A hardcoded credential vulnerability in Dell's recovery tool for VMs has been exploited in the wild by a suspected Chinese APT since mid-2024.
The critical vulnerability, allocated CVE-2026-22769, has a CVSS score of 10 and impacts users of Dell’s RecoverPoint for Virtual Machines, a tool for backing up VMware virtual machines and disaster recovery.
The critical Dell vulnerability allows threat actors to gain access to the underlying virtual machine and maintain root-level persistence.
Dell vulnerability due to hard-coded creds
CVE-2026-22769 affects versions prior to 6.0.3.1 HF1, Dell said in a February 17 advisory, warning customers that an “unauthenticated remote attacker with knowledge of the hardcoded credential could [gain] unauthorized access to the underlying operating system and root-level persistence.”
Google Threat Intelligence Group (GTIG) and Mandiant published a report on the bug on Tuesday, saying a threat group they track as UNC6201 had used the Dell vulnerability to move laterally, maintain persistent access, and deploy malware including a novel backdoor tracked as GRIMBOLT.
How it works
The vulnerability stems from a security/configuration flaw in Dell’s deployment of Apache Tomcat, which is used to manage the appliance. (Dell left hard-coded default credentials in the Tomcat configuration file.)
These credentials were used by threat actors to gain access to the VM operating systems and maintain root persistence within a VMware virtual machine, according to Dell and Mandiant.
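The root cause described above is a Tomcat user configuration shipping with a fixed, privileged account. The following script is an added example for defenders, not code from Dell, Mandiant or this article: it audits a `tomcat-users.xml` for the three properties that make such an account dangerous (a plaintext password, a well-known or default password, and manager/admin roles). The two sample configurations, the weak-password list and the digest value are constructed for illustration; the real Dell credential is not reproduced here.

```python
"""Audit a Tomcat tomcat-users.xml for hard-coded / default-style accounts.

Added example (not from Dell, Mandiant or The Stack). Sample configs, the
weak-password list and the digest value below are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

# Illustrative list of passwords seen in sample/default Tomcat configs and
# generic defaults; a real audit would use a larger wordlist (constructed).
WEAK_PASSWORDS = {"tomcat", "s3cret", "admin", "password", "changeit", "manager"}

# Roles that let a caller deploy applications or administer the container.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "admin-gui", "admin-script"}

# Tomcat's salted, iterated digest form: $<iterations>$<salt>$<hash>
# (assumption: anything not in this form is treated as plaintext).
DIGEST_RE = re.compile(r"^\$\d+\$[0-9a-fA-F]+\$[0-9a-fA-F]+$")


def _local(tag):
    """Strip the XML namespace prefix: '{uri}user' -> 'user'."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return a list of (username, finding) tuples for every <user> element."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        name = el.get("username", "") or el.get("name", "")
        pw = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        if not DIGEST_RE.match(pw):
            findings.append((name, "plaintext-password"))
        if pw.lower() in WEAK_PASSWORDS:
            findings.append((name, "weak-or-default-password"))
        priv = sorted(roles & PRIVILEGED_ROLES)
        if priv:
            findings.append((name, "privileged-roles:" + ",".join(priv)))
    return findings


# Constructed: the kind of baked-in account an appliance should never ship with.
WEAK_CONFIG = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="appliance-admin" password="s3cret" roles="manager-gui,manager-script"/>
</tomcat-users>
"""

# Constructed: per-deployment account, digested password, read-only status role.
HARDENED_CONFIG = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-status"/>
  <user username="ops-monitor"
        password="$100000$0123456789abcdef$0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
        roles="manager-status"/>
</tomcat-users>
"""


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}] findings: {audit_tomcat_users(cfg)}")
```

Run it against the appliance's own `conf/tomcat-users.xml` (with `open(path).read()` in place of the constructed strings) as part of an image build or a periodic host check; any account that is identical across every deployed instance is, by definition, a hard-coded credential, whichever roles it holds.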
The earliest exploitation was tracked back to mid-2024, with the Chinese-state-linked threat actor, tracked as UNC6201, using it to move laterally through compromised systems and deploy malware such as Brickstorm and a new backdoor Mandiant dubbed Grimbolt.
Grimbolt is a new backdoor written in C# rather than Brickstorm's Go, and is designed to be harder to discover than Brickstorm. The novel backdoor is built as Native AOT-compiled binaries, which makes it more difficult to detect by static analysis because compilation removes "the common intermediate language (CIL) metadata typically associated with C# samples."
In this particular campaign the security researchers could not identify the initial access vector, but suggested that the threat group in question is known to "target edge appliances… for initial access".
The threat report suggests that APTs are advancing their tactics for targeting virtualised architecture, saying UNC6201 is spinning up temporary virtual network ports to move laterally from compromised VMs to internal or SaaS systems.
Mandiant has shared IOCs, YARA rules and further guidance for defenders in its report.
Dell's advisory recommends that "RecoverPoint for Virtual Machines be deployed within a trusted, access-controlled internal network protected by appropriate firewalls and network segmentation. RecoverPoint for Virtual Machines is not intended for use on untrusted or public networks."