China-nexus hackers have pounced on a critical vulnerability in Dell RecoverPoint for Virtual Machines, exploiting hardcoded credentials to gain root-level access to the appliance. Security researchers at Mandiant identified UNC6201, a China-nexus threat actor, as the group behind the attacks, and say the activity dates back to mid-2024.
And the vulnerability itself? It carries a CVSS score of 10.0, the maximum the scale allows. That's as bad as it gets, folks.
The flaw, tracked as CVE-2026-22769, affects Dell RecoverPoint for Virtual Machines versions prior to 6.0.3.1 HF1. This is not a theoretical problem: it is being exploited in the wild. The attackers used the admin credentials hardcoded in the appliance's tomcat-users.xml to authenticate to the Apache Tomcat Manager application and deploy their Slaystyle web shell through it, which handed them command execution on the appliance.
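The two things a defender wants to check on any Tomcat-based appliance after reading this are whether tomcat-users.xml contains accounts that can deploy through the Manager application, and whether the access log shows anyone actually doing so. The following Python script is an added example written for this article; it is not Dell's, Mandiant's or the attackers' code, and the tomcat-users.xml content, usernames, passwords, paths and log lines in it are constructed samples. It only assumes Tomcat's standard tomcat-users.xml schema and its default access-log pattern.

```python
import re
import xml.etree.ElementTree as ET

# Tomcat roles that allow deploying a WAR (and therefore a web shell) through
# the Manager application: manager-script covers the /manager/text/* interface,
# manager-gui the HTML form.
DEPLOY_ROLES = {"manager-gui", "manager-script"}

# Constructed sample tomcat-users.xml; usernames and password are made up.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="admin" password="changeme" roles="manager-gui,manager-script"/>
  <user username="monitor" password="x" roles="manager-status"/>
</tomcat-users>
"""


def _local(tag):
    """Strip the XML namespace so <user> matches whether or not xmlns is set."""
    return tag.rsplit("}", 1)[-1]


def privileged_tomcat_users(xml_text):
    """Return [(username, sorted roles)] for accounts that can deploy via Manager."""
    root = ET.fromstring(xml_text)
    found = []
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        if roles & DEPLOY_ROLES:
            found.append((el.get("username"), sorted(roles)))
    return found


# Matches Tomcat's default access log ("common"/"combined" pattern).
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample access-log lines, not taken from any real incident.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [12/Jan/2026:10:15:20 +0000] "GET /manager/html HTTP/1.1" 401 -',
    '10.0.0.5 - admin [12/Jan/2026:10:15:22 +0000] "PUT /manager/text/deploy?path=/x&update=true HTTP/1.1" 200 45',
    '10.0.0.5 - - [12/Jan/2026:10:15:30 +0000] "GET /x/cmd.jsp?c=id HTTP/1.1" 200 128',
    '10.0.0.9 - - [12/Jan/2026:11:00:00 +0000] "GET /index.html HTTP/1.1" 200 4096',
]


def manager_deploy_requests(lines):
    """Return parsed requests that deployed or uploaded an app via the Manager app.

    A deploy goes through the text interface (PUT /manager/text/deploy) or the
    HTML upload form (POST /manager/html/upload); plain GETs of the Manager UI
    are not deployments, so they are left out.
    """
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        if m.group("path").startswith("/manager/") and m.group("method") in ("PUT", "POST"):
            hits.append({k: m.group(k) for k in ("src", "user", "method", "path", "status")})
    return hits


if __name__ == "__main__":
    for user, roles in privileged_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"deploy-capable account: {user} roles={roles}")
    for hit in manager_deploy_requests(SAMPLE_ACCESS_LOG):
        print(f"Manager deploy: {hit}")
```

On a real appliance, point `privileged_tomcat_users` at the installed tomcat-users.xml and `manager_deploy_requests` at the localhost_access_log files; a successful (status 200) PUT or POST to /manager/ from an address that is not your deployment pipeline deserves a closer look, and whatever context path it deployed to is where the web shell would live.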
But they didn't stop there. These hackers know what they're doing. In September 2025 they swapped out their Brickstorm backdoor for a new one called Grimbolt. Grimbolt is written in C# and built with .NET native AOT compilation, which emits native machine code instead of the usual .NET intermediate language, so the familiar .NET decompilers are of little help and analysts have to reverse it like any other native binary. Classic upgrade move.
They achieved persistence by modifying convert_hosts.sh, a script the appliance runs at boot via rc.local, so their implant comes back every time the system restarts. Smart, right?
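Hunting for this kind of persistence comes down to two questions: what does rc.local actually launch at boot, and has any script it launches gained lines it did not have in a known-good copy? The following Python script is an added example written for this article, not code from Dell, Mandiant or the attackers. The script path, the rc.local content, the "baseline" and "current" copies of the script and the list of suspicious commands are all constructed assumptions; the article does not give the real location of convert_hosts.sh or what was added to it.

```python
import difflib
import re
import shlex

# Hypothetical path; the real location on a RecoverPoint appliance is not
# stated in the write-up.
SCRIPT_PATH = "/opt/example/convert_hosts.sh"

# Constructed rc.local, not copied from a real appliance.
SAMPLE_RC_LOCAL = """#!/bin/sh -e
# rc.local
/opt/example/convert_hosts.sh
exit 0
"""

# Constructed "known-good" copy (e.g. from a pristine install or package) and
# the copy found on the suspect system.
BASELINE_SCRIPT = """#!/bin/bash
# rebuild /etc/hosts from cluster config
/opt/example/bin/gen_hosts > /etc/hosts
"""

CURRENT_SCRIPT = """#!/bin/bash
# rebuild /etc/hosts from cluster config
/opt/example/bin/gen_hosts > /etc/hosts
nohup /tmp/.cache/agent -c /tmp/.cache/conf >/dev/null 2>&1 &
"""

# Heuristic indicators (an assumption, not from the report): commands and
# directories that have no business in a hosts-file helper.
SUSPICIOUS = re.compile(r"(^|\s)(nohup|curl|wget|base64|nc|ncat|setsid)(\s|$)|/tmp/|/dev/shm/")


def rc_local_invokes(rc_local_text, script_path):
    """True if any non-comment line of rc.local runs script_path."""
    for line in rc_local_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)
        except ValueError:  # unbalanced quotes; fall back to whitespace split
            tokens = line.split()
        if script_path in tokens:
            return True
    return False


def added_lines(baseline_text, current_text):
    """Lines present in the current copy but not in the baseline."""
    diff = difflib.unified_diff(
        baseline_text.splitlines(), current_text.splitlines(), lineterm="", n=0
    )
    return [d[1:] for d in diff if d.startswith("+") and not d.startswith("+++")]


def audit_boot_script(rc_local_text, script_path, baseline_text, current_text):
    """Report whether the script runs at boot, what was added, and which additions look hostile."""
    added = added_lines(baseline_text, current_text)
    return {
        "run_at_boot": rc_local_invokes(rc_local_text, script_path),
        "added_lines": added,
        "suspicious": [line for line in added if SUSPICIOUS.search(line)],
    }


if __name__ == "__main__":
    report = audit_boot_script(SAMPLE_RC_LOCAL, SCRIPT_PATH, BASELINE_SCRIPT, CURRENT_SCRIPT)
    print(f"{SCRIPT_PATH} run from rc.local: {report['run_at_boot']}")
    for line in report["added_lines"]:
        flag = "SUSPICIOUS" if line in report["suspicious"] else "added"
        print(f"  [{flag}] {line}")
```

The baseline comparison is the part that matters: a script that legitimately changes across appliance versions will produce additions too, so match the baseline to the installed version before reading anything into the diff, and treat the keyword list as a starting point rather than a verdict.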
The exploitation has been limited so far, to fewer than a dozen organizations. But the impact? Massive. With root on the appliance, the attackers can execute arbitrary code and pivot through the network like they own the place. They even created temporary "ghost NICs" on ESXi-hosted VMs for network pivoting: virtual network interfaces attached only for as long as the operation needed them, leaving little behind once removed. That's some next-level stuff.
CISA has already added the vulnerability to its Known Exploited Vulnerabilities Catalog. Dell rushed out a fix: upgrade to version 6.0.3.1 HF1 or later if you know what's good for you. And don't stop at the patch. Upgrading closes the door, but it does not remove a web shell that is already deployed or undo a modified boot script, so treat every appliance that sat unpatched as potentially compromised and check it before you trust it again.
The worst part? This isn't random hacking. UNC6201 specializes in targeting edge appliances such as VPN concentrators. Investigators noted multiple web requests to the appliance before the actual compromise, a sign of the methodical reconnaissance these actors employ. They're after persistent access for espionage, not quick hits.
And with backup infrastructure compromised, recovering from these attacks becomes a nightmare: the very system you would restore from is in the attacker's hands. Government and business entities, you're in their crosshairs. Better check those systems. Now.