Dell RecoverPoint for VMs Zero-Day CVE-2026-22769 Exploited Since Mid-2024: A Technical Analysis
Key Takeaways:
- CVE-2026-22769 involves a hard-coded “admin” credential within the Apache Tomcat Manager of Dell RecoverPoint.
- Threat actor UNC6201 has maintained root-level persistence since at least mid-2024 using the SLAYSTYLE web shell.
- Advanced evasion techniques include the use of “Ghost NICs” to mask lateral movement and custom iptables rules to hide C2 traffic.
- Organizations must upgrade to version 6.0.3.1 HF1 immediately to remediate the vulnerability.
Table of Contents
- Technical Analysis of Dell RecoverPoint for VMs CVE-2026-22769
- Lateral Movement and Anti-Forensic Techniques
- Impacted Versions and Remediation
- Rapid Weaponization of SmarterMail Vulnerabilities
- Supply Chain Risks and Managed Software Updates
- Data Breaches and PII Exposure
- Automated Intelligence and DLP Failures
- Infrastructure Targeting in the Energy Sector
- Technical Takeaways for Security Teams
- Professional Cybersecurity Support
- Frequently Asked Questions (FAQ)
A critical security vulnerability, identified as CVE-2026-22769, has been utilized by a suspected China-nexus threat actor, designated as UNC6201, to gain unauthorized access to Dell RecoverPoint for Virtual Machines (VMs) environments. This exploitation has been active since at least mid-2024, representing a significant period of undetected presence within target networks. The vulnerability is characterized by the use of hard-coded credentials, allowing unauthenticated remote attackers to gain root-level persistence on the underlying operating system.
The impact of this zero-day is substantial, given the critical role of these appliances in data recovery and business continuity. With a CVSS score of 10.0, the vulnerability provides a direct pathway for lateral movement and long-term espionage.
Technical Analysis of Dell RecoverPoint for VMs Zero-Day CVE-2026-22769 Exploited Since Mid-2024

The core of CVE-2026-22769 lies in an “admin” user account with a hard-coded credential within the Apache Tomcat Manager instance. This account allows attackers to authenticate to the Dell RecoverPoint Tomcat Manager and utilize the /manager/text/deploy endpoint. Once authenticated, threat actors have been observed uploading a web shell known as SLAYSTYLE.
This web shell facilitates command execution with root privileges. Research from Google Mandiant and the Google Threat Intelligence Group (GTIG) indicates that once root access is achieved, the threat actor deploys the BRICKSTORM backdoor. In more recent stages of the campaign, specifically identified around September 2025, the actor transitioned to a more advanced backdoor called GRIMBOLT.
GRIMBOLT is a C# backdoor utilizing native ahead-of-time (AOT) compilation. This specific compilation method increases the difficulty of reverse engineering and allows the malware to blend in with native system files. This transition suggests a shift toward more complex anti-forensic techniques to maintain persistence in remediated environments.
Lateral Movement and Anti-Forensic Techniques
A distinguishing feature of the UNC6201 campaign is the use of “Ghost NICs.” These are temporary virtual network interfaces created on compromised virtual machines. Attackers use these interfaces to pivot from the initial point of entry into internal networks or SaaS environments. Once the objective is met, the NICs are deleted, effectively removing the network-level traces that traditional forensics would rely on to map lateral movement.
Furthermore, attackers modified system configurations to hide their traffic. Analysis of compromised VMware vCenter appliances revealed the execution of specific iptables commands via web shells. These commands performed the following functions:
- Monitored incoming traffic on port 443 for a specific HEX string.
- If the string was detected, the source IP address was added to an allow-list.
- Subsequent traffic from that IP to port 10443 was accepted.
- Traffic intended for port 443 was silently redirected to port 10443 for a 300-second window.
This mechanism ensures that the attacker’s communication remains hidden from standard traffic monitoring while allowing them a dedicated, time-limited channel for command and control (C2). Organizations lacking a cyber threat intelligence platform capable of identifying these specific behavioral signatures may fail to detect such persistence.
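Hunting for this rule chain on a suspect appliance comes down to reading the `iptables-save` output for the three traits described above. The following is an added detection example, not code from the original article or from the researchers it cites; the dump it scans is constructed, and the hex string and list name in it are placeholders rather than observed indicators.

```python
import re

# Constructed iptables-save excerpt; the hex string and the recent-list name
# are placeholders, not observed indicators.
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -m recent --rcheck --seconds 300 --name PLACEHOLDER -j REDIRECT --to-ports 10443
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 443 -m string --hex-string "|00112233|" --algo bm -m recent --set --name PLACEHOLDER -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# Each indicator is one trait of the mechanism described above; on a backup
# or vCenter appliance none of them has a legitimate reason to exist.
INDICATORS = {
    "string_match_on_443": re.compile(r"--dport 443\b.*-m string\b"),
    "timed_recent_list":   re.compile(r"-m recent\b.*--seconds \d+"),
    "redirect_to_10443":   re.compile(r"-j (?:REDIRECT|DNAT)\b.*\b10443\b"),
}

def audit_iptables(dump: str):
    """Return (line_no, indicator, rule) for every rule line (-A ...) in an
    iptables-save dump that matches one of the indicators."""
    hits = []
    for n, line in enumerate(dump.splitlines(), 1):
        if not line.startswith("-A "):
            continue
        for name, pat in INDICATORS.items():
            if pat.search(line):
                hits.append((n, name, line))
    return hits

def has_triggered_redirect(dump: str) -> bool:
    """True when the trigger rule (string match on 443) and the timed redirect
    to 10443 are both present, i.e. the full chain rather than a lone rule."""
    names = {name for _, name, _ in audit_iptables(dump)}
    return {"string_match_on_443", "redirect_to_10443"} <= names
```

Run it over `iptables-save` output collected from the appliance; a single matching rule is worth a look, while the full chain returned by `has_triggered_redirect` should be treated as a confirmed persistence artifact.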
Impacted Versions and Remediation
The vulnerability affects several versions of Dell RecoverPoint for VMs. Dell released a bulletin detailing the following remediation steps:
- Version 5.3 SP4 P1: Migrate to version 6.0 SP3, then upgrade to 6.0.3.1 HF1.
- Versions 6.0 through 6.0 SP3 P1: Upgrade directly to 6.0.3.1 HF1.
- Versions 5.3 SP4 and earlier: Upgrade to version 5.3 SP4 P1 or any 6.x version, then apply the specific remediation patch.
Dell specifies that RecoverPoint for VMs should be restricted to trusted, access-controlled internal networks. The appliance is not designed for exposure to public networks.
Rapid Weaponization of SmarterMail Vulnerabilities
While the Dell zero-day demonstrates long-term espionage, recent activity involving SmarterMail illustrates how quickly the threat landscape shifts from disclosure to exploitation. Researchers have observed the rapid weaponization of CVE-2026-24423 (RCE) and CVE-2026-23760 (Authentication Bypass).
Data from Telegram threat monitoring reveals that proof-of-concept (PoC) exploits and offensive security tools were shared within days of the initial disclosure in January 2026. This rapid dissemination allowed attackers to move from scanning to mass exploitation in a very short window. Shodan data currently identifies approximately 1,185 servers globally that remain vulnerable to these specific flaws.
The exploitation of SmarterMail often serves as a precursor to ransomware deployment. Groups such as Warlock have been linked to these campaigns. For teams using a live ransomware API, these vulnerabilities are high-priority indicators of imminent encryption events. Threat actors view email servers as identity infrastructure, providing access to domain authentication tokens and internal communication channels.
Supply Chain Risks and Managed Software Updates
Supply chain security remains a primary vector for China-nexus groups. The Lotus Panda cluster was recently linked to the hijacking of the Notepad++ update mechanism. By breaching the hosting provider, attackers redirected update requests to malicious servers, delivering the Chrysalis backdoor. This incident, tracked as CVE-2025-15556, emphasizes the need for supply-chain risk monitoring.
In response, Notepad++ released version 8.9.2, which implements a “double lock” verification system. This design requires signed installer verification and signed XML verification from the update server. These technical controls prevent the unauthorized delivery of poisoned updates even if the distribution infrastructure is compromised.
The use of underground forum intelligence is critical in these scenarios. Monitoring for discussions regarding hosting provider breaches can provide the early warning necessary for breach detection.
Data Breaches and PII Exposure
In addition to infrastructure targeting, large-scale data breaches continue to impact administrative service providers. Conduent Business Services reported a compromise that occurred between October 2024 and January 2025. This breach exposed sensitive personal and medical information, including Social Security numbers and health insurance data.
For organizations managing large datasets, brand leak alerting and a dark web monitoring service are essential for identifying when stolen PII (Personally Identifiable Information) or PHI (Protected Health Information) begins circulating in criminal marketplaces.
Automated Intelligence and DLP Failures
Modern productivity tools introduce new risks when they bypass established security policies. A bug in Microsoft 365 Copilot (CW1226324) allowed the AI assistant to summarize confidential emails, bypassing data loss prevention (DLP) policies. This issue affected the “work tab” chat feature, which processed messages in Sent Items and Drafts despite confidentiality labels.
Security teams must treat AI agents as privileged users and monitor their data access patterns. When automated tools are granted broad access, they can inadvertently expose sensitive information if the underlying code does not strictly adhere to DLP frameworks.
Infrastructure Targeting in the Energy Sector
The hacking cluster Volt Typhoon (also known as Voltzite) has expanded its operations to target Sierra Wireless Airlink gateways. These devices are frequently used in the electric and oil and gas sectors. In July 2025, the group was observed pivoting from compromised gateways to engineering workstations to exfiltrate configuration data.
Effective defense in these environments requires real-time ransomware intelligence and specialized monitoring for unauthorized pathways created by cellular gateways. By manipulating engineering workstations, attackers remove the barriers between network access and physical system control.
Technical Takeaways for Security Teams
For Technical Personnel
- Immediate Patching: Prioritize the update of Dell RecoverPoint for VMs to version 6.0.3.1 HF1. For SmarterMail, ensure all instances are on Build 9511 or later.
- Network Segmentation: Isolate backup appliances and email infrastructure. Use strict firewall rules to prevent these systems from initiating outbound connections to untrusted IPs.
- Forensic Auditing: Search for “Ghost NIC” artifacts and unauthorized iptables modifications. Monitor for unusual traffic on port 10443.
- Binary Analysis: Use YARA rules to scan for BRICKSTORM, GRIMBOLT, and Chrysalis signatures.
- Log Monitoring: Review Apache Tomcat Manager logs for unauthorized access to the /manager/text/deploy endpoint.
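The log review in the last item can be scripted. The following is an added example, not code from the article or from Dell, that parses Tomcat access-log lines in the default AccessLogValve format, pulls out every deployment through the Manager text interface, and attaches the later requests that hit the deployed context so an analyst can see whether an uploaded application was actually used. The log lines are constructed; hosts, user names and context paths are placeholders.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qs

# Default AccessLogValve pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed sample; hosts, user names and context paths are placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jul/2024:03:12:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - admin [01/Jul/2024:03:12:08 +0000] "PUT /manager/text/deploy?path=/x&update=true HTTP/1.1" 200 38
10.0.0.5 - - [01/Jul/2024:03:12:09 +0000] "GET /x/ HTTP/1.1" 200 120
192.168.1.20 - ops [02/Jul/2024:09:00:00 +0000] "GET /manager/text/list HTTP/1.1" 200 96
192.168.1.20 - ops [02/Jul/2024:09:00:05 +0000] "PUT /manager/text/deploy?path=/app HTTP/1.1" 200 40
"""

@dataclass
class Deploy:
    src: str
    user: str
    ts: str
    context: str           # context path taken from the deploy URL's path= param
    status: int
    followups: list = field(default_factory=list)  # later requests hitting that context

def find_manager_deploys(lines, trusted_sources=frozenset()):
    """Return one Deploy per /manager/text/deploy request from a source not in
    trusted_sources. Requests that later touch a successfully deployed context
    are recorded on that Deploy so the chain is visible in one place."""
    deploys = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["path"])
        if url.path == "/manager/text/deploy":
            if m["host"] in trusted_sources:
                continue
            ctx = parse_qs(url.query).get("path", ["?"])[0]
            deploys.append(Deploy(m["host"], m["user"], m["ts"], ctx, int(m["status"])))
            continue
        for d in deploys:
            if d.status == 200 and (url.path == d.context or url.path.startswith(d.context + "/")):
                d.followups.append(f'{m["ts"]} {m["host"]} {m["method"]} {m["path"]}')
    return deploys
```

A deploy with status 200 that was not initiated from a known administration host is the record to chase first, since it means the Manager accepted a WAR file.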
For Business Leaders and Managers
- Asset Inventory: Conduct a comprehensive audit of all edge devices, including cellular gateways and recovery appliances.
- Policy Review: Re-evaluate DLP policies in the context of AI assistants like Copilot.
- Intelligence Integration: Incorporate external intelligence sources, such as Telegram threat monitoring and underground forum intelligence, into the standard risk assessment process.
- Vendor Risk Management: Assess the security posture of hosting providers and third-party software maintainers.
Professional Cybersecurity Support
The complexity of these multi-stage attacks requires specialized expertise in threat hunting and incident response. PurpleOps provides the technical depth necessary to navigate these challenges.
By leveraging our Cyber Threat Intelligence services, organizations gain access to specialized data that identifies exploitation trends before they result in a breach. We also offer Dark Web Monitoring to track the exposure of sensitive data following large-scale breaches.
For organizations concerned about the security of their recovery infrastructure, our Protect Against Ransomware and Penetration Testing services provide a thorough evaluation of existing defenses. We also offer Supply Chain Information Security assessments.
To learn more about how our Platform can secure your environment, or to inquire about our Red Team Operations and general Services, contact PurpleOps today.
Frequently Asked Questions (FAQ)
1. What is the root cause of CVE-2026-22769 in Dell RecoverPoint?
The vulnerability is caused by a hard-coded credential for the “admin” user account within the Apache Tomcat Manager instance, allowing unauthenticated remote access to deploy malicious web shells.
2. How does the GRIMBOLT backdoor differ from its predecessors?
Unlike SLAYSTYLE or BRICKSTORM, GRIMBOLT is a C# backdoor compiled using native Ahead-of-Time (AOT) compilation, which makes it harder to reverse engineer and allows it to blend in with legitimate system files.
3. What are “Ghost NICs” and why are they used?
Ghost NICs are temporary virtual network interfaces created on a compromised VM. Attackers use them for lateral movement and delete them afterward to eliminate network-level forensic traces.
4. What version of Dell RecoverPoint for VMs is safe from this exploit?
Organizations should upgrade to version 6.0.3.1 HF1 or follow the specific migration paths for older versions (5.3 SP4 P1 or 6.x) as detailed in the Dell security bulletin.
5. How are threat actors bypassing traffic monitoring in these campaigns?
Attackers use custom iptables rules to monitor for specific HEX strings in port 443 traffic. When detected, they redirect the traffic to port 10443 for a time-limited command and control window.