Hardcoded Credential in Dell RecoverPoint for Virtual Machines Tomcat Manager
CVE-2026-22769 is a critical hardcoded credential vulnerability in Dell RecoverPoint for Virtual Machines affecting versions prior to 6.0.3.1 HF1. The issue stems from hard-coded administrative credentials for the Apache Tomcat Manager component stored in the appliance configuration (reported in tomcat-users.xml on the RecoverPoint appliance filesystem). A remote attacker with no account of their own, but who knows the embedded credential, can authenticate to the Tomcat Manager interface and abuse the /manager/text/deploy endpoint to upload a malicious WAR archive. Observed exploitation used this mechanism to deploy the SLAYSTYLE web shell, after which attackers were able to execute commands as root on the appliance and establish persistence. Public reporting also ties exploitation to deployment of the BRICKSTORM and GRIMBOLT malware families and to modification of startup-related scripts for persistence.
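The two places a defender can look for this issue are the Tomcat user store and the Tomcat access log: any account holding a manager role in tomcat-users.xml is a deployment-capable credential that must be rotated or removed, and a successful PUT to /manager/text/deploy is the exact action the web shell deployment relies on. The following is an added detection example, not code from Dell, Mallory, or the cited reporting. It assumes the standard Tomcat tomcat-users.xml schema and the default Tomcat access log format (common log format with the request line); the XML document, the log lines, the usernames, the IP addresses and the password placeholders are all constructed for the example and are not the real embedded values.

```python
"""Hunt for Tomcat Manager credential abuse: deploy-capable accounts and WAR deploys.

Assumptions (not taken from the advisory): standard tomcat-users.xml layout and
the default Tomcat access log pattern. All sample data below is constructed.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Roles that grant access to the Manager application; manager-script and
# manager-gui are the ones that allow deploying a WAR.
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status"}
DEPLOY_ROLES = {"manager-gui", "manager-script"}
DEPLOY_PATHS = ("/manager/text/deploy", "/manager/html/upload")

# Constructed tomcat-users.xml; the passwords are placeholders, not real values.
SAMPLE_TOMCAT_USERS = """<?xml version='1.0' encoding='utf-8'?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-script"/>
  <role rolename="manager-gui"/>
  <role rolename="manager-status"/>
  <user username="rpadmin" password="PLACEHOLDER-NOT-A-REAL-VALUE" roles="manager-script,manager-gui"/>
  <user username="monitor" password="PLACEHOLDER-2" roles="manager-status"/>
</tomcat-users>
"""

# Constructed access log lines: one successful WAR deploy, one failed Manager
# login, one hit on the freshly deployed context, one Manager listing.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - rpadmin [10/Feb/2026:03:14:02 +0000] "GET /manager/text/list HTTP/1.1" 200 120',
    '203.0.113.7 - rpadmin [10/Feb/2026:03:14:07 +0000] "PUT /manager/text/deploy?path=/x&update=true HTTP/1.1" 200 57',
    '198.51.100.5 - - [10/Feb/2026:03:15:00 +0000] "GET /manager/html HTTP/1.1" 401 -',
    '10.0.0.12 - rpadmin [10/Feb/2026:03:16:21 +0000] "GET /x/index.jsp HTTP/1.1" 200 1024',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def _local(tag):
    """Strip the XML namespace from an ElementTree tag name."""
    return tag.rsplit("}", 1)[-1]


def find_manager_accounts(xml_text):
    """Return every <user> that holds a Manager role, noting whether it can deploy."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        held = roles & MANAGER_ROLES
        if held:
            findings.append({
                "username": el.get("username"),
                "roles": sorted(held),
                "can_deploy": bool(held & DEPLOY_ROLES),
            })
    return findings


def detect_manager_activity(lines):
    """Classify access log lines touching the Manager application."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not parts.path.startswith("/manager"):
            continue
        status = int(m["status"])
        event = {"src_ip": m["ip"], "user": m["user"], "ts": m["ts"],
                 "method": m["method"], "path": parts.path, "status": status}
        if parts.path.startswith(DEPLOY_PATHS) and 200 <= status < 300:
            # A successful deploy: record the context path the WAR was mounted at.
            event["kind"] = "war_deploy"
            event["context"] = parse_qs(parts.query).get("path", [None])[0]
        elif status in (401, 403):
            event["kind"] = "manager_auth_failure"
        else:
            event["kind"] = "manager_access"
        events.append(event)
    return events


if __name__ == "__main__":
    for acct in find_manager_accounts(SAMPLE_TOMCAT_USERS):
        print("manager account:", acct)
    for ev in detect_manager_activity(SAMPLE_ACCESS_LOG):
        print(ev["kind"], ev["src_ip"], ev["path"], ev.get("context", ""))
```

A war_deploy event followed by requests to the new context path from the same source is the pattern to escalate; the account list tells you which credentials to rotate even if the log shows nothing, since the appliance's embedded account is deploy-capable by construction.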
Exploits
No public exploit code observed for this vulnerability.
Recent activity
160 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A vulnerability in Dell RecoverPoint for VMs appliances that was exploited by UNC6201 to compromise appliances and deploy multiple post-exploitation payloads.
A zero-day in Dell RecoverPoint for Virtual Machines that UNC6201 exploited to compromise VMware backup and recovery infrastructure and deploy backdoors, neutralizing the recovery capability.
A zero-day vulnerability in Dell RecoverPoint for Virtual Machines exploited by UNC6201 to compromise VMware backup and recovery infrastructure.
A zero-day vulnerability in Dell RecoverPoint for Virtual Machines used for initial exploitation enabling lateral movement, persistence, and follow-on malware deployment.