Urgent Alert: Dell RecoverPoint for VMs Under Active Zero-Day Attack
A severe security vulnerability in Dell RecoverPoint for Virtual Machines (VMs) has been exploited as a zero-day since mid-2024 by a sophisticated threat cluster believed to be linked to China. The group, tracked as UNC6201, is the subject of a joint report by Google Mandiant and Google Threat Intelligence Group (GTIG) that details its activity.
The vulnerability, tracked as CVE-2026-22769, carries a CVSS score of 10.0, the highest possible rating. It stems from hard-coded credentials in the product, which let an attacker who can reach the appliance over the network, and who holds no legitimately issued credentials, gain access to the underlying operating system and establish root-level persistence. Dell has issued a bulletin confirming the severity and urging immediate action.
The Vulnerability Explained: Hard-Coded Credentials and Affected Systems
At the heart of CVE-2026-22769 lies a basic security flaw: hard-coded administrative credentials for the Apache Tomcat Manager application that ships on the appliance. Anyone who knows these credentials can log in to the Manager as its administrator, and because the Manager exists to deploy and undeploy web applications, that login amounts to the ability to run code on the appliance without defeating any authentication mechanism at all.
Impacted Dell RecoverPoint for VMs Versions:
- Versions prior to 6.0.3.1 HF1 are vulnerable. Specifically:
  - Version 5.3 SP4 P1: migrate from 5.3 SP4 P1 to 6.0 SP3, then upgrade to 6.0.3.1 HF1.
  - Versions 6.0, 6.0 SP1, 6.0 SP1 P1, 6.0 SP1 P2, 6.0 SP2, 6.0 SP2 P1, 6.0 SP3 and 6.0 SP3 P1: upgrade directly to 6.0.3.1 HF1.
  - Versions 5.3 SP4, 5.3 SP3, 5.3 SP2 and earlier: upgrade to 5.3 SP4 P1 or a 6.x release first, then continue along the matching path above until 6.0.3.1 HF1 is installed.
- It’s crucial to note that RecoverPoint Classic and other Dell products are not affected by this specific flaw.
Dell’s advisory emphasizes that RecoverPoint for Virtual Machines should be deployed exclusively within trusted, access-controlled internal networks, fortified by robust firewalls and network segmentation. The product is explicitly not designed for deployment on untrusted or public networks.
UNC6201’s Sophisticated Attack Chain and Evasion Tactics
Google’s analysis reveals the intricate methods employed by UNC6201 to exploit this vulnerability and maintain a persistent, stealthy presence within compromised environments.
Initial Exploitation and Web Shell Deployment:
Attackers use the hard-coded 'admin' credentials to authenticate to the Tomcat Manager on the Dell RecoverPoint appliance. From there, they upload a web shell named SLAYSTYLE through the /manager/text/deploy endpoint, the Manager's text interface for deploying a web application supplied by the client. The web shell lets them execute commands as root on the compromised appliance, which indicates that the Tomcat service itself runs with root privileges and no separate privilege escalation is needed.
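To spot this kind of Manager abuse in Tomcat's own access logs, here is an added example (written for this page; it is not code from Dell, Google or the threat actor) that parses common-format access-log lines, flags every deploy-type Manager call, flags any other Manager access from a source outside an allow list, and then follows the context named in the deploy call's path parameter so that the first requests to the freshly deployed application are flagged as well. The log lines, the addresses, the /stats context and the index.jsp file name are constructed placeholders, and DEPLOY_ENDPOINTS, audit_access_log and the allow-list parameter are this example's own names.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Set, Tuple
from urllib.parse import parse_qs

# Apache Tomcat "common" access-log format: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+'
)

# Manager endpoints that add, replace or remove a deployed application.
# /manager/text/deploy is the one named in the report; the rest are the
# equivalent operations of Tomcat's text and HTML Manager interfaces.
DEPLOY_ENDPOINTS = {
    "/manager/text/deploy", "/manager/text/undeploy", "/manager/text/reload",
    "/manager/html/deploy", "/manager/html/upload",
}

REASON_DEPLOY = "application deployed, reloaded or removed through the Manager"
REASON_MANAGER_SRC = "Manager interface reached from a source not on the allow list"
REASON_DEPLOYED_CTX = "request to a context that the Manager deployed earlier in this log"


@dataclass(frozen=True)
class Finding:
    ip: str
    user: str
    method: str
    target: str
    status: int
    reason: str


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one common-format line into its fields; None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def audit_access_log(lines: Iterable[str],
                     allowed_sources: FrozenSet[str] = frozenset()) -> Tuple[List[Finding], List[str]]:
    """Flag Manager use and follow-on requests to contexts the Manager deployed.

    allowed_sources: addresses that legitimately talk to /manager/ (a CI or
    admin host). Deploy-type calls are flagged regardless of source and with
    any status below 400: the text interface answers 200 with an "OK -" or
    "FAIL -" body, so the status line alone cannot tell success from failure.
    """
    findings: List[Finding] = []
    deployed: Set[str] = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        target = rec["target"]
        path, _, query = target.partition("?")
        status = int(rec["status"])

        def flag(reason: str) -> None:
            findings.append(Finding(rec["ip"], rec["user"], rec["method"], target, status, reason))

        if path.startswith("/manager/"):
            if path in DEPLOY_ENDPOINTS and status < 400:
                # The text interface names the new context in the "path" parameter.
                ctx = parse_qs(query).get("path", [""])[0]
                if ctx.startswith("/"):
                    deployed.add(ctx.rstrip("/") or "/")
                flag(REASON_DEPLOY)
            elif rec["ip"] not in allowed_sources:
                flag(REASON_MANAGER_SRC)
        elif any(ctx == "/" or path == ctx or path.startswith(ctx + "/") for ctx in deployed):
            flag(REASON_DEPLOYED_CTX)
    return findings, sorted(deployed)


# Constructed sample: a Manager probe, a login with the shipped "admin" account,
# a deploy into a context named /stats, and the first hit on the deployed
# application. Addresses, names and the file name are placeholders.
SAMPLE_LOG = """\
10.20.30.40 - - [03/Sep/2025:09:12:01 +0000] "GET /app/ HTTP/1.1" 200 5120
10.20.30.41 - deployer [03/Sep/2025:09:13:40 +0000] "GET /manager/text/list HTTP/1.1" 200 118
198.51.100.7 - - [03/Sep/2025:09:14:22 +0000] "GET /manager/text/list HTTP/1.1" 401 2473
198.51.100.7 - admin [03/Sep/2025:09:14:23 +0000] "GET /manager/text/list HTTP/1.1" 200 118
198.51.100.7 - admin [03/Sep/2025:09:14:30 +0000] "PUT /manager/text/deploy?path=/stats&update=true HTTP/1.1" 200 41
198.51.100.7 - - [03/Sep/2025:09:15:02 +0000] "GET /stats/index.jsp?cmd=id HTTP/1.1" 200 62
10.20.30.40 - - [03/Sep/2025:09:16:10 +0000] "GET /app/status HTTP/1.1" 200 900
"""

if __name__ == "__main__":
    hits, contexts = audit_access_log(SAMPLE_LOG.splitlines(), frozenset({"10.20.30.41"}))
    for h in hits:
        print(f"{h.ip:<14} {h.user:<9} {h.status} {h.method} {h.target}  <- {h.reason}")
    print("contexts deployed through the Manager:", contexts)
```

On a stock Tomcat the access log is written by the AccessLogValve to localhost_access_log.*.txt under the logs directory; the location and format on the RecoverPoint appliance may differ, so confirm the pattern before trusting a clean result. Also keep in mind that an actor with root on the appliance can truncate or edit this log, so a clean access log is not evidence of a clean host; treat it as one signal alongside the deployed webapps directory and the running ruleset.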
The Evolution of Backdoors: BRICKSTORM to GRIMBOLT:
Upon gaining root access, UNC6201 deploys the BRICKSTORM backdoor. Intriguingly, in September 2025, the threat actor began replacing older BRICKSTORM binaries with a newer, more advanced version dubbed GRIMBOLT. Mandiant’s Charles Carmakal notes that GRIMBOLT is a C# backdoor compiled using native ahead-of-time (AOT) compilation, making it significantly harder to reverse engineer. Google further highlights GRIMBOLT’s enhanced evasion capabilities, allowing it to better blend with system files and minimize forensic traces on infected hosts.
“Ghost NICs” and Covert Network Pivoting:
A particularly noteworthy tactic employed by UNC6201 involves temporary virtual network interfaces, or "Ghost NICs." These interfaces let the threat actors pivot from compromised virtual machines into deeper internal or SaaS environments. Once the objective is achieved, the NICs are deleted, which covers the actors' tracks and complicates forensic investigation. Because the interfaces no longer exist on the guest afterwards, the vCenter task and event history, which records each VM reconfiguration, is a more durable place to look for them than the virtual machine itself.
Targeting EDR Blind Spots and Persistence:
Consistent with previous campaigns, UNC6201 deliberately targets appliances that typically cannot run traditional Endpoint Detection and Response (EDR) agents, which lets the intrusions go unnoticed for extended periods and significantly prolongs dwell time. How the group first reaches the RecoverPoint appliance, which Dell says belongs only on an internal, access-controlled network, remains unclear; like UNC5221, the group is known to use edge appliances as a gateway into target networks.
Further analysis of compromised VMware vCenter appliances uncovered iptables rules that had been installed through the web shell. Together they form a port-knocking style gate in front of a second service on port 10443, while every other client continues to see the normal HTTPS port:
- Inspect incoming traffic on port 443 for a specific hex string.
- Add the source IP address of any matching packet to an approved list.
- Accept connections from an approved IP to port 10443.
- Silently redirect that IP's subsequent port 443 traffic to port 10443 for 300 seconds (five minutes).
All of this uses stock netfilter functionality (the string match, the recent list and the REDIRECT target), so no custom kernel code is involved. The rules appear in iptables-save output, and the addresses that have knocked are listed under /proc/net/xt_recent/ for as long as the list exists.
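As an added example (not code from the report or from any of the parties it names), here is a Python audit of iptables-save output that flags the three building blocks listed above individually, then reports the assembled gate whenever a recent list armed by a string match also drives a REDIRECT or DNAT. The sample ruleset is constructed to reproduce the described behaviour with standard netfilter modules; the hex pattern |00112233|, the list name knock and the function names are placeholders, not values recovered from a real appliance.

```python
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed iptables-save output reproducing the behaviour described above:
# a payload pattern on 443 arms a "recent" list, list members may reach 10443,
# and their later 443 traffic is redirected to 10443 for 300 seconds. The hex
# pattern and list name are placeholders, not the values Google recovered.
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 443 -m recent --rcheck --seconds 300 --name knock -j REDIRECT --to-ports 10443
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 443 -m string --hex-string "|00112233|" --algo bm -m recent --set --name knock -j ACCEPT
-A INPUT -p tcp --dport 10443 -m recent --rcheck --name knock -j ACCEPT
-A INPUT -p tcp --dport 10443 -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""


@dataclass
class Rule:
    table: str
    text: str
    modules: Set[str]
    target: Optional[str]
    recent_name: Optional[str]
    recent_mode: Optional[str]   # set / rcheck / update / remove
    seconds: Optional[str]
    pattern: Optional[str]       # --string or --hex-string value
    nat_to: Optional[str]        # --to-ports (REDIRECT) or --to-destination (DNAT)


@dataclass(frozen=True)
class Finding:
    kind: str                    # string / recent / nat / gate
    table: str
    rule: str
    detail: str


def _opt(tokens: List[str], flag: str) -> Optional[str]:
    """Value that follows `flag` in a tokenised rule, or None if absent."""
    if flag in tokens:
        i = tokens.index(flag)
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def parse_iptables_save(text: str) -> List[Rule]:
    """Parse the -A lines of iptables-save output, remembering the current table."""
    rules: List[Rule] = []
    table = "?"
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
            continue
        if not line.startswith("-A "):
            continue
        t = shlex.split(line)           # shlex keeps "|00112233|" as one token
        modules = {t[i + 1] for i, tok in enumerate(t[:-1]) if tok == "-m"}
        mode = next((m for m in ("--set", "--rcheck", "--update", "--remove") if m in t), None)
        target = _opt(t, "-j")
        nat_to = _opt(t, "--to-ports") if target == "REDIRECT" else _opt(t, "--to-destination")
        rules.append(Rule(table, line, modules, target, _opt(t, "--name"),
                          mode[2:] if mode else None, _opt(t, "--seconds"),
                          _opt(t, "--hex-string") or _opt(t, "--string"), nat_to))
    return rules


def audit_rules(rules: List[Rule]) -> List[Finding]:
    """Flag the building blocks one by one, then the assembled gate."""
    findings: List[Finding] = []
    armed_by_payload: Dict[str, Rule] = {}   # list name -> rule that --set's it on a string match
    nat_by_list: Dict[str, Rule] = {}        # list name -> REDIRECT/DNAT rule keyed on that list
    for r in rules:
        if "string" in r.modules:
            findings.append(Finding("string", r.table, r.text, f"payload pattern {r.pattern} used as a trigger"))
        if "recent" in r.modules and r.recent_name:
            findings.append(Finding("recent", r.table, r.text, f"list {r.recent_name}: {r.recent_mode}"))
            if r.recent_mode == "set" and "string" in r.modules:
                armed_by_payload[r.recent_name] = r
            if r.target in ("REDIRECT", "DNAT"):
                nat_by_list[r.recent_name] = r
        if r.target in ("REDIRECT", "DNAT"):
            findings.append(Finding("nat", r.table, r.text, f"{r.target} to {r.nat_to}"))
    for name, nat in nat_by_list.items():
        if name in armed_by_payload:
            window = f" for {nat.seconds}s" if nat.seconds else ""
            findings.append(Finding("gate", nat.table, nat.text,
                                    f"list {name} is armed by a payload pattern and drives {nat.target} to {nat.nat_to}{window}"))
    return findings


def audit_text(text: str) -> List[Finding]:
    return audit_rules(parse_iptables_save(text))


if __name__ == "__main__":
    for f in audit_text(SAMPLE_RULES):
        print(f"[{f.kind:<6}] {f.table:<6} {f.detail}\n         {f.rule}")
```

Feed it the output of iptables-save (and ip6tables-save) from the appliance; on hosts where iptables is backed by nftables, also review nft list ruleset, since rules added by other tooling will not show up in the iptables view. While the gate is active, /proc/net/xt_recent/<list name> lists the addresses that have knocked, with their last-seen times, which is worth capturing before the ruleset is flushed.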
The Threat Actor: UNC6201 and its China-Nexus Connections
UNC6201 is assessed to be a China-nexus espionage cluster, sharing tactical overlaps with other prominent groups. It shows similarities with UNC5221, another China-nexus cluster notorious for exploiting virtualization technologies and Ivanti zero-day vulnerabilities to deploy web shells and malware families such as BEEFLUSH, BRICKSTORM, and ZIPLINE. While tactically similar, the two clusters are currently considered distinct.
The BRICKSTORM backdoor itself has also been linked by CrowdStrike to a third China-aligned adversary, Warp Panda, in attacks targeting U.S. entities. This interconnectedness underscores the breadth and coordination within the China-nexus threat landscape.
As Mandiant’s Charles Carmakal highlights, “Nation-state threat actors continue targeting systems that don’t commonly support EDR solutions, which makes it very hard for victim organizations to know they are compromised and significantly prolongs intrusion dwell times.”
Urgent Remediation and Broader Cybersecurity Implications
The exploitation of this Dell RecoverPoint zero-day serves as a stark reminder of the persistent and evolving threats posed by state-sponsored actors. Organizations utilizing Dell RecoverPoint for Virtual Machines must prioritize immediate patching and adhere strictly to Dell’s security recommendations.
This disclosure comes amidst broader warnings, such as those from Dragos, concerning Chinese groups like Volt Typhoon (aka Voltzite) actively compromising Sierra Wireless Airlink gateways in electric and operational technology (OT) environments. The pattern of targeting critical infrastructure and systems with limited EDR visibility remains a significant concern for global cybersecurity.
Proactive security measures, including rigorous network segmentation, continuous monitoring, and prompt application of security updates, are paramount to defending against such sophisticated and determined adversaries.