
Chinese Hackers Exploited Dell RecoverPoint Zero-Day for 18 Months

A maximum-severity hardcoded credential vulnerability in Dell RecoverPoint for Virtual Machines was silently exploited by a suspected Chinese threat actor since mid-2024, with attackers deploying novel backdoors and ghost network interfaces to evade detection inside VMware environments.

TechDrop Editorial

Dell has disclosed a critical zero-day vulnerability in RecoverPoint for Virtual Machines, tracked as CVE-2026-22769 with a CVSS score of 10.0, that a suspected China-linked threat cluster designated UNC6201 exploited for approximately 18 months before public disclosure. Mandiant, which investigated the campaign, reported that the attacks began in mid-2024 and targeted organizations in the legal and technology sectors.

Hardcoded Credentials Enabled Root Access

The vulnerability stems from hardcoded default credentials for the admin user stored in the file /home/kos/tomcat9/tomcat-users.xml on affected RecoverPoint appliances running versions prior to 6.0.3.1 HF1. An unauthenticated remote attacker with knowledge of the hardcoded credential could authenticate to the Dell RecoverPoint Tomcat Manager, upload a malicious WAR file via the /manager/text/deploy endpoint, and execute arbitrary commands as root on the appliance.

Because RecoverPoint is used for VMware virtual machine backup and recovery, compromising the appliance gave attackers a privileged foothold in the virtualization layer of victim networks.

Novel Backdoors and Ghost NICs

Once inside, UNC6201 deployed two malware families: BRICKSTORM, a backdoor first documented in April 2024, and a newly identified implant named GRIMBOLT. Both backdoors were designed for long-term persistence on VMware ESXi infrastructure.

Mandiant noted a previously unseen lateral movement technique: the attackers created hidden virtual network interfaces — termed Ghost NICs — on ESXi hosts. These temporary virtual network ports allowed the threat actor to pivot from compromised virtual machines into internal or SaaS environments while remaining invisible to standard network monitoring tools.

Remediation

Dell has released a patch in RecoverPoint for VMs 6.0.3.1 HF1. Organizations running any earlier version should apply the hotfix immediately. Defenders should also audit Tomcat configuration files on RecoverPoint appliances for signs of tampering, review ESXi host network adapter inventories for unrecognized virtual NICs, and search for indicators of compromise associated with BRICKSTORM and GRIMBOLT.
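As an added example of the two audit steps above (checking who holds Tomcat Manager roles on the appliance and looking for WAR deployments through /manager/text/deploy), the following Python is not Dell or Mandiant tooling; the tomcat-users.xml content and access-log lines are constructed stand-ins, and the password values are placeholders.

```python
"""Defender-side triage for a RecoverPoint appliance: list Tomcat users holding
Manager roles and flag deploy requests to /manager/text/deploy in access logs.
Added example; the XML and log samples below are constructed, not real data."""
import re
import xml.etree.ElementTree as ET

MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status"}

# Constructed stand-in for /home/kos/tomcat9/tomcat-users.xml (placeholder passwords).
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-script"/>
  <user username="admin" password="PLACEHOLDER" roles="manager-script,manager-gui"/>
  <user username="monitor" password="PLACEHOLDER" roles="manager-status"/>
  <user username="viewer" password="PLACEHOLDER" roles="ui-readonly"/>
</tomcat-users>"""

# Constructed Tomcat access-log lines in common log format.
SAMPLE_ACCESS_LOG = """10.0.0.5 - admin [12/Aug/2024:03:14:07 +0000] "PUT /manager/text/deploy?path=/x&update=true HTTP/1.1" 200 81
10.0.0.7 - - [12/Aug/2024:03:15:01 +0000] "GET /RecoverPoint/ui HTTP/1.1" 200 5120
10.0.0.5 - admin [12/Aug/2024:03:16:22 +0000] "GET /manager/text/list HTTP/1.1" 200 212
"""

def manager_users(xml_text):
    """Return {username: sorted roles} for every user holding a Manager role.
    Tag names are compared by local name so the Tomcat XML namespace is ignored."""
    hits = {}
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] != "user":
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        if roles & MANAGER_ROLES:
            hits[el.get("username")] = sorted(roles)
    return hits

# client, ident, user, [timestamp], "method path protocol", status
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def deploy_events(log_text):
    """Return (client_ip, user, timestamp, method, status) for each request
    whose path (query string stripped) is exactly /manager/text/deploy."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(5).split("?", 1)[0] == "/manager/text/deploy":
            events.append((m.group(1), m.group(2), m.group(3), m.group(4), int(m.group(6))))
    return events

if __name__ == "__main__":
    print("Manager-role users:", manager_users(SAMPLE_TOMCAT_USERS))
    print("Deploy requests:", deploy_events(SAMPLE_ACCESS_LOG))
```

Any account with a manager-* role beyond what the appliance legitimately needs, and any deploy request from an unexpected client or time window, warrants follow-up; a successful (HTTP 200) deploy is the point at which a WAR lands on the appliance.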

CISA has added CVE-2026-22769 to its Known Exploited Vulnerabilities catalog alongside the Dell disclosure.