Dell 0-Day Vulnerability Exploited by Chinese Hackers since mid-2024 to Deploy Malware

A critical zero-day exploitation campaign is targeting Dell RecoverPoint for Virtual Machines. The vulnerability, tracked as CVE-2026-22769, carries a maximum CVSSv3.1 score of 10.0 and has been under active exploitation since at least mid-2024.

Incident response engagements attribute this activity to UNC6201, a suspected PRC-nexus threat cluster that shares notable overlaps with the group publicly known as Silk Typhoon (UNC5221).

Mandiant and the Google Threat Intelligence Group (GTIG) observed that the attackers have utilized this flaw to move laterally across networks, maintain persistent access, and deploy a suite of sophisticated malware, including SLAYSTYLE, BRICKSTORM, and a novel backdoor identified as GRIMBOLT.

While the initial access vector remains unconfirmed, UNC6201 is known for targeting edge appliances like VPN concentrators to establish its foothold.

Hardcoded Default Admin Credentials

The vulnerability stems from a critical oversight in the configuration of the Apache Tomcat Manager within Dell RecoverPoint appliances. Security researchers discovered that the software contained hardcoded default credentials for the admin user, located in the /home/kos/tomcat9/tomcat-users.xml file.

This configuration flaw allows unauthenticated remote attackers to log into the Tomcat Manager, a component used for deploying software updates and management tasks. Once authenticated, threat actors can abuse the /manager/text/deploy endpoint to upload malicious WAR files.

In observed attacks, this mechanism was used to deploy the SLAYSTYLE web shell, granting the attackers root-level command execution capabilities on the compromised appliance.
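The flaw above comes down to who is listed in tomcat-users.xml with a manager role. The following audit script is an added example (not Dell's or Mandiant's code) that parses that file format and flags accounts able to reach the Tomcat Manager, with a default-credential check; the XML and the default username/password pairs are constructed for the demo, since the page does not disclose the actual hardcoded values.

```python
"""Audit a Tomcat tomcat-users.xml for accounts that can reach the Manager app.

Added example: flags users holding any manager-* role (manager-script is the
one that unlocks /manager/text/deploy) and reports obvious default pairs.
Run it against /home/kos/tomcat9/tomcat-users.xml on an appliance, or on the
constructed sample below.
"""
import xml.etree.ElementTree as ET

MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status"}
# Constructed placeholder pairs; the real Dell default credential is not on the page.
DEFAULT_PAIRS = {("admin", "admin"), ("tomcat", "tomcat"), ("admin", "password")}

# Constructed sample resembling a stock tomcat-users.xml (not Dell's real file).
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-script"/>
  <role rolename="manager-gui"/>
  <user username="admin" password="admin" roles="manager-gui,manager-script"/>
  <user username="monitor" password="s3cret!" roles="manager-status"/>
  <user username="app" password="x" roles="app-user"/>
</tomcat-users>
"""


def audit_tomcat_users(xml_text):
    """Return a list of (username, finding) tuples for risky Manager accounts."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if elem.tag.split("}")[-1] != "user":  # strip the XML namespace, if any
            continue
        name = elem.get("username", "")
        pwd = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        mgr = roles & MANAGER_ROLES
        if not mgr:
            continue  # no Manager access: not interesting for this check
        if (name, pwd) in DEFAULT_PAIRS:
            findings.append((name, "default credentials with manager access: " + ",".join(sorted(mgr))))
        elif "manager-script" in mgr:
            findings.append((name, "manager-script role allows WAR deploy via /manager/text/deploy"))
        else:
            findings.append((name, "manager role present: " + ",".join(sorted(mgr))))
    return findings


if __name__ == "__main__":
    for user, finding in audit_tomcat_users(SAMPLE_XML):
        print(f"[!] {user}: {finding}")
```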

A significant development in this campaign is the threat actor’s transition from the BRICKSTORM backdoor to a new malware family dubbed GRIMBOLT.

Observed in September 2025, this shift represents a maturation in tradecraft designed to evade detection and optimize performance on resource-constrained edge devices. Unlike traditional .NET malware that relies on Just-In-Time (JIT) compilation, GRIMBOLT is written in C# and compiled using Native Ahead-of-Time (AOT) compilation.

This method converts the code directly into machine-native code during the build process, removing the Common Intermediate Language (CIL) metadata that security tools typically scan. The malware is further packed with UPX to complicate static analysis, according to the Mandiant report.

To maintain persistence, UNC6201 modifies the legitimate convert_hosts.sh script, ensuring the backdoor executes automatically at system boot via rc.local.

Beyond malware deployment, UNC6201 has demonstrated advanced networking tactics to navigate compromised environments stealthily. Mandiant analysts observed the creation of “Ghost NICs,” temporary network ports configured on existing virtual machines within ESXi servers.

These hidden interfaces allow the attackers to pivot silently between internal networks and Software-as-a-Service (SaaS) infrastructure without alerting standard network monitoring tools.

Furthermore, the attackers employ a stealthy traffic management technique known as Single Packet Authorization (SPA), implemented with iptables. Forensic analysis of the systemd journals revealed that the attackers monitor incoming traffic on port 443 for a specific hexadecimal string.

When this magic packet is detected, the source IP address is added to an allowlist. Subsequent connections from that IP to port 10443 are then accepted, while traffic from non-approved IPs is silently redirected.

This technique effectively hides the command and control (C2) channel from casual observation and automated scanning.
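The SPA gate described above leaves a recognisable footprint in the host's firewall rules: a payload string match on port 443 that populates a `recent` list, paired with an ACCEPT on port 10443 conditioned on that list. The following detector is an added example (not from Mandiant's report or Dell's tooling) that scans iptables-save output for that pairing; the rule text and the hex value are constructed for the demo, not indicators from the campaign.

```python
"""Flag iptables rule pairs that look like Single Packet Authorization gating.

Added example: feed it the output of `iptables-save` from a suspect host.
It pairs "setter" rules (string match + recent --set) with "gate" rules
(recent --rcheck/--update + ACCEPT) by recent-list name.
"""
import re

# Constructed sample of iptables-save output; the hex string is a placeholder.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -m string --hex-string "|00112233|" --algo bm -m recent --set --name spa --rsource
-A INPUT -p tcp --dport 10443 -m recent --rcheck --seconds 60 --name spa --rsource -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
"""

PORT_RE = re.compile(r"--dport\s+(\d+)")
NAME_RE = re.compile(r"--name\s+(\S+)")


def find_spa_rules(text):
    """Return one finding dict per recent-list that is set by a string match."""
    setters, gates = {}, {}
    for line in text.splitlines():
        if not line.startswith("-A ") or "-m recent" not in line:
            continue
        name = NAME_RE.search(line)
        if not name:
            continue
        port = PORT_RE.search(line)
        port = port.group(1) if port else None
        if "-m string" in line and "--set" in line:
            setters[name.group(1)] = (port, line)       # knock rule
        elif ("--rcheck" in line or "--update" in line) and "-j ACCEPT" in line:
            gates[name.group(1)] = (port, line)         # allowlisted-source rule
    findings = []
    for listname, (knock_port, setter) in setters.items():
        gate = gates.get(listname)
        findings.append({"list": listname, "knock_port": knock_port,
                         "gated_port": gate[0] if gate else None,
                         "setter": setter, "gate": gate[1] if gate else None})
    return findings


if __name__ == "__main__":
    for f in find_spa_rules(SAMPLE_RULES):
        print(f"[!] SPA-style gate: knock on {f['knock_port']} opens {f['gated_port']} (list {f['list']})")
```

A string-match rule on an inbound listener is rare on a storage appliance, so even an unpaired setter finding is worth a look.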

Vulnerability Details

CVE ID: CVE-2026-22769
CVSS Score: 10.0 (Critical)
Description: A hardcoded credential vulnerability in Dell RecoverPoint for Virtual Machines allows unauthenticated remote attackers to access the underlying OS and establish root-level persistence.

Affected Versions

Dell has released urgent mitigation guidance for affected customers. The following versions require immediate attention:

Product: RecoverPoint for Virtual Machines
Affected Versions: 5.3 SP4 P1
Remediation Action: Migrate to 6.0 SP3, then upgrade to 6.0.3.1 HF1, OR apply remediation script DSA-2026-079.

Product: RecoverPoint for Virtual Machines
Affected Versions: 6.0 through 6.0 SP3 P1
Remediation Action: Upgrade to 6.0.3.1 HF1 OR apply remediation script DSA-2026-079.

Product: RecoverPoint for Virtual Machines
Affected Versions: 5.3 SP4 and earlier
Remediation Action: Upgrade to 5.3 SP4 P1 or a 6.x version, then apply the remediation script.

Indicators of Compromise (IOCs)

The following file and network indicators have been associated with this campaign.


The post Dell 0-Day Vulnerability Exploited by Chinese Hackers since mid-2024 to Deploy Malware appeared first on Cyber Security News.

Source: cybersecuritynews.com