China Hackers Exploit Dell Vulnerability

Chinese hackers have pounced on a critical vulnerability in Dell RecoverPoint, exploiting hardcoded credentials to gain root-level access to virtual machines. Security researchers at Mandiant identified UNC6201, a China-nexus threat actor, as the culprit behind these attacks that date back to mid-2024.

Guess what they found? A vulnerability so severe it earned a perfect CVSS score of 10.0. That’s as bad as it gets, folks.

The flaw, tracked as CVE-2026-22769, affects Dell RecoverPoint for Virtual Machines versions prior to 6.0.3.1 HF1. It’s a disaster waiting to happen. The attackers didn’t waste time. They used the admin credentials stored in tomcat-users.xml to deploy their Slaystyle web shell through Apache Tomcat Manager.

But they didn’t stop there. These hackers know what they’re doing. They’ve been switching up their toolkit, replacing their Brickstorm backdoor with a fancy new one called Grimbolt in September 2025. Grimbolt is particularly sophisticated as it’s written in C# and uses native AOT compilation techniques that make it harder for security teams to analyze. Classic upgrade move.

They achieved persistence by modifying the convert_hosts.sh script that runs at boot via rc.local. Smart, right?

The exploitation has been limited so far—fewer than a dozen organizations. But the impact? Massive. With root-level access, attackers can execute arbitrary code and pivot through networks like they own the place. They even created temporary “ghost NICs” on ESXi-hosted VMs for network pivoting. That’s some next-level stuff.

CISA already added this vulnerability to its Known Exploited Vulnerabilities Catalog. Dell rushed out a patch—upgrade to version 6.0.3.1 HF1 if you know what’s good for you.
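As an added defensive example (not code from the article, Dell, Mandiant or CISA), here is a short Python audit that flags an installed RecoverPoint for VMs build as predating the 6.0.3.1 HF1 fix and lists every account in a tomcat-users.xml whose roles allow WAR deployment through Tomcat Manager, the path the article says the web shell took. The rule that a hotfix sorts after the same base version without it is our assumption, and the sample tomcat-users.xml is constructed.

```python
"""Hypothetical defensive checks for the Dell RecoverPoint for VMs issue
described above. Not vendor code; version ordering is an assumption."""
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = "6.0.3.1 HF1"  # fixed release named in the article
# Tomcat roles that permit deploying a WAR through the Manager application
MANAGER_ROLES = {"manager-gui", "manager-script"}


def parse_version(v: str) -> tuple:
    """'6.0.3.1 HF1' -> (6, 0, 3, 1, 1); a build with no hotfix gets HF 0.
    Assumption (ours): a hotfix sorts after the same base version without it."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:\s*HF(\d+))?", v.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (4 - len(parts))  # normalise to four numeric fields
    return tuple(parts) + (int(m.group(2) or 0),)


def is_vulnerable(installed: str) -> bool:
    """True when the installed build predates the fixed release."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


def manager_accounts(tomcat_users_xml: str) -> list:
    """Return (username, sorted roles) for each account that holds a role
    allowing WAR deployment via Tomcat Manager."""
    root = ET.fromstring(tomcat_users_xml)
    found = []
    for elem in root.iter():
        if elem.tag.split("}")[-1] != "user":  # tolerate the default xmlns
            continue
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        if roles & MANAGER_ROLES:
            found.append((elem.get("username") or elem.get("name"), sorted(roles)))
    return found


# Constructed sample file, not the appliance's real tomcat-users.xml.
SAMPLE_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="admin" password="PLACEHOLDER" roles="manager-gui,manager-script"/>
  <user username="monitor" password="PLACEHOLDER" roles="manager-status"/>
</tomcat-users>
"""

if __name__ == "__main__":
    for v in ("6.0.3", "6.0.3.1", "6.0.3.1 HF1", "6.0.4"):
        print(f"{v:14} vulnerable={is_vulnerable(v)}")
    for user, roles in manager_accounts(SAMPLE_TOMCAT_USERS):
        print(f"deploy-capable account: {user} roles={roles}")
```

Any account the second check reports should exist only if someone can name who uses it and why; the version check is a quick triage aid, not a substitute for the vendor advisory.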

The worst part? This isn’t just random hacking. UNC6201 specializes in targeting edge appliances like VPN concentrators. Investigators noted multiple web requests to the appliance prior to the actual compromise, showing the methodical reconnaissance approach these actors employ. They’re after persistent access for espionage, not quick hits.

And with backup infrastructure compromised, recovering from these attacks becomes a nightmare. Government and business entities, you’re in their crosshairs. Better check those systems. Now.
