Dell RecoverPoint for VMs Zero-Day CVE-2026-22769 Exploited Since Mid-2024

February 18, 2026


Ravie Lakshmanan, Feb 18, 2026, Zero-Day / Vulnerability

Dell RecoverPoint

A maximum-severity security vulnerability in Dell RecoverPoint for Virtual Machines has been exploited as a zero-day by a suspected China-nexus threat cluster dubbed UNC6201 since mid-2024, according to a new report from Google Mandiant and Google Threat Intelligence Group (GTIG).

The activity involves the exploitation of CVE-2026-22769 (CVSS score: 10.0), a case of hard-coded credentials affecting versions prior to 6.0.3.1 HF1. Other products, including RecoverPoint Classic, are not susceptible to the flaw.

“This is considered critical as an unauthenticated remote attacker with knowledge of the hardcoded credential could potentially exploit this vulnerability, leading to unauthorized access to the underlying operating system and root-level persistence,” Dell said in a bulletin released Tuesday.

The issue affects the following products –

  • RecoverPoint for Virtual Machines Version 5.3 SP4 P1 – Migrate from RecoverPoint for Virtual Machines 5.3 SP4 P1 to 6.0 SP3, and then upgrade to 6.0.3.1 HF1
  • RecoverPoint for Virtual Machines Versions 6.0, 6.0 SP1, 6.0 SP1 P1, 6.0 SP1 P2, 6.0 SP2, 6.0 SP2 P1, 6.0 SP3, and 6.0 SP3 P1 – Upgrade to 6.0.3.1 HF1
  • RecoverPoint for Virtual Machines Versions 5.3 SP4, 5.3 SP3, 5.3 SP2, and earlier – Upgrade to version 5.3 SP4 P1 or a 6.x version, and then apply the required remediation

“Dell recommends that RecoverPoint for Virtual Machines be deployed within a trusted, access-controlled internal network protected by appropriate firewalls and network segmentation,” it noted. “RecoverPoint for Virtual Machines is not intended for use on untrusted or public networks.”

Per Google, the hard-coded credential relates to an “admin” user for the Apache Tomcat Manager instance that could be used to authenticate to the Dell RecoverPoint Tomcat Manager, upload a web shell named SLAYSTYLE via the “/manager/text/deploy” endpoint, and execute commands as root on the appliance to drop the BRICKSTORM backdoor and its newer version dubbed GRIMBOLT.
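A defender's first question on reading the above is whether the Manager deploy endpoint was ever hit on an appliance. The following detection script is an added example, not code from the report or from Dell: it scans Tomcat access-log lines in the default common pattern (`%h %l %u %t "%r" %s %b`) and reports successful requests to Manager deploy endpoints along with the authenticated user, counting failed attempts separately. The sample log lines are constructed for the example, and the list of deploy paths beyond `/manager/text/deploy` is an assumption drawn from standard Tomcat Manager paths.

```python
import re
from dataclasses import dataclass

# Tomcat access log in the default "common" pattern: %h %l %u %t "%r" %s %b
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Manager endpoints that install new code. The report names only the text
# deploy endpoint; the html paths are assumed from standard Tomcat Manager.
DEPLOY_PATHS = ("/manager/text/deploy", "/manager/html/upload", "/manager/html/deploy")


@dataclass
class Finding:
    src: str
    user: str
    method: str
    path: str
    status: int


def find_manager_deploys(lines):
    """Return (findings, failed): one Finding per 2xx deploy request,
    plus a count of deploy requests that did not succeed."""
    findings, failed = [], 0
    for line in lines:
        m = ACCESS_RE.match(line.strip())
        if not m:
            continue
        path = m["path"].split("?", 1)[0]   # drop query string before matching
        if not any(path.startswith(p) for p in DEPLOY_PATHS):
            continue
        status = int(m["status"])
        if 200 <= status < 300:
            findings.append(Finding(m["src"], m["user"], m["method"], m["path"], status))
        else:
            failed += 1
    return findings, failed


# Constructed sample log lines, not from the report; 198.51.100.0/24 is a documentation range.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Feb/2026:10:14:01 +0000] "GET /ui/ HTTP/1.1" 200 4123
198.51.100.7 - admin [18/Feb/2026:10:15:32 +0000] "PUT /manager/text/deploy?path=/x HTTP/1.1" 200 52
198.51.100.7 - admin [18/Feb/2026:10:15:33 +0000] "GET /manager/text/list HTTP/1.1" 200 310
198.51.100.9 - - [18/Feb/2026:10:16:10 +0000] "PUT /manager/text/deploy?path=/y HTTP/1.1" 401 2473
""".splitlines()
```

Run `find_manager_deploys` over the appliance's real access logs; any successful deploy by the built-in “admin” account from an address that is not a known administrator host warrants an incident-response look.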

“It is a C# backdoor compiled using native ahead-of-time (AOT) compilation, making it harder to reverse engineer,” Mandiant’s Charles Carmakal added.

Google told The Hacker News that the activity has targeted organizations across North America, with GRIMBOLT incorporating features to better evade detection and minimize forensic traces on infected hosts. “GRIMBOLT is even better at blending in with the system’s own native files,” it added.

UNC6201 is also assessed to share overlaps with UNC5221, another China-nexus espionage cluster known for its exploitation of virtualization technologies and Ivanti zero-day vulnerabilities to distribute web shells and malware families like BEEFLUSH, BRICKSTORM, and ZIPLINE.

Despite the tactical similarities, the two clusters are assessed to be distinct at this stage. It is worth noting that the use of BRICKSTORM has also been linked by CrowdStrike to a third China-aligned adversary tracked as Warp Panda in attacks aimed at U.S. entities.

A noteworthy aspect of the latest set of attacks revolves around UNC6201’s reliance on temporary virtual network interfaces – referred to as “Ghost NICs” – to pivot from compromised virtual machines into internal or SaaS environments, and then delete those NICs to cover their tracks in an effort to impede investigation efforts.

“Consistent with the earlier BRICKSTORM campaign, UNC6201 continues to target appliances that typically lack traditional endpoint detection and response (EDR) agents to remain undetected for long periods,” Google said.

Exactly how initial access is obtained remains unclear, but like UNC5221, it is also known to target edge appliances to break into target networks. An analysis of the compromised VMware vCenter appliances has also uncovered iptables commands executed by means of the web shell to perform the following set of actions –

  • Monitor incoming traffic on port 443 for a specific HEX string
  • Add the source IP address of that traffic to a list, and if the IP address is on the list and connects to port 10443, the connection is ACCEPTED
  • Silently redirect subsequent traffic to port 443 to port 10443 for the next 300 seconds (5 minutes) if the IP is on the permitted list
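The three actions above leave a recognisable footprint in the kernel firewall state, which is the one place a host without an EDR agent still records them. The script below is an added example, not from the report: it scans `iptables-save` output and flags rules that combine a payload hex-string match, per-source-IP `recent` list state, or a REDIRECT away from port 443. The specific modules (`string`/`--hex-string`, `recent`, `REDIRECT`) are an assumption about how the described behaviour would be implemented; the report does not name them. The sample dump is constructed and its hex pattern is a placeholder.

```python
import re
import shlex

# The iptables modules assumed here (string/--hex-string, recent, REDIRECT)
# are one natural implementation of the behaviour described above; the report
# itself does not name the modules.
HEX_MATCH = re.compile(r"--hex-string\s+\S+")
TOPORTS = re.compile(r"--to-ports?\s+(\d+)")


def classify_rule(rule: str):
    """Reasons one iptables-save rule line looks like a knock/redirect rule."""
    reasons = []
    toks = shlex.split(rule)
    dport = toks[toks.index("--dport") + 1] if "--dport" in toks else "?"
    if "string" in toks and HEX_MATCH.search(rule):
        reasons.append(f"payload hex-string match on dport {dport}")
    if "recent" in toks:
        mode = "--set" if "--set" in toks else "--rcheck/--update"
        reasons.append(f"recent-list {mode} (per-source-IP state)")
    if "-j" in toks and toks[toks.index("-j") + 1] == "REDIRECT":
        m = TOPORTS.search(rule)
        reasons.append(f"REDIRECT dport {dport} -> {m.group(1) if m else '?'}")
    return reasons


def find_knock_rules(dump_lines):
    """Scan iptables-save output; return [(rule, reasons)] for flagged rules."""
    flagged = []
    for line in dump_lines:
        line = line.strip()
        if not line.startswith("-A"):
            continue  # table headers, chain policies and COMMIT carry no rule
        reasons = classify_rule(line)
        if reasons:
            flagged.append((line, reasons))
    return flagged


# Constructed sample dump, not from the report; the hex pattern is a placeholder.
SAMPLE_DUMP = """\
*filter
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m string --algo bm --hex-string "|00112233|" -m recent --set --name k -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10443 -m recent --rcheck --seconds 300 --name k -j ACCEPT
COMMIT
*nat
-A PREROUTING -p tcp -m tcp --dport 443 -m recent --rcheck --seconds 300 --name k -j REDIRECT --to-ports 10443
COMMIT
""".splitlines()
```

Because the `recent` list itself lives under `/proc/net/xt_recent/`, a live appliance can additionally be checked for unexpected entries there even after the rules have been flushed.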

Furthermore, the threat actor has been found replacing older BRICKSTORM binaries with GRIMBOLT in September 2025. While GRIMBOLT also provides a remote shell capability and uses the same command-and-control (C2) as BRICKSTORM, it is not known what prompted the shift to the harder-to-detect malware, or whether it was a deliberate transition or a response to public disclosures about BRICKSTORM.

“Nation-state threat actors continue targeting systems that don’t commonly support EDR solutions, which makes it very hard for victim organizations to know they’re compromised and significantly prolongs intrusion dwell times,” Carmakal said.

The disclosure comes as Dragos warned of attacks mounted by Chinese groups like Volt Typhoon (aka Voltzite) to compromise Sierra Wireless AirLink gateways located in the electric and oil and gas sectors, followed by pivoting to engineering workstations to dump config and alarm data.

The activity, according to the cybersecurity company, took place in July 2025. The hacking crew is said to acquire initial access from Sylvanite, which quickly weaponizes edge device vulnerabilities before patches are applied and hands off access for deeper operational technology (OT) intrusions.

“Voltzite moved beyond data exfiltration to direct manipulation of engineering workstations investigating what would trigger processes to stop,” Dragos said. “This represents the removal of the last practical barrier between having access and causing physical consequences. Cellular gateways create unauthorized pathways into OT networks bypassing traditional security controls.”

© 2025 https://techtrendfeed.com/ - All Rights Reserved