
Cybersecurity Advisory Dell RecoverPoint for Virtual Machines — CVE-2026-22769 Published: February 20, 2026 | Severity: Critical | TLP: CLEAR
Executive Summary
Dell RecoverPoint for Virtual Machines is affected by a critical hardcoded credential vulnerability, tracked as CVE-2026-22769, with a CVSSv3.1 base score of 10.0. The vulnerability enables an unauthenticated remote attacker with knowledge of the embedded credential to authenticate to the appliance and obtain root-level operating system access with persistent backdoor capability.
Dell has released patches and remediation guidance. Organizations should treat remediation as an emergency priority. CISA added CVE-2026-22769 to the Known Exploited Vulnerabilities (KEV) catalog on February 18, 2026, with a remediation due date of March 11, 2026 for Federal Civilian Executive Branch agencies. All organizations — regardless of federal mandate — are strongly encouraged to apply remediations immediately.
Threat intelligence reporting confirms active zero-day exploitation of this vulnerability by UNC6201, a suspected China-nexus threat cluster, with activity dating to at least mid-2024 — approximately 18 months prior to public disclosure and patch availability.
Overview
CVE-2026-22769 stems from hard-coded administrator credentials embedded within the Apache Tomcat Manager component of Dell RecoverPoint for Virtual Machines. These credentials are stored in plaintext within the appliance configuration file /home/kos/tomcat9/tomcat-users.xml. An unauthenticated remote attacker possessing this credential can authenticate to the Tomcat Manager interface, deploy a malicious WAR file, and execute arbitrary commands as root on the underlying Linux operating system.
The vulnerability is classified under CWE-798 (Use of Hard-Coded Credentials) and has been assigned a CVSSv3.1 vector of AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, reflecting network-accessible exploitation requiring no privileges or user interaction with a scope impact across the virtualization stack.
Google Mandiant analysis attributes exploitation of this vulnerability to UNC6201, a suspected China-nexus threat cluster with noted overlaps to UNC5221 — publicly associated with the actor tracked as Silk Typhoon — though Google Threat Intelligence Group does not currently assess these as the same cluster.
Affected Products and Versions
Per Dell Security Advisory DSA-2026-079, the following versions are confirmed affected:
- RecoverPoint for Virtual Machines 5.3 SP2, 5.3 SP3, 5.3 SP4, and 5.3 SP4 P1
- RecoverPoint for Virtual Machines 6.0, 6.0 SP1, 6.0 SP1 P1, 6.0 SP1 P2, 6.0 SP2, 6.0 SP2 P1, 6.0 SP3, and 6.0 SP3 P1
All versions prior to 6.0.3.1 HF1 require remediation or upgrade. RecoverPoint Classic (both physical and virtual appliances) is confirmed not affected.
Impact
Successful exploitation may allow an attacker to:
- Obtain unauthenticated root-level access to the underlying Linux operating system of the recovery appliance.
- Deploy advanced persistent malware, including GRIMBOLT — a C#-based backdoor compiled using native Ahead-of-Time (AOT) techniques specifically designed to complicate static analysis — and the previously documented BRICKSTORM backdoor.
- Establish persistence via modification of the legitimate shell script convert_hosts.sh, which is executed at boot time through rc.local.
- Conduct lateral movement into VMware ESXi virtual infrastructure through transient virtual network adapters (“Ghost NICs”) created on existing virtual machines.
- Establish covert command-and-control channels using iptables-based Single Packet Authorization, effectively hiding the C2 listener from passive network monitoring.
Given the appliance’s role in virtual machine recovery and replication, compromise of RecoverPoint for Virtual Machines may also affect the integrity and confidentiality of backup data and replication workflows across the broader virtualized environment.
Threat Actor Context
UNC6201 is assessed as a China-nexus threat cluster that has targeted edge appliances — including VPN concentrators and virtualization management infrastructure — for initial access, persistence, and lateral movement consistent with long-term espionage objectives. The actor deployed three distinct malware families in observed intrusions: BRICKSTORM (previously documented), SLAYSTYLE (a JSP web shell deployed via malicious WAR file), and GRIMBOLT (a novel C# backdoor first identified in September 2025 replacing older BRICKSTORM deployments).
The transition from BRICKSTORM to GRIMBOLT in September 2025 may represent a deliberate tradecraft evolution in response to public reporting and incident response activity, or a planned capability lifecycle rotation.
Detection Guidance
Security teams should prioritize the following investigative and detection actions:
Log and Artifact Review (Dell RecoverPoint Appliance)
- Review /home/kos/auditlog/fapi_cl_audit_log.log for any requests to /manager, particularly PUT /manager/text/deploy requests, which are indicative of malicious WAR file deployment.
- Inspect /var/lib/tomcat9 and /var/cache/tomcat9/Catalina for unauthorized WAR files or compiled artifacts.
- Review Tomcat application logs in /var/log/tomcat9/ for deployWAR events and associated exceptions.
- Inspect /home/kos/kbox/src/installation/distribution/convert_hosts.sh for unauthorized modifications referencing binary file paths.
- Review rc.local for unauthorized boot-time execution entries.
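The audit-log review above can be scripted. The following is an added example, not Dell's or Léargas' tooling: it scans log lines for Tomcat Manager requests and rates a PUT to /manager/text/deploy as the highest-priority finding. The sample lines are constructed, and the parser assumes only that an HTTP method and request path appear somewhere in each line, since the advisory does not document the fapi_cl_audit_log.log format.

```python
import re
from typing import Dict, List

# Constructed sample lines (not real appliance output); the real audit log
# format is not documented in the advisory, so only method and path are parsed.
SAMPLE_AUDIT_LOG = """\
2026-02-10T08:14:02Z 10.0.5.21 GET /manager/html 401
2026-02-10T08:14:09Z 10.0.5.21 GET /manager/html 200
2026-02-10T08:14:31Z 10.0.5.21 PUT /manager/text/deploy?path=/support 200
2026-02-10T08:15:00Z 10.0.5.21 GET /support/default.jsp 200
2026-02-10T09:02:11Z 10.0.7.3 GET /ui/login 200
"""

# HTTP method followed by an absolute request path, wherever it sits on the line.
REQUEST_RE = re.compile(r"\b(GET|POST|PUT|DELETE|HEAD)\s+(/\S*)")


def scan_audit_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per request that touches the Tomcat Manager.

    PUT /manager/text/deploy is rated 'high' because the advisory identifies it
    as the WAR deployment step; any other /manager request is rated 'medium',
    since the appliance has no legitimate administrative use for the Manager.
    """
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        method, path = m.group(1), m.group(2).split("?", 1)[0]  # drop query string
        if not path.startswith("/manager"):
            continue
        is_deploy = method == "PUT" and path == "/manager/text/deploy"
        findings.append({
            "severity": "high" if is_deploy else "medium",
            "method": method,
            "path": path,
            "line": line,
        })
    return findings


if __name__ == "__main__":
    for f in scan_audit_log(SAMPLE_AUDIT_LOG):
        print(f"[{f['severity']}] {f['method']} {f['path']}")
```

On a live appliance, pass the contents of /home/kos/auditlog/fapi_cl_audit_log.log to scan_audit_log and triage any 'high' finding together with the WAR directories listed above.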
Network and Behavioral Indicators
- Hunt for outbound WebSocket Secure (WSS) connections to 149.248.11[.]71, particularly to the endpoint wss://149.248.11[.]71/rest/apisession.
- Monitor ESXi host configurations for unauthorized or transient virtual network interface additions.
- Detect iptables rule modifications consistent with Single Packet Authorization patterns, specifically rules monitoring port 443 for specific hex strings and redirecting authenticated traffic to port 10443.
- Monitor for anomalous Tomcat Manager authentication events or administrative access from unexpected source addresses.
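The iptables-based Single Packet Authorization pattern described above (a payload-string match on TCP 443 that redirects matching traffic to port 10443) can be checked from an iptables-save dump. This is an added example, not tooling from the advisory; the rule excerpt is constructed, and the hex payload is a placeholder because the advisory does not publish the actual knock strings.

```python
import re
from typing import List

# Constructed iptables-save excerpt for illustration. The hex-string value is a
# placeholder, not an indicator from the advisory.
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 443 -m string --algo bm --hex-string "|00 11 22 33 44 55|" -j REDIRECT --to-ports 10443
-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""

DPORT_443_RE = re.compile(r"--dport\s+443\b")
REDIRECT_10443_RE = re.compile(r"-j\s+REDIRECT\s+--to-ports\s+10443\b")


def find_spa_rules(dump: str) -> List[str]:
    """Return rule lines matching the advisory's SPA pattern.

    A hit needs all three elements on one rule: a destination-port match on
    443, a payload match via the 'string' match extension (--string or
    --hex-string), and a REDIRECT to port 10443.
    """
    hits = []
    for line in dump.splitlines():
        if not line.startswith("-A "):
            continue  # skip table headers, chain policies and COMMIT lines
        payload_match = "-m string" in line and ("--hex-string" in line or "--string" in line)
        if DPORT_443_RE.search(line) and payload_match and REDIRECT_10443_RE.search(line):
            hits.append(line)
    return hits


if __name__ == "__main__":
    for rule in find_spa_rules(SAMPLE_IPTABLES_SAVE):
        print("possible SPA rule:", rule)
```

Run it over the output of iptables-save on the appliance; a legitimate RecoverPoint deployment has no reason to redirect port 443 traffic based on payload contents.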
Published File Hash Indicators (SHA-256)
Mitigation and Patching Guidance
Dell provides the following remediation paths per DSA-2026-079:
For version 5.3 SP4 P1: Migrate to RecoverPoint for Virtual Machines 6.0 SP3 per Dell upgrade instructions, then upgrade to 6.0.3.1 HF1. Alternatively, apply the vendor-provided remediation script per Dell KB article 000426742.
Note: Versions 5.3 SP4, 5.3 SP3, and 5.3 SP2 should first upgrade to 5.3 SP4 P1 before following the above path.
For versions 6.0 through 6.0 SP3 P1: Upgrade directly to 6.0.3.1 HF1, or apply the vendor-provided remediation script per Dell KB article 000426742.
Where immediate patching is not operationally feasible, organizations should implement the following interim controls:
- Restrict network access to RecoverPoint appliances to trusted, access-controlled internal network segments only. Dell explicitly states that RecoverPoint for Virtual Machines is not intended for deployment on untrusted or public-facing networks.
- Block outbound connectivity to 149.248.11[.]71 at the perimeter.
- Monitor ESXi environments for unauthorized virtual network interface changes.
- Deploy network detection logic targeting Tomcat Manager authentication anomalies and Single Packet Authorization traffic patterns.
Léargas Response
Léargas Security has incorporated the published indicators of compromise and behavioral telemetry associated with this activity into active monitoring and detection workflows. Updated detection logic is in place to identify exploitation attempts consistent with the reported TTPs on an ongoing basis.
Timeline
| Date | Event |
|---|---|
| Mid-2024 | UNC6201 begins zero-day exploitation of CVE-2026-22769 per Google Mandiant analysis |
| September 2025 | GRIMBOLT replaces BRICKSTORM on compromised appliances |
| February 17, 2026 | Dell publishes Security Advisory DSA-2026-079; NVD publishes CVE-2026-22769 |
| February 17, 2026 | Google Mandiant publishes public threat intelligence reporting |
| February 18, 2026 | CISA adds CVE-2026-22769 to the Known Exploited Vulnerabilities (KEV) catalog; remediation due date March 11, 2026 |
References
Dell Security Advisory DSA-2026-079 https://www.dell.com/support/kbdoc/en-us/000426773
Dell Remediation Script KB Article https://www.dell.com/support/kbdoc/en-us/000426742
Google Cloud Threat Intelligence Blog — UNC6201 https://cloud.google.com/blog/topics/threat-intelligence/unc6201-exploiting-dell-recoverpoint-zero-day
CISA Known Exploited Vulnerabilities Catalog — CVE-2026-22769 https://www.cisa.gov/news-events/alerts/2026/02/18/cisa-adds-two-known-exploited-vulnerabilities-catalog
Cyber Security Agency of Singapore Advisory AL-2026-016 https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2026-016
NVD Entry — CVE-2026-22769 https://nvd.nist.gov/vuln/detail/CVE-2026-22769