Dell RecoverPoint for VMs Zero-Day CVE-2026-22769 Exploited Since Mid-2024

News Room, published 18 February 2026 (last updated 2026/02/18 at 7:13 AM)

Ravie Lakshmanan, Feb 18, 2026, Zero-Day / Vulnerability

A maximum severity security vulnerability in Dell RecoverPoint for Virtual Machines has been exploited as a zero-day by a suspected China-nexus threat cluster dubbed UNC6201 since mid-2024, according to a new report from Google Mandiant and Google Threat Intelligence Group (GTIG).

The activity involves the exploitation of CVE-2026-22769 (CVSS score: 10.0), a case of hard-coded credentials affecting versions prior to 6.0.3.1 HF1. Other products, including RecoverPoint Classic, are not vulnerable to the flaw.

“This is considered critical as an unauthenticated remote attacker with knowledge of the hardcoded credential could potentially exploit this vulnerability, leading to unauthorized access to the underlying operating system and root-level persistence,” Dell said in a bulletin released Tuesday.

The issue impacts the following products –

  • RecoverPoint for Virtual Machines Version 5.3 SP4 P1 – Migrate from RecoverPoint for Virtual Machines 5.3 SP4 P1 to 6.0 SP3, and then upgrade to 6.0.3.1 HF1
  • RecoverPoint for Virtual Machines Versions 6.0, 6.0 SP1, 6.0 SP1 P1, 6.0 SP1 P2, 6.0 SP2, 6.0 SP2 P1, 6.0 SP3, and 6.0 SP3 P1 – Upgrade to 6.0.3.1 HF1
  • RecoverPoint for Virtual Machines Versions 5.3 SP4, 5.3 SP3, 5.3 SP2, and earlier – Upgrade to version 5.3 SP4 P1 or a 6.x version, and then apply the necessary remediation 

“Dell recommends that RecoverPoint for Virtual Machines be deployed within a trusted, access-controlled internal network protected by appropriate firewalls and network segmentation,” it noted. “RecoverPoint for Virtual Machines is not intended for use on untrusted or public networks.”

Per Google, the hard-coded credential relates to an “admin” user for the Apache Tomcat Manager instance. It could be used to authenticate to the Dell RecoverPoint Tomcat Manager, upload a web shell named SLAYSTYLE via the “/manager/text/deploy” endpoint, and execute commands as root on the appliance to drop the BRICKSTORM backdoor and its newer version dubbed GRIMBOLT.
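Because the intrusion path runs through the Tomcat Manager application, the appliance's Tomcat access log is the most direct place to look for it. The following detection script is an added example, not code from the original article or from Dell or Google: it parses access-log lines in Tomcat's default common pattern, keeps only requests to the Manager application, and rates each one. The log lines, the trusted-host allowlist and the severity rules are constructed assumptions for illustration.

```python
import re
from typing import Dict, List, Optional, Set

# Tomcat "common" access log pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Any request under the Manager application is worth recording.
MANAGER_PREFIXES = ("/manager/text/", "/manager/html", "/manager/status")
# Endpoints that actually place a new web application onto the server.
DEPLOY_PATHS = ("/manager/text/deploy", "/manager/html/upload", "/manager/html/deploy")

# Constructed allowlist: hosts that legitimately administer this Tomcat instance.
TRUSTED_HOSTS: Set[str] = {"10.0.0.10"}

# Constructed sample log, not real appliance data. The 203.0.113.x and 198.51.100.x
# ranges are documentation addresses.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Feb/2026:03:14:05 +0000] "PUT /manager/text/deploy?path=/status HTTP/1.1" 401 -
203.0.113.5 - admin [18/Feb/2026:03:14:07 +0000] "GET /manager/text/list HTTP/1.1" 200 112
203.0.113.5 - admin [18/Feb/2026:03:14:09 +0000] "PUT /manager/text/deploy?path=/status&update=true HTTP/1.1" 200 57
10.0.0.10 - ops [18/Feb/2026:08:00:01 +0000] "PUT /manager/text/deploy?path=/app HTTP/1.1" 200 44
198.51.100.7 - - [18/Feb/2026:09:10:00 +0000] "GET /index.html HTTP/1.1" 200 3120
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(rec: Dict[str, str], trusted: Set[str]) -> Optional[Dict[str, str]]:
    """Rate a parsed request. Returns None for requests outside the Manager app.

    high:   a deploy/upload that succeeded (2xx) from a host not on the allowlist
    medium: any other Manager request from a host not on the allowlist
    low:    Manager activity from an allowlisted host (still logged for review)
    """
    path = rec["path"].split("?", 1)[0]
    if not path.startswith(MANAGER_PREFIXES):
        return None
    is_deploy = path.startswith(DEPLOY_PATHS)
    succeeded = rec["status"].startswith("2")
    if rec["host"] in trusted:
        severity = "low"
    elif is_deploy and succeeded:
        severity = "high"
    else:
        severity = "medium"
    return {
        "severity": severity,
        "host": rec["host"],
        "user": rec["user"],
        "time": rec["time"],
        "request": f"{rec['method']} {rec['path']} -> {rec['status']}",
    }


def find_manager_activity(lines: List[str], trusted: Set[str] = TRUSTED_HOSTS) -> List[Dict[str, str]]:
    """Scan access-log lines and return one finding per Manager-application request."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        finding = classify(rec, trusted)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_manager_activity(SAMPLE_LOG.splitlines()):
        print(f"[{f['severity']:6}] {f['time']} {f['host']} user={f['user']} {f['request']}")
```

On a real appliance, point the script at the Tomcat access log and extend `TRUSTED_HOSTS` with the hosts that are expected to reach the Manager application; a successful deploy from anywhere else is the event that deserves a full investigation, and a failed one from an unknown source still shows that somebody is trying the credential.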

“This is a C# backdoor compiled using native ahead-of-time (AOT) compilation, making it harder to reverse engineer,” Mandiant’s Charles Carmakal added.

Google told The Hacker News that the activity has targeted organizations across North America, with GRIMBOLT incorporating features to better evade detection and minimize forensic traces on infected hosts. “GRIMBOLT is even better at blending in with the system’s own native files,” it added.

UNC6201 is also assessed to share overlaps with UNC5221, another China-nexus espionage cluster known for its exploitation of virtualization technologies and Ivanti zero-day vulnerabilities to distribute web shells and malware families like BEEFLUSH, BRICKSTORM, and ZIPLINE.

Despite the tactical similarities, the two clusters are assessed to be distinct at this stage. It’s worth noting that the use of BRICKSTORM has also been linked by CrowdStrike to a third China-aligned adversary tracked as Warp Panda in attacks aimed at U.S. entities.

A noteworthy aspect of the latest set of attacks revolves around UNC6201’s reliance on temporary virtual network interfaces – referred to as “Ghost NICs” – to pivot from compromised virtual machines into internal or SaaS environments, and then delete those NICs to cover up the tracks in an effort to impede investigation efforts.

“Consistent with the earlier BRICKSTORM campaign, UNC6201 continues to target appliances that typically lack traditional endpoint detection and response (EDR) agents to remain undetected for long periods,” Google said.

Exactly how initial access is obtained remains unclear, but like UNC5221, UNC6201 is also known to target edge appliances to break into target networks. An analysis of the compromised VMware vCenter appliances has also uncovered iptables commands executed by means of the web shell to perform the following set of actions –

  • Monitor incoming traffic on port 443 for a specific HEX string
  • Add the source IP address of that traffic to a list and if the IP address is on the list and connects to port 10443, the connection is ACCEPTED
  • Silently redirect subsequent traffic to port 443 to port 10443 for the next 300 seconds (five minutes) if the IP is on the approved list
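The three actions above describe a port-knock style gate built from ordinary firewall rules, so an investigator can look for the same shape in an `iptables-save` dump of the appliance. The auditor below is an added example, not code from the original article or from Google's report; the sample dump is a constructed rule set written to have the described behaviour (a `string` match on port 443 that marks the source in a `recent` list, an `ACCEPT` on port 10443 for marked sources, and a 300-second `REDIRECT` from 443 to 10443), not the actual rules recovered from any appliance. The trigger value `deadbeef`, the list name `knock` and the expected-port list are placeholders.

```python
import shlex
from typing import Dict, List, Set

# Match modules and targets that are unusual on a backup or virtualization appliance.
SUSPICIOUS_MODULES = {"string", "recent"}
SUSPICIOUS_TARGETS = {"REDIRECT", "DNAT"}

# Constructed iptables-save output shaped like the behaviour described in the article.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 443 -m recent --rcheck --seconds 300 --name knock -j REDIRECT --to-ports 10443
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 443 -m string --algo bm --hex-string "|deadbeef|" -m recent --set --name knock
-A INPUT -p tcp --dport 10443 -m recent --rcheck --name knock -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""


def parse_rules(dump: str) -> List[Dict]:
    """Turn iptables-save text into one dict per -A/-I rule with its table, chain, modules, target and options."""
    table = None
    rules = []
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT" or line.startswith(":"):
            continue
        if line.startswith("*"):
            table = line[1:]
            continue
        if not line.startswith(("-A", "-I")):
            continue
        toks = shlex.split(line)  # handles the quoted "|..|" hex-string argument
        rule = {"table": table, "chain": toks[1], "raw": line, "modules": set(), "target": None, "opts": {}}
        i = 2
        while i < len(toks):
            t = toks[i]
            if t == "-m":
                rule["modules"].add(toks[i + 1]); i += 2
            elif t == "-j":
                rule["target"] = toks[i + 1]; i += 2
            elif t.startswith("--"):
                # long option: consume a value unless the next token is another option
                if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                    rule["opts"][t[2:]] = toks[i + 1]; i += 2
                else:
                    rule["opts"][t[2:]] = True; i += 1
            else:
                i += 1  # short options such as -p tcp carry no detection value here
        rules.append(rule)
    return rules


def audit_rules(rules: List[Dict], expected_ports: Set[str] = frozenset({"443", "22"})) -> List[Dict]:
    """Return every rule that uses a suspicious module, redirects traffic, or opens an unexpected port."""
    findings = []
    for r in rules:
        indicators = [f"uses -m {m}" for m in sorted(r["modules"] & SUSPICIOUS_MODULES)]
        if r["target"] in SUSPICIOUS_TARGETS:
            dest = r["opts"].get("to-ports") or r["opts"].get("to-destination")
            indicators.append(f"{r['target']} to {dest}")
        dport = r["opts"].get("dport")
        if dport and dport not in expected_ports:
            indicators.append(f"unexpected listener port {dport}")
        if indicators:
            findings.append({"table": r["table"], "chain": r["chain"], "indicators": indicators, "raw": r["raw"]})
    return findings


def find_knock_sequences(rules: List[Dict]) -> List[str]:
    """Correlate rules through a shared `recent` list: one rule marks sources that send a trigger
    string, another later accepts or redirects marked sources. Returns the list names involved."""
    by_name: Dict[str, List[Dict]] = {}
    for r in rules:
        if "recent" in r["modules"] and "name" in r["opts"]:
            by_name.setdefault(r["opts"]["name"], []).append(r)
    gating_targets = {"ACCEPT"} | SUSPICIOUS_TARGETS
    return [
        name for name, group in by_name.items()
        if any("string" in r["modules"] and "set" in r["opts"] for r in group)
        and any(("rcheck" in r["opts"] or "update" in r["opts"]) and r["target"] in gating_targets for r in group)
    ]


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_DUMP)
    for f in audit_rules(parsed):
        print(f"{f['table']}/{f['chain']}: {', '.join(f['indicators'])}\n    {f['raw']}")
    print("knock-style gates via recent lists:", find_knock_sequences(parsed))
```

Run it against `iptables-save` (and `ip6tables-save`) output collected from the appliance during triage. The per-rule audit catches the individual building blocks; `find_knock_sequences` is the more specific signal, because a `string` match that populates a `recent` list which another rule then consults has little legitimate use on a storage or vCenter appliance.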

Furthermore, the threat actor has been found replacing old BRICKSTORM binaries with GRIMBOLT in September 2025. While GRIMBOLT also provides a remote shell capability and uses the same command-and-control (C2) as BRICKSTORM, it’s not known what prompted the shift to the harder-to-detect malware, and whether it was a planned transition or a response to public disclosures about BRICKSTORM.

“Nation-state threat actors continue targeting systems that don’t commonly support EDR solutions, which makes it very hard for victim organizations to know they are compromised and significantly prolongs intrusion dwell times,” Carmakal said.

The disclosure comes as Dragos warned of attacks mounted by Chinese groups like Volt Typhoon (aka Voltzite) to compromise Sierra Wireless Airlink gateways located in electric and oil and gas sectors, followed by pivoting to engineering workstations to dump config and alarm data.

The activity, according to the cybersecurity company, took place in July 2025. The hacking crew is said to acquire initial access from Sylvanite, which rapidly weaponizes edge device vulnerabilities before patches are applied and hands off access for deeper operational technology (OT) intrusions.

“Voltzite moved beyond data exfiltration to direct manipulation of engineering workstations investigating what would trigger processes to stop,” Dragos said. “This represents the removal of the last practical barrier between having access and causing physical consequences. Cellular gateways create unauthorized pathways into OT networks bypassing traditional security controls.”
