China Hackers Exploit Dell Vulnerability

Chinese hackers have pounced on a critical vulnerability in Dell RecoverPoint, exploiting hardcoded credentials to gain root-level access to virtual machines. Security researchers at Mandiant identified UNC6201, a China-nexus threat actor, as the culprit behind these attacks that date back to mid-2024.

Guess what they found? A vulnerability so severe it earned a perfect CVSS score of 10.0. That’s as bad as it gets, folks.

The flaw, tracked as CVE-2026-22769, affects Dell RecoverPoint for Virtual Machines versions prior to 6.0.3.1 HF1. It’s a disaster waiting to happen. The attackers didn’t waste time. They used the hardcoded admin credentials stored in tomcat-users.xml to log in to Apache Tomcat Manager and deploy their Slaystyle web shell.

But they didn’t stop there. These hackers know what they’re doing. They’ve been switching up their toolkit, replacing their Brickstorm backdoor with a fancy new one called Grimbolt in September 2025. Grimbolt is particularly sophisticated as it’s written in C# and uses native AOT compilation techniques that make it harder for security teams to analyze. Classic upgrade move.

They achieved persistence by modifying the convert_hosts.sh script, which rc.local runs at every boot. Smart, right?
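For defenders, the two artefacts named above (Tomcat Manager users in tomcat-users.xml, and the boot-time script chain rc.local → convert_hosts.sh) are worth auditing on any RecoverPoint appliance. The following is an added example, not Dell, Mandiant or attacker code; the file paths and the sample file contents are constructed placeholders, since the article does not give the appliance’s real layout.

```python
"""Audit helpers: flag Tomcat Manager-capable users and detect drift in boot scripts.
Added example for defenders; paths and sample contents are constructed placeholders."""
import hashlib
import re
import xml.etree.ElementTree as ET

# Tomcat's built-in role names that unlock the Manager / Host Manager web apps.
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status",
                 "admin-gui", "admin-script"}


def manager_capable_users(tomcat_users_xml: str) -> list[dict]:
    """Return every <user> whose roles allow Tomcat Manager access (i.e. WAR deployment)."""
    root = ET.fromstring(tomcat_users_xml)
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    findings = []
    for user in root.iter(f"{ns}user"):
        roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
        granted = roles & MANAGER_ROLES
        if granted:
            findings.append({"username": user.get("username"), "manager_roles": sorted(granted)})
    return findings


def scripts_started_by(rc_local: bytes) -> list[str]:
    """List absolute *.sh paths that rc.local runs (comments skipped); baseline these files."""
    paths = []
    for line in rc_local.decode("utf-8", errors="replace").splitlines():
        if line.lstrip().startswith("#"):
            continue
        paths.extend(re.findall(r"(/\S+\.sh)\b", line))
    return paths


def record_baseline(files: dict[str, bytes]) -> dict[str, str]:
    """SHA-256 per boot-time file, captured right after a clean install or the HF1 upgrade."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def drifted_files(files: dict[str, bytes], baseline: dict[str, str]) -> list[str]:
    """Paths whose current hash differs from the baseline, or that the baseline never saw."""
    return sorted(p for p, data in files.items()
                  if hashlib.sha256(data).hexdigest() != baseline.get(p))


# Constructed sample inputs (placeholder paths, not the appliance's real files).
SAMPLE_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <user username="admin" password="PLACEHOLDER" roles="manager-gui,manager-script"/>
  <user username="monitor" password="PLACEHOLDER" roles="probe"/>
</tomcat-users>"""
RC_LOCAL = b"#!/bin/sh\n# boot-time hook (constructed)\n/opt/recoverpoint/convert_hosts.sh\nexit 0\n"
CLEAN = {"/etc/rc.local": RC_LOCAL,
         "/opt/recoverpoint/convert_hosts.sh": b"#!/bin/bash\n# rebuild /etc/hosts (constructed)\nexit 0\n"}
TAMPERED = dict(CLEAN, **{"/opt/recoverpoint/convert_hosts.sh":
                          CLEAN["/opt/recoverpoint/convert_hosts.sh"] + b"# unexpected appended line\n"})
```

Run `manager_capable_users` over the appliance’s tomcat-users.xml and `drifted_files` over the scripts that `scripts_started_by` returns; any manager-role account you did not create, or any hash that moved without a vendor update, deserves an incident ticket.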

The exploitation has been limited so far—fewer than a dozen organizations. But the impact? Massive. With root-level access, attackers can execute arbitrary code and pivot through networks like they own the place. They even created temporary “ghost NICs” on ESXi-hosted VMs for network pivoting. That’s some next-level stuff.

CISA has already added this vulnerability to its Known Exploited Vulnerabilities Catalog. Dell rushed out a patch—upgrade to version 6.0.3.1 HF1 if you know what’s good for you.

The worst part? This isn’t just random hacking. UNC6201 specializes in targeting edge appliances like VPN concentrators. Investigators noted multiple web requests to the appliance prior to the actual compromise, showing the methodical reconnaissance approach these actors employ. They’re after persistent access for espionage, not quick hits.

And with backup infrastructure compromised, recovering from these attacks becomes a nightmare. Government and business entities, you’re in their crosshairs. Better check those systems. Now.
