Dell has disclosed a critical vulnerability in its RecoverPoint for Virtual Machines product—a server-side tool used by organizations to back up and recover VMware virtual machines. This does not affect Dell laptops, desktops, or consumer devices. The flaw carries the highest possible severity rating, and security researchers have confirmed that attackers have been exploiting it since at least mid-2024.

On February 18, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog—the government's official list of flaws that are confirmed to be under active attack. Federal agencies have been ordered to patch by February 21, just three days after the announcement.

Organizations running Dell RecoverPoint for Virtual Machines should treat this as urgent.

What the Vulnerability Is

The flaw, tracked as CVE-2026-22769, is a hardcoded credential vulnerability. In plain terms, that means the software shipped with a built-in username and password that cannot be changed by the user—and that anyone who knows this credential can use it to log in remotely, with no legitimate account of their own required.

It has been assigned a CVSS score of 10.0 out of 10.0—the maximum severity rating. Dell's own advisory, DSA-2026-079, describes it as critical: "An unauthenticated remote attacker with knowledge of the hardcoded credential could potentially exploit this vulnerability, leading to unauthorized access to the underlying operating system and root-level persistence."

Root-level access means an attacker gains full control of the appliance—the ability to read, modify, or delete anything on it, and to use it as a foothold to move deeper into the network.

The technical root cause involves hardcoded default credentials for the admin account in the Apache Tomcat Manager component bundled with RecoverPoint. An attacker can authenticate to the Tomcat Manager interface, upload a malicious application, and execute commands as root on the appliance.

Who Has Been Exploiting It

According to research published by Mandiant and the Google Threat Intelligence Group (GTIG), the vulnerability has been actively exploited by a suspected China-linked threat group tracked as UNC6201. This group has been targeting the flaw since at least mid-2024—meaning it was exploited as a zero-day for roughly 20 months before a patch became available.

Mandiant reported that the campaign targeted organizations across North America, with a focus on legal firms, technology companies, and software-as-a-service providers. The primary objective appears to be stealing intellectual property, sensitive data, and the contents of senior leaders' email inboxes.

CISA Executive Assistant Director for Cybersecurity Nick Andersen confirmed the agency is "actively combating the multi-year Brickstorm threat campaign."

We've seen this pattern before with state-sponsored actors targeting infrastructure components. The SolarWinds breach demonstrated how attackers exploit trusted IT management tools to gain deep access to organizations, and the more recent Notepad++ supply chain compromise showed that even widely trusted utilities can become attack vectors when infrastructure is targeted.

How the Attacks Work

The attack chain observed by Mandiant proceeds through several stages, each building on the last:

Initial Compromise

The attackers use the hardcoded credentials to authenticate to the RecoverPoint appliance's Apache Tomcat Manager. From there, they upload a malicious WAR file (a type of Java web application) containing a web shell called SLAYSTYLE. This web shell gives them persistent remote command execution on the appliance.

Backdoor Deployment

With initial access established, UNC6201 deployed BRICKSTORM—a backdoor with variants written in Go and Rust—designed for persistent access and remote command execution. In September 2025, researchers observed the group replacing older BRICKSTORM backdoors with a newer tool called GRIMBOLT—a C# backdoor compiled using native ahead-of-time (AOT) compilation and packed with UPX, which makes it harder for security tools to detect through static analysis.

Persistence

The attackers established persistence by modifying a legitimate shell script called convert_hosts.sh that runs automatically when the appliance boots. This meant the backdoor would survive reboots and continue operating undetected.

Lateral Movement

Perhaps most concerning, UNC6201 used a technique called "Ghost NICs"—creating temporary virtual network interfaces on VMware ESXi servers. These hidden network connections allowed the attackers to move laterally through virtualized environments. After completing their activities, they deleted the NICs, making the intrusion harder to detect and investigate.

The group also used iptables-based Single Packet Authorization to covertly redirect and control traffic on vCenter appliances—another layer of stealth designed to avoid detection.

Why This Matters Beyond Large Enterprises

Dell RecoverPoint for Virtual Machines is a disaster recovery product used primarily in VMware environments. While it may sound like enterprise-only infrastructure, it touches a broader issue that affects organizations of all sizes: the security of your backup and recovery systems.

Backup infrastructure occupies a uniquely dangerous blind spot. These systems are often configured once and rarely updated. They typically sit outside the scope of endpoint detection and response (EDR) tools. And because they're designed for disaster recovery, they have deep access to the data and systems they're meant to protect.

As we discussed in our article on backup and recovery assumptions that often fail, many organizations treat backup systems as "set and forget" infrastructure. This incident demonstrates why that approach creates risk—backup appliances are high-value targets precisely because they hold copies of critical data and are often overlooked in security monitoring.

If your organization doesn't use Dell RecoverPoint specifically, this incident is still worth understanding. The broader lesson applies to any appliance or infrastructure component that sits outside your normal patch cycle. We explored this in our piece on third-party vendor risk from an SMB perspective.

What's Affected and How to Remediate

The vulnerability affects Dell RecoverPoint for Virtual Machines in versions prior to 6.0.3.1 HF1. Specifically, the affected version lines include:

  • 6.0.x line: Versions 6.0, 6.0 SP1, 6.0 SP1 P1, 6.0 SP1 P2, 6.0 SP2, 6.0 SP2 P1, 6.0 SP3, and 6.0 SP3 P1
  • 5.3.x line: Version 5.3 SP4 P1 and earlier builds

Not affected: Dell RecoverPoint Classic appliances, both physical and virtual, are not impacted by this vulnerability.

Remediation Steps

Primary fix: Upgrade to Dell RecoverPoint for Virtual Machines version 6.0.3.1 HF1. This is the version that removes the hardcoded credentials.

For organizations on the 5.3.x line: Dell advises upgrading to version 5.3 SP4 P1 first, then migrating to 6.0 SP3 before upgrading to 6.0.3.1 HF1. Alternatively, Dell provides a remediation script that can be applied as an interim measure.

Interim workaround: If an immediate upgrade is not feasible, Dell has published a remediation script for DSA-2026-079 that should be applied as soon as possible. Note that if a RecoverPoint appliance is reimaged on version 6.0 SP3 P1 or older, the remediation script must be run again manually.

Network hardening: Dell recommends that RecoverPoint for Virtual Machines be deployed within a trusted, access-controlled internal network protected by appropriate firewalls and network segmentation. RecoverPoint is not intended for use on untrusted or public networks.

Dell's full advisory (DSA-2026-079) and the remediation script are available through Dell's support knowledge base.

How to Tell If You've Been Compromised

Given that exploitation has been ongoing since mid-2024, organizations running affected versions should not assume they are safe simply because they haven't noticed anything unusual. The attackers behind this campaign specifically chose infrastructure that typically lacks traditional security monitoring.

Mandiant and GTIG have published indicators of compromise (IOCs) and YARA rules for detecting the GRIMBOLT backdoor and the SLAYSTYLE web shell. Organizations with in-house security teams or managed security providers should review these indicators against their environments.

Signs that may warrant further investigation include:

  • Unexpected WAR files deployed in the Tomcat Manager on RecoverPoint appliances
  • Modifications to the convert_hosts.sh script or other boot-time scripts
  • Unusual network connections from RecoverPoint appliances to external IP addresses
  • Evidence of temporary virtual network interfaces being created and deleted on ESXi hosts
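As an added illustration of the first three checks above (example code written for this article, not a tool from Dell, Mandiant or GTIG), the Python below turns them into functions over data a defender would collect from an appliance: Tomcat Manager deploy requests in the access log, WAR files in the webapps directory compared against a known-good list, the digest of convert_hosts.sh against a recorded baseline, and outbound connections to addresses outside internal ranges. The Tomcat Manager endpoint paths are the real ones; the allowlist, the baseline digest and the choice of internal ranges are assumptions to replace with your own values, and the ESXi ghost-NIC check is not modelled because it needs host-side data.

```python
import hashlib
import ipaddress
import re

# Tomcat Manager endpoints that deploy a new web application (WAR upload).
# A hit here from an unexpected client or time is the first indicator above.
MANAGER_DEPLOY_PATHS = ("/manager/html/upload", "/manager/text/deploy")
# Tomcat AccessLogValve "common" pattern: host ident user [date] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')
# Assumption: RFC 1918 space plus loopback counts as internal for this appliance.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def manager_deploys(access_log_lines):
    """(client_ip, user, endpoint, status) for each WAR deploy made via the Manager."""
    hits = []
    for line in access_log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, user, method, path, status = m.groups()
        endpoint = path.split("?", 1)[0]          # drop CSRF nonce / query string
        if method in ("POST", "PUT") and endpoint in MANAGER_DEPLOY_PATHS:
            hits.append((ip, user, endpoint, int(status)))
    return hits


def unexpected_wars(deployed_names, allowlist):
    """WAR files present in the webapps directory that are not on the known-good list."""
    return sorted(n for n in deployed_names
                  if n.endswith(".war") and n not in allowlist)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def script_modified(current_bytes, baseline_sha256):
    """True when a boot-time script such as convert_hosts.sh no longer matches
    the digest recorded from a clean install (the baseline is your own value)."""
    return sha256_hex(current_bytes) != baseline_sha256


def external_destinations(connections):
    """(dst_ip, port) pairs whose destination lies outside INTERNAL_NETS."""
    external = []
    for ip, port in connections:
        if not any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS):
            external.append((ip, port))
    return external
```

Feed `manager_deploys` the appliance's Tomcat access log, `unexpected_wars` the listing of its webapps directory, and `external_destinations` the output of your connection-tracking or netflow export; any non-empty result is a lead to investigate, not proof of compromise on its own.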

If you suspect compromise, having an incident response process in place makes a meaningful difference in how quickly you can contain the damage. We outlined the fundamentals in our piece on thinking about incident response before something happens.

The Bigger Picture: Patch Management Still Matters

This incident reinforces a point that comes up repeatedly in cybersecurity: keeping systems patched is one of the most effective defenses available, and it's one that many organizations still struggle with—particularly for infrastructure components that don't get the same attention as workstations and servers.

Hardcoded credentials should not exist in modern software. The fact that a backup and recovery product shipped with a default admin password that couldn't be changed represents a significant design failure. But the reality is that these kinds of flaws exist across many products, and the only practical defense is a consistent process for identifying and applying security updates.

As we discussed in our article on the need for regular software updates and patch management, the challenge for most businesses isn't understanding that patching matters—it's building the process to do it consistently, especially for the less visible components of the IT environment.

The researchers also noted that UNC6201 "continues to target appliances that typically lack traditional endpoint detection and response (EDR) agents to remain undetected for long periods." This is a deliberate strategy: attackers look for the gaps in an organization's security coverage. Backup appliances, network devices, and other infrastructure components that fall outside the scope of regular monitoring are exactly where sophisticated attackers establish their footholds.

This aligns with the zero-trust approach to security—the principle that no system, regardless of where it sits on the network, should be automatically trusted.

What Organizations Should Do Now

For organizations running Dell RecoverPoint for Virtual Machines:

  • Patch immediately. Upgrade to version 6.0.3.1 HF1 or apply Dell's remediation script if an immediate upgrade isn't possible.
  • Check for compromise. Review Mandiant's published IOCs and YARA rules against your environment, given that exploitation has been ongoing since mid-2024.
  • Review network segmentation. Ensure that RecoverPoint appliances are isolated within trusted, access-controlled network segments and are not exposed to untrusted networks.
  • Audit your infrastructure inventory. Use this as a prompt to identify other appliances and infrastructure components that may be outside your regular patch cycle.

For organizations that don't use Dell RecoverPoint but rely on other backup and disaster recovery tools:

  • Verify your backup infrastructure is current. Check that your backup and recovery systems are running the latest available firmware and software versions.
  • Include infrastructure appliances in your patch management process. Backup appliances, network equipment, and management tools need the same patch discipline as endpoints and servers.
  • Monitor vendor security advisories. Subscribe to security notifications from your infrastructure vendors so you're aware of critical patches when they're released.

The Dell RecoverPoint case is a clear example of why "secondary" infrastructure—the systems that sit behind the scenes supporting backup, recovery, and management—can become a primary target when it's left unpatched and unmonitored. Attackers are specifically looking for these blind spots. Closing them is one of the most practical steps any organization can take.


This article is intended for informational purposes only and does not constitute professional security, legal, or compliance advice. Organizations should consult with qualified cybersecurity professionals to assess their specific exposure, determine appropriate remediation steps, and evaluate whether compromise may have occurred.