Severity: Critical | CVE-2026-22769 | CVSS 10.0

Dell RecoverPoint Zero-Day: Chinese Hackers Had 18 Months Head Start

A maximum-severity zero-day in Dell RecoverPoint for Virtual Machines (CVSS 10.0) has been exploited by Chinese state-sponsored hackers since mid-2024. The flaw involves hard-coded Tomcat credentials enabling root access. CISA has added it to the KEV catalog with a 3-day patch deadline.

By Danny Mercer, CISSP — Lead Security Analyst. February 19, 2026.

Affected Products

- Dell RecoverPoint for Virtual Machines 5.3 SP4 P1 and earlier
- Dell RecoverPoint for Virtual Machines 6.0.x prior to 6.0.3.1 HF1

If you needed a reminder that your fancy virtualization appliances are just as hackable as everything else, here it is. Dell's RecoverPoint for Virtual Machines has been harboring a maximum-severity zero-day vulnerability that Chinese state-sponsored hackers have been quietly exploiting since mid-2024. That's roughly 18 months of unrestricted access before anyone noticed.

The vulnerability in question is CVE-2026-22769, and it carries a perfect CVSS score of 10.0. The flaw itself is almost embarrassingly simple: hard-coded credentials for an admin user in the Apache Tomcat Manager instance. An unauthenticated remote attacker who knows (or discovers) these credentials can authenticate to the Tomcat Manager, upload a web shell, and execute commands as root on the underlying appliance. From there, it's game over. Dell's bulletin, released Tuesday, uses careful corporate language about "unauthorized access to the underlying operating system and root-level persistence," but let's be clear about what that means: complete control.
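Because the flaw is abused through the Tomcat Manager interface, the appliance's own Tomcat access log is the first place to look for evidence. The following is an added example (not code from Dell, Mandiant or this article): a small Python scanner that parses lines in Tomcat's default "common" access-log format, flags any request to the Manager application, raises the severity when a Manager login comes from a host outside an allow-list, and raises it further when a deployment or upload endpoint returns success. The log lines, host names and the allow-list are constructed for the example; the `/manager/text/deploy` and `/manager/html/upload` paths are standard Tomcat Manager endpoints.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Tomcat "common" access-log pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Any request under the Manager web application.
MANAGER_RE = re.compile(r'^/manager(/|$)')
# Manager endpoints that change what the server runs, as opposed to read-only views.
DEPLOY_RE = re.compile(r'^/manager/(text/deploy|html/upload|html/deploy)\b')


@dataclass
class Finding:
    host: str
    user: str
    time: str
    method: str
    path: str
    status: int
    severity: str  # "info" | "medium" | "high"
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry: dict, allowed_hosts: Set[str]) -> Optional[Finding]:
    """Turn a parsed entry into a Finding if it touches the Manager app."""
    path = entry["path"]
    if not MANAGER_RE.match(path):
        return None
    status = int(entry["status"])
    # Tomcat records the authenticated principal in %u; "-" means none.
    authenticated = entry["user"] != "-" and status < 400
    if DEPLOY_RE.match(path) and status < 400:
        sev, why = "high", "application deployed/uploaded through Tomcat Manager"
    elif authenticated and entry["host"] not in allowed_hosts:
        sev, why = "medium", "Manager login from a host outside the allow-list"
    elif authenticated:
        sev, why = "info", "Manager access from an allowed host"
    else:
        sev, why = "info", "unauthenticated or failed Manager request"
    return Finding(entry["host"], entry["user"], entry["time"],
                   entry["method"], path, status, sev, why)


def scan(lines: List[str], allowed_hosts: Set[str]) -> List[Finding]:
    """Scan access-log lines and return all Manager-related findings in order."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # not an access-log line (or a different pattern); skip it
        f = classify(entry, allowed_hosts)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample log: a failed login, a successful login from an unexpected
# host, a deployment from that host, a routine admin login, and an unrelated hit.
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Feb/2026:03:12:40 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '192.0.2.10 - admin [18/Feb/2026:03:12:44 +0000] "GET /manager/html HTTP/1.1" 200 14523',
    '192.0.2.10 - admin [18/Feb/2026:03:13:05 +0000] "PUT /manager/text/deploy?path=/app1 HTTP/1.1" 200 45',
    '10.10.0.7 - admin [18/Feb/2026:09:00:01 +0000] "GET /manager/html HTTP/1.1" 200 14523',
    '10.10.0.7 - - [18/Feb/2026:09:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024',
]
# Constructed allow-list: the one management host expected to use the Manager app.
ALLOWED_HOSTS = {"10.10.0.7"}

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG, ALLOWED_HOSTS):
        print(f"[{f.severity:6}] {f.time} {f.host} {f.user} {f.method} {f.path} -> {f.reason}")
```

On an appliance where the Manager application should never be used at all, every finding is worth a look; the "high" entries are the ones that correspond to the upload-then-execute step the bulletin describes.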

Google Mandiant and the Google Threat Intelligence Group discovered the exploitation while investigating compromised Dell RecoverPoint appliances in an unnamed victim's environment. The threat cluster responsible, tracked as UNC6201, appears to be a China-nexus espionage operation with a familiar playbook. They're exploiting the vulnerability to deploy a backdoor called BRICKSTORM, and more recently, an evolved variant dubbed GRIMBOLT that's specifically designed to evade detection. GRIMBOLT is compiled using C# native ahead-of-time compilation, which makes reverse engineering significantly more difficult and helps the malware blend in with the system's own native files.

The affected versions span a wide range of the RecoverPoint for Virtual Machines product line. Dell advises organizations running version 5.3 SP4 P1 to migrate to version 6.0 SP3 and then apply the 6.0.3.1 HF1 hotfix. Those on various 6.0 releases need to upgrade directly to 6.0.3.1 HF1. Organizations still running version 5.3 SP4 or earlier face a longer remediation path, needing to first upgrade to 5.3 SP4 P1 or a 6.x version before applying the fix. One small mercy: RecoverPoint Classic is not vulnerable to this particular flaw.

What makes this campaign particularly concerning is the operational tradecraft. UNC6201 has been observed using what Mandiant calls "Ghost NICs" — temporary virtual network interfaces created on compromised virtual machines. The attackers use these phantom interfaces to pivot from compromised VMs into internal networks and SaaS environments, then delete them afterward to cover their tracks and frustrate forensic investigation. It's a clever technique that exploits the ephemeral nature of virtualized infrastructure against defenders.
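Deleting the interface removes it from the VM, but the hypervisor's reconfiguration history still records both the attach and the detach. The following is an added example (not code from Mandiant or this article) of pairing those two events per VM and interface and reporting interfaces that lived only briefly, which is the signature of the technique described above. The event format (pipe-separated timestamp, VM name, NIC identifier, action, network) and all the sample records are constructed; in a real deployment you would map your hypervisor's or cloud platform's VM-reconfigure events into this shape.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass
class NicEvent:
    ts: datetime
    vm: str
    nic: str
    action: str    # "added" | "removed"
    network: str


@dataclass
class GhostNic:
    vm: str
    nic: str
    network: str
    added: datetime
    removed: datetime
    lifetime: timedelta


def parse_events(lines: List[str]) -> List[NicEvent]:
    """Parse constructed 'ts | vm | nic | action | network' records, sorted by time."""
    events = []
    for line in lines:
        ts, vm, nic, action, network = [p.strip() for p in line.split("|")]
        events.append(NicEvent(datetime.fromisoformat(ts), vm, nic, action, network))
    return sorted(events, key=lambda e: e.ts)


def find_ghost_nics(events: List[NicEvent],
                    max_lifetime: timedelta = timedelta(hours=24)) -> List[GhostNic]:
    """Pair each 'added' with the next 'removed' for the same (vm, nic) and keep short-lived ones."""
    pending: Dict[Tuple[str, str], NicEvent] = {}
    ghosts: List[GhostNic] = []
    for e in events:
        key = (e.vm, e.nic)
        if e.action == "added":
            pending[key] = e
        elif e.action == "removed" and key in pending:
            add = pending.pop(key)
            lifetime = e.ts - add.ts
            if lifetime <= max_lifetime:
                ghosts.append(GhostNic(e.vm, e.nic, add.network, add.ts, e.ts, lifetime))
    return ghosts


def still_attached(events: List[NicEvent]) -> List[Tuple[str, str]]:
    """Interfaces that were added but never removed: worth checking against the VM's intended config."""
    pending: Dict[Tuple[str, str], NicEvent] = {}
    for e in events:
        key = (e.vm, e.nic)
        if e.action == "added":
            pending[key] = e
        elif e.action == "removed":
            pending.pop(key, None)
    return sorted(pending.keys())


# Constructed sample: one interface that existed for under three hours on a backup
# VM, one routine change that lived for weeks, and one interface still attached.
SAMPLE_EVENTS = [
    "2026-02-10T01:12:00 | vm-backup-01 | nic-7 | added   | Internal-Mgmt",
    "2026-02-10T03:48:00 | vm-backup-01 | nic-7 | removed | Internal-Mgmt",
    "2026-01-15T09:00:00 | vm-web-02    | nic-2 | added   | DMZ",
    "2026-02-12T14:00:00 | vm-web-02    | nic-2 | removed | DMZ",
    "2026-02-11T22:05:00 | vm-db-03     | nic-4 | added   | Internal-Mgmt",
]

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for g in find_ghost_nics(evs):
        print(f"ghost NIC: {g.vm} {g.nic} on {g.network}, lived {g.lifetime}")
    print("still attached:", still_attached(evs))
```

The 24-hour threshold is a starting point; tune it to how long legitimate interface changes persist in your environment, and treat a short-lived interface on a backup or recovery appliance that has no reason to gain a new network as a high-priority lead.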

The pattern here echoes tactics seen from UNC5221, another China-nexus cluster known for targeting virtualization technologies and Ivanti zero-day vulnerabilities. While Mandiant assesses the two groups as distinct, the overlap in tooling is notable. CrowdStrike has also linked BRICKSTORM usage to a third Chinese adversary called Warp Panda in campaigns targeting U.S. entities. Whether these are different teams sharing tools or the same operation under different names, the message is consistent: virtualization and backup infrastructure has become prime hunting ground for nation-state actors.

The strategic logic is painfully obvious once you think about it. RecoverPoint appliances, like many enterprise backup and disaster recovery systems, typically lack traditional endpoint detection and response agents. Security teams rarely think to instrument these appliances the same way they would a Windows server or Linux workstation. That makes them ideal beachheads for long-term espionage operations. As Mandiant's Charles Carmakal noted, "Nation-state threat actors continue targeting systems that don't commonly support EDR solutions, which makes it very hard for victim organizations to know they are compromised and significantly prolongs intrusion dwell times."

CISA moved quickly on this one, adding CVE-2026-22769 to the Known Exploited Vulnerabilities catalog on February 18, 2026, with a compliance deadline of February 21. That gives Federal Civilian Executive Branch agencies exactly three days to patch, which tells you everything you need to know about how seriously the government is taking active Chinese exploitation of virtualization infrastructure.

Mandiant believes fewer than a dozen organizations are confirmed compromised, but they're quick to point out that the full scope of this campaign remains unknown. Given that exploitation has been occurring since mid-2024, the threat actor has had more than enough time to establish deep persistence and conduct extensive espionage operations. Organizations that have previously been targeted by BRICKSTORM are advised to hunt specifically for GRIMBOLT in their environments using the indicators of compromise and YARA rules Mandiant published alongside their report.

The bottom line is straightforward if uncomfortable. If you're running Dell RecoverPoint for Virtual Machines, patch immediately. If you've been running unpatched versions since mid-2024, assume compromise and hunt accordingly. And if you're still treating backup and disaster recovery infrastructure as somehow outside the scope of your security monitoring, it's time to reconsider that position. The attackers certainly have.

Tags: Dell, RecoverPoint, China, APT, UNC6201, BRICKSTORM, GRIMBOLT, Zero-Day, Virtualization