosure brought technical and attribution details to light.
UNC6201 exploits zero-day in Dell RecoverPoint for Virtual Machines
Threat actor UNC6201 was observed exploiting a zero-day vulnerability in Dell RecoverPoint for Virtual Machines. The activity marks the initial known in-the-wild exploitation of the flaw.
Sources
2 references tracked. Mallory keeps watching after this page renders.
UNC6201 Exploiting a Dell RecoverPoint for Virtual Machines Zero-Day | Google Cloud Blog
cloud.google.com
Open sourceHackers exploit zero-day flaw in Dell RecoverPoint for Virtual Machines | Cybersecurity Dive
cybersecuritydive.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
UNC6201 Exploits Dell RecoverPoint for Virtual Machines Zero-Day via Hardcoded Credential
**Mandiant/Google Threat Intelligence Group (GTIG)** reported active exploitation of a **Dell RecoverPoint for Virtual Machines (RP4VM)** zero-day, **CVE-2026-22769** (rated **CVSS 10.0**), attributed to suspected PRC-nexus activity tracked as **UNC6201**. The flaw is described as a **hardcoded credential** condition that can enable **unauthenticated remote access**, **OS-level control**, and **root-level persistence**, with follow-on activity aimed at persistence and lateral movement into **VMware** environments. Reporting also indicates the vulnerability was flagged for heightened defender attention via **CISA’s Known Exploited Vulnerabilities (KEV)** signaling referenced through NVD enrichment. The incident underscores elevated risk when adversaries compromise **backup and recovery infrastructure**, which can undermine restore integrity and expand blast radius into virtualization management planes. Public reporting tied to the same activity highlights associated tooling/malware families including **BRICKSTORM** and **GRIMBOLT** (and related mentions of **SLAYSTYLE**) in post-compromise operations, while noting that the **initial access vector was not definitively confirmed** beyond observed exploitation activity involving RP4VM. A separate malware-news roundup amplified the same UNC6201/RP4VM zero-day reporting, but did not add primary technical detail beyond pointing back to the underlying research.
Mar 21, 2026
UNC6201 Zero-Day Exploitation of Dell RecoverPoint for Virtual Machines (CVE-2026-22769)
Mandiant and Google Threat Intelligence Group reported **active zero-day exploitation** of a maximum-severity Dell RecoverPoint for Virtual Machines vulnerability, **CVE-2026-22769** (CVSS 10.0), attributed to **UNC6201**, a suspected PRC-nexus threat cluster. The flaw is described as a **hardcoded-credential issue** affecting versions prior to `6.0.3.1 HF1`, enabling unauthenticated attackers with knowledge of the credential to gain unauthorized access to the underlying OS and establish **root-level persistence**; exploitation has been observed since at least mid-2024. Dell has released remediations and urged customers to upgrade/apply fixes per its security advisory. Post-compromise activity observed in incident response engagements included lateral movement, persistence, and malware deployment, including **SLAYSTYLE**, **BRICKSTORM**, and a newly identified backdoor, **GRIMBOLT**. GRIMBOLT (C# with native ahead-of-time compilation) was observed replacing older BRICKSTORM binaries around September 2025 and is intended to complicate static analysis and improve performance on constrained appliances. The actor also demonstrated techniques to pivot into VMware environments, including creating **“Ghost NICs”** on VMware ESXi for stealthy network movement and using `iptables` for **Single Packet Authorization (SPA)**; initial access was not definitively confirmed, though the actor is known to target edge appliances (e.g., VPN concentrators) for entry.
Mar 20, 2026
Dell UnityVSA Unauthenticated Remote Command Injection Vulnerability (CVE-2025-36604)
A critical unauthenticated remote command injection vulnerability, tracked as CVE-2025-36604, was discovered in Dell UnityVSA, a software-defined storage solution that runs as a virtual machine on hypervisors such as VMware ESXi. Security researchers at watchTowr Labs identified and disclosed this vulnerability to Dell in March 2025, noting that it affected version 5.5.0.0.5.259 and likely earlier versions. The flaw allows attackers to execute arbitrary commands on the underlying operating system without authentication, posing a significant risk to organizations using UnityVSA for storage management. The vulnerability is particularly severe because UnityVSA often manages sensitive or business-critical data, making it a high-value target for threat actors seeking data exfiltration or ransomware deployment. Dell responded by releasing security advisories and patches addressing not only CVE-2025-36604 but also a total of 14 pre-auth command injection vulnerabilities in the UnityVSA product line. The exposure of such vulnerabilities in storage appliances highlights the ongoing risks associated with software-defined infrastructure and the need for timely patch management. The ProjectDiscovery community contributed a Nuclei detection template for CVE-2025-36604, enabling security teams to scan their environments for vulnerable UnityVSA instances. During the template's development, maintainers noted the importance of refining detection matchers to reduce false positives, as initial scans produced results on honeypot targets. The template was iteratively improved to ensure reliable identification of affected systems. The vulnerability's pre-authentication nature means that attackers do not require valid credentials, increasing the urgency for organizations to apply patches and restrict network access to management interfaces. Security advisories and technical write-ups provided detailed guidance on identifying vulnerable versions and implementing mitigations. The incident underscores the importance of proactive vulnerability research and coordinated disclosure between security researchers and vendors. Organizations leveraging Dell UnityVSA are strongly advised to review their deployments, apply the latest security updates, and monitor for signs of exploitation. The rapid community response, including the creation and validation of detection templates, demonstrates the value of open-source security tooling in addressing emerging threats. The case also serves as a reminder for storage and infrastructure teams to prioritize the security of virtual appliances, which are increasingly targeted by sophisticated attackers. Dell's multi-vulnerability disclosure and the subsequent industry response highlight the evolving landscape of storage security and the need for continuous vigilance.
Mar 21, 2026