
China-linked UNC6201 exploits 10.0 bug in Dell RecoverPoint for VMs since mid-2024


Dell released patches on Feb. 17 for a maximum-severity CVSS 10.0 bug in Dell RecoverPoint for Virtual Machines that the Google Threat Intelligence Group (GTIG) said China-linked UNC6201 has exploited since mid-2024.

GTIG said the bug, tracked as CVE-2026-22769, was used to deploy a newer version of the Brickstorm backdoor malware, which GTIG now calls Grimbolt, and which uses “ghost NICs” on virtual machines to evade defenders.

Security experts are concerned because when an attacker compromises the systems responsible for restoration, they can weaken an organization’s ability to recover from disruption, including a ransomware attack.

Charles Carmakal, board advisor and CTO at GTIG, said from a technical perspective, UNC6201 exploited a hardcoded administrator password in Apache Tomcat that was used by the Dell backup gear.

For its part, Dell issued the CVE yesterday and released patches, which Carmakal said security teams should apply immediately.

“Nation-state threat actors continue targeting systems that don’t commonly support EDR solutions, which make it very hard for victim organizations to know they are compromised and significantly prolong intrusion dwell times,” said Carmakal in a LinkedIn post. “The threat actor created virtual NICs on virtual machines to perform malicious activities, and then deleted those NICs. This made it very difficult for investigators as we saw suspicious/malicious network activity from IP addresses that no longer existed and were not well documented.”
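The detection problem Carmakal describes is that flow records point at source addresses that no longer belong to any VM. One defensive answer is to correlate network flows with the hypervisor's own NIC add/remove audit trail, so an orphaned source IP can be attributed back to the VM that briefly held it, and NICs with a suspiciously short lifetime surface on their own. The following is an added example written for this article, not code from GTIG, Dell or the article's author; the event and flow formats, the field names, and all sample lines are constructed for the example and are not a real product's log format.

```python
"""
Added example (not from the article, GTIG or Dell): correlate flow records with
hypervisor NIC add/remove events so that traffic from an IP address absent from
the current VM inventory is attributed to the VM whose since-deleted NIC held it.
All log formats and sample data are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class NicEvent:
    ts: datetime
    vm: str
    action: str   # "nic_added" or "nic_removed" (constructed vocabulary)
    ip: str


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src_ip: str
    dst_ip: str
    dst_port: int


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def parse_nic_events(lines):
    """Parse constructed audit lines of the form '<date> <time> <vm> <action> <ip>'."""
    events = []
    for line in lines:
        date, time, vm, action, ip = line.split()
        events.append(NicEvent(_t(f"{date} {time}"), vm, action, ip))
    return events


def parse_flows(lines):
    """Parse constructed flow lines of the form '<date> <time> <src_ip> -> <dst_ip>:<port>'."""
    flows = []
    for line in lines:
        date, time, src, _arrow, dst = line.split()
        dst_ip, port = dst.rsplit(":", 1)
        flows.append(Flow(_t(f"{date} {time}"), src, dst_ip, int(port)))
    return flows


def nic_lifetimes(events):
    """Pair each nic_added with the next nic_removed for the same VM and IP.
    Returns (vm, ip, added_ts, removed_ts_or_None) tuples; None means still present."""
    open_nics, lifetimes = {}, []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.vm, ev.ip)
        if ev.action == "nic_added":
            open_nics[key] = ev.ts
        elif ev.action == "nic_removed" and key in open_nics:
            lifetimes.append((ev.vm, ev.ip, open_nics.pop(key), ev.ts))
    for (vm, ip), added in open_nics.items():
        lifetimes.append((vm, ip, added, None))
    return lifetimes


def short_lived_nics(events, max_lifetime=timedelta(hours=1)):
    """NICs that were added and removed again within max_lifetime: a hunting signal."""
    return [lt for lt in nic_lifetimes(events)
            if lt[3] is not None and lt[3] - lt[2] <= max_lifetime]


def attribute_orphan_flows(flows, current_inventory, events):
    """For each flow whose source IP is not in the current inventory, look up which
    VM's NIC held that IP at flow time. Verdict is 'ghost_nic' when an owner is found
    in the event history and 'unknown_source' when no record explains the address."""
    findings, lifetimes = [], nic_lifetimes(events)
    for fl in flows:
        if fl.src_ip in current_inventory:
            continue   # address is still assigned; nothing unusual here
        owner = None
        for vm, ip, added, removed in lifetimes:
            if ip == fl.src_ip and added <= fl.ts and (removed is None or fl.ts <= removed):
                owner = vm
                break
        findings.append({"flow": fl, "vm": owner,
                         "verdict": "ghost_nic" if owner else "unknown_source"})
    return findings


# Constructed sample data: one NIC that lives 40 minutes, one normal NIC, and
# flows from an ex-NIC address, a current address, and a never-seen address.
NIC_EVENT_LINES = [
    "2024-08-01 02:00:00 vm-recovery01 nic_added 10.10.5.77",
    "2024-08-01 02:40:00 vm-recovery01 nic_removed 10.10.5.77",
    "2024-08-01 09:00:00 vm-web02 nic_added 10.10.5.20",
]
FLOW_LINES = [
    "2024-08-01 02:15:12 10.10.5.77 -> 10.10.9.4:445",
    "2024-08-01 09:30:00 10.10.5.20 -> 10.10.9.4:443",
    "2024-08-01 11:00:00 10.10.5.99 -> 10.10.9.4:22",
]
CURRENT_INVENTORY = {"10.10.5.20", "10.10.5.21"}   # what the VM inventory shows today

if __name__ == "__main__":
    evs, fls = parse_nic_events(NIC_EVENT_LINES), parse_flows(FLOW_LINES)
    for vm, ip, added, removed in short_lived_nics(evs):
        print(f"short-lived NIC on {vm}: {ip} lived {removed - added}")
    for f in attribute_orphan_flows(fls, CURRENT_INVENTORY, evs):
        print(f"{f['verdict']}: {f['flow'].src_ip} -> {f['flow'].dst_ip}:{f['flow'].dst_port} (vm={f['vm']})")
```

The two checks answer different questions: `short_lived_nics` hunts proactively in the hypervisor audit trail for interfaces that came and went quickly, while `attribute_orphan_flows` is the retrospective step an investigator needs when network telemetry already shows traffic from an address the inventory cannot explain. Both depend on the hypervisor's configuration-change events being shipped off the appliance and retained; if those events are only kept locally, the attribution step has nothing to join against.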

Shane Barney, CISO at Keeper Security, explained that Dell RecoverPoint for Virtual Machines replicates virtual machines and enables disaster recovery, which lets businesses quickly restore systems if they are disrupted by failure or attack. Because it integrates directly with hypervisors, storage infrastructure and backup systems, Barney said it typically operates with elevated privileges.

“That makes it a high-value target,” said Barney. “Targeting backup and disaster recovery platforms reflects a deliberate and knowledgeable approach. In the context of espionage, access to this layer can also provide deep visibility into infrastructure architecture and replicated data sets.”

Barney added that the vulnerability in question is of particular concern because it involves a hardcoded credential. An unauthenticated remote attacker who leverages the hardcoded credential can gain root-level access and establish persistent control, making it ideal for long-term access. Barney said organizations should immediately update to the patched version issued by Dell and ensure RecoverPoint is deployed only within trusted, segmented internal networks.

John Carberry, solution sleuth at Xcape, Inc., said that Dell RecoverPoint operates as a "time machine" for VMware environments, delivering continuous data protection and disaster recovery orchestration. Carberry said that by exploiting the critical 10.0 zero-day CVE-2026-22769, attackers don't just steal data; they gain the ability to corrupt or disable an organization's entire recovery lifeline.

“The group's use of hardcoded credentials to deploy stealthy backdoors like Grimbolt and Brickstorm and even create 'Ghost NICs' for undetected deeper pivots into virtual infrastructure amplifies the danger,” said Carberry. “This ‘low-and-slow’ approach ensures that even if a primary breach is detected, what an organization believes is a ‘known good’ backup may already be compromised. Security teams must treat backup infrastructure as Tier 0 assets and apply patches immediately.”

Andi Ursry, threat intelligence analyst at Blackpoint Cyber, added that backup and recovery tools are attractive targets because they store important data from multiple systems in one place: a gold mine for data theft and disruption operations.

“Attackers who gain access to these systems can delete company backups, encrypt them, or steal data,” said Ursry. “Attackers can remain undetected for longer periods, collect information as it becomes available, and deliver catastrophic attacks that prevent the organization from being able to recover in a timely manner. If anything, this attack highlights how attractive this software is for threat actors and how critical it is for organizations to protect it.”

Craig Birch, technology evangelist and principal security engineer at Cayosoft, added that Dell RecoverPoint continuously replicates VMware workloads and enables rapid rollback after outages or attacks.

“The CVE-2026-22769 vulnerability exploited in this case involved hardcoded credentials within the product, highlighting how embedded secrets in infrastructure software can create significant risk when they exist in systems designed to protect an organization’s most critical recovery capabilities,” said Birch.

Birch said teams should treat this as a Tier 0 incident by immediately applying Dell’s remediation, tightly restricting access to recovery appliances, and validating backup integrity, since compromise at this layer can directly impact the ability to recover from ransomware or destructive events.
