Dell RecoverPoint for VMs Zero-Day CVE-2026-22769 Exploited Since Mid-2024
A critical zero-day vulnerability (CVE-2026-22769) in Dell RecoverPoint for Virtual Machines has been actively exploited since mid-2024 by the China-linked threat group UNC6201. The flaw involves hard-coded credentials that allow unauthenticated remote attackers to gain root-level access via the Apache Tomcat Manager, enabling deployment of the stealthy backdoor BRICKSTORM and its successor GRIMBOLT. These backdoors give persistent, covert control over affected appliances, which typically lack endpoint detection. The attackers use techniques such as temporary virtual network interfaces (Ghost NICs) to pivot and erase traces. The vulnerability affects multiple RecoverPoint for VMs versions prior to 6.0.3.1 HF1, with Dell recommending upgrades and network segmentation. The threat is notable for targeting virtualization infrastructure with high stealth and persistence, posing significant risk to organizations relying on these systems. European entities using Dell RecoverPoint for VMs are at risk, especially in critical infrastructure and enterprises with virtualized storage replication environments.
AI Analysis
Technical Summary
CVE-2026-22769 is a zero-day vulnerability in Dell RecoverPoint for Virtual Machines, disclosed in February 2026 but exploited since mid-2024 by the UNC6201 threat cluster, linked to China. The vulnerability stems from hard-coded credentials for an 'admin' user in the Apache Tomcat Manager component embedded in the appliance. Because the credentials are fixed, a remote attacker holding no legitimate account can authenticate to the Tomcat Manager interface and upload a malicious web shell named SLAYSTYLE via the "/manager/text/deploy" endpoint. Once deployed, the attacker can execute arbitrary commands as root on the underlying operating system, leading to full system compromise and root-level persistence. The attackers then deploy the BRICKSTORM backdoor, a C# malware compiled natively ahead of time so as to hinder reverse engineering and detection. In September 2025, attackers began replacing BRICKSTORM with a stealthier variant called GRIMBOLT, which blends better with native system files and uses the same command-and-control infrastructure. UNC6201 applies careful operational security, including temporary virtual network interfaces (Ghost NICs) to pivot from compromised VMs into internal or SaaS environments, deleting these interfaces afterwards to cover its tracks. The threat actors also manipulate iptables rules to selectively redirect and filter network traffic, further complicating detection. The vulnerability affects multiple versions of RecoverPoint for VMs prior to 6.0.3.1 HF1, with Dell advising upgrades and deployment only within trusted, segmented networks. The threat cluster shares some tactics with UNC5221 but is distinct from it. The lack of traditional endpoint detection on these appliances allows prolonged undetected intrusions. This campaign highlights ongoing nation-state targeting of virtualization infrastructure to gain persistent footholds and conduct espionage or sabotage.
Potential Impact
For European organizations, exploitation of this vulnerability poses severe risks, including unauthorized root-level access to critical data replication and disaster recovery infrastructure. Compromise of Dell RecoverPoint for VMs appliances can lead to exfiltration, manipulation, or destruction of replicated data, undermining business continuity and disaster recovery capabilities. The stealthy nature of the backdoors and the lack of endpoint detection on these appliances increase the risk of long-term undetected intrusions, enabling espionage or sabotage. Critical sectors such as finance, telecommunications, energy, and government that rely on virtualized storage replication are particularly exposed. The evasion techniques and network pivoting described above could facilitate lateral movement into internal networks or cloud environments, amplifying the impact. The threat also raises concerns about supply chain and virtualization infrastructure security, potentially affecting multinational organizations with distributed data centers. The persistence and sophistication of UNC6201 indicate a high likelihood of targeted attacks against high-value European assets, potentially disrupting operations and exposing sensitive information.
Mitigation Recommendations
1. Immediately upgrade Dell RecoverPoint for Virtual Machines to version 6.0.3.1 HF1 or later, or apply interim patches as recommended by Dell.
2. Deploy RecoverPoint appliances strictly within trusted, access-controlled internal networks with robust firewall rules and network segmentation to isolate management interfaces from untrusted networks.
3. Disable or restrict access to the Apache Tomcat Manager interface wherever possible, and monitor for any unauthorized use or deployment attempts.
4. Implement network monitoring specifically for unusual iptables modifications and traffic redirection patterns indicative of this threat.
5. Conduct thorough forensic analysis and integrity checks on RecoverPoint appliances to detect presence of BRICKSTORM or GRIMBOLT backdoors, including scanning for web shells and anomalous processes.
6. Enhance logging and alerting on virtualization infrastructure components to detect suspicious activities early.
7. Employ network segmentation to limit lateral movement from compromised virtual machines to critical internal or SaaS environments.
8. Regularly review and rotate credentials, avoiding hard-coded or default credentials in any management interfaces.
9. Coordinate with Dell support and threat intelligence providers for updated indicators of compromise and remediation guidance.
10. Consider deploying host-based or network-based anomaly detection solutions tailored for virtualization appliances despite the typical lack of EDR support.
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Switzerland
Article Source
https://thehackernews.com/2026/02/dell-recoverpoint-for-vms-zero-day-cve.html (fetched 2026-02-18)
Threat ID: 6995da846aea4a407abee719
Added to database: 2/18/2026, 3:28:04 PM
Last updated: 2/21/2026, 12:20:27 AM