Chinese threat actors have been exploiting a newly disclosed hardcoded credential vulnerability in Dell RecoverPoint for Virtual Machines since mid-2024, according to Google Mandiant researchers.

The flaw (CVE-2026-22769) was disclosed by Dell on Feb. 17 after Google Mandiant researcher Peter Ukhanov reported it. In a Tuesday advisory, Dell told customers to apply remediations to address the vulnerability immediately. 

Google Mandiant researchers linked the exploitation activity to a suspected PRC-nexus cluster tracked as UNC6201, and said the group used the flaw to move laterally, maintain persistent access, and deploy malware.

“The initial access vector for these incidents was not confirmed, but UNC6201 is known to target edge appliances (such as VPN concentrators) for initial access,” according to Google Mandiant researchers in the analysis. “There are notable overlaps between UNC6201 and UNC5221, which has been used synonymously with the actor publicly reported as Silk Typhoon, although GTIG does not currently consider the two clusters to be the same.”

The Flaw

CVE-2026-22769 has a CVSS score of 10 out of 10 and exists in RecoverPoint for Virtual Machines, a hypervisor-based replication product for VMware environments that provides operational recovery. Specifically, versions of the product prior to 6.0.3.1 HF1 contain a hardcoded credential.

“This is considered critical as an unauthenticated remote attacker with knowledge of the hardcoded credential could potentially exploit this vulnerability leading to unauthorized access to the underlying operating system and root-level persistence,” according to Dell. 

Dell provided different remediations for the impacted versions. Customers on version 5.3 SP4 P1 should first migrate to 6.0 SP3 and then upgrade to 6.0.3.1 HF1, or apply the remediation script Dell has published. Customers on versions 6.0, 6.0 SP1, 6.0 SP1 P1, 6.0 SP1 P2, 6.0 SP2, 6.0 SP2 P1, 6.0 SP3, and 6.0 SP3 P1 should upgrade directly to 6.0.3.1 HF1 or apply the remediation script.

Dell said other products like RecoverPoint Classic (both physical and virtual appliances) are not impacted by the flaw.

The Exploitation 

As part of the exploitation activity, Google Mandiant researchers observed threat actors deploying a new backdoor that they call Grimbolt, along with other known malware families (Slaystyle and Brickstorm). 

Brickstorm was previously seen by Mandiant researchers in a March 2025 campaign. They saw the malware being used by threat actors to provide persistent access to several U.S. organizations, including SaaS providers and tech companies. At the time, researchers noted that this campaign was significant because threat actors weren’t just launching typical espionage attacks; they appeared to be establishing “pivot points” for access to downstream victims. 

Then, researchers started seeing threat actors replace older Brickstorm binaries with Grimbolt in September 2025.

“GRIMBOLT represents a shift in tradecraft; this newly identified malware, written in C# and compiled using native ahead-of-time (AOT) compilation, is designed to complicate static analysis and enhance performance on resource-constrained appliances,” according to researchers in the Tuesday analysis.

In investigations, researchers said they saw the threat actor continuing to compromise VMware virtual infrastructure, activity that has been publicly disclosed before. However, they also observed several new TTPs.

“Beyond the Dell appliance exploitation, Mandiant observed the actor employing novel tactics to pivot into VMware virtual infrastructure, including the creation of ‘Ghost NICs’ for stealthy network pivoting and the use of iptables for Single Packet Authorization (SPA),” according to researchers.
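The Mandiant excerpt above says the actor used iptables for Single Packet Authorization but does not describe how the rules were built. A common way to get knock- or SPA-style gating out of plain iptables is the `recent` match module: one packet to a secret port records the source address in a named list, and a second rule only accepts connections to the real service from addresses on that list. The helper below is an added example, not code from Dell, Mandiant or the attacker, and it assumes that construction; the `iptables-save` dump it scans is constructed sample data. On a backup appliance that should never gate services behind a knock, any `recent`-based rule is worth a look.

```bash
#!/usr/bin/env bash
# Constructed sample of `iptables-save` output (not captured attacker data).
# TCP/1337 arms the "knock" list; only armed sources may then reach TCP/22
# for 30 seconds. Everything else on INPUT is dropped by policy.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1337 -m recent --set --name knock --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m recent --rcheck --seconds 30 --name knock --rsource -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT'

# Print every rule that uses the `recent` match module.
# Usage: find_recent_rules "$(iptables-save)"
find_recent_rules() {
    printf '%s\n' "$1" | grep -E -- '-m recent'
}

# Count such rules; prints 0 when there are none.
count_recent_rules() {
    printf '%s\n' "$1" | grep -c -- '-m recent' || true
}

# Pair up each named `recent` list: the port whose packets arm it (--set)
# and the port it opens (--rcheck or --update). One line per list, e.g.
#   knock set=1337 open=22
summarize_knock_lists() {
    printf '%s\n' "$1" | awk '
    /-m recent/ {
        name = ""; port = ""; mode = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "--name")  name = $(i + 1)
            if ($i == "--dport") port = $(i + 1)
            if ($i == "--set")   mode = "set"
            if ($i == "--rcheck" || $i == "--update") mode = "open"
        }
        if (name != "" && mode != "") v[name, mode] = port
        if (name != "") seen[name] = 1
    }
    END {
        for (n in seen)
            printf "%s set=%s open=%s\n", n, v[n, "set"], v[n, "open"]
    }'
}

# Run against the live ruleset when executed directly (requires root):
#   summarize_knock_lists "$(iptables-save)"
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    echo "recent-module rules: $(count_recent_rules "$SAMPLE_RULES")"
    summarize_knock_lists "$SAMPLE_RULES"
fi
```

A list with both a `set` port and an `open` port is the signature of a knock gate; a `recent` rule used purely for rate limiting will normally show only one side. Check `nftables` output too (`nft list ruleset`), since the same pattern can be written there without touching iptables.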