Vulnerability
Campaign
Dell RecoverPoint credential flaw abused for persistent access
Updated 19.02.2026 17:30
Case score 65
Why this score?
Case score is a discovery signal based on public evidence, not a guaranteed risk rating. Use it to decide what to review first, then verify important details from the linked sources.
- Total
- 65
- Main story score
- 62
- Related evidence lift
- +3 / 20
- Contributing updates
- 1
- Context updates
- 0
Top contributors
- Vulnerability Critical hardcoded-credential flaw in Dell RecoverPoint for Virtual Machines; active zero-day exploitation began in mid-2024 and enabled OS access and root-level persistence. main
- Campaign Direct follow-on campaign record for the same Dell RecoverPoint exploitation path; adds post-compromise tooling, persistence, and ESXi pivoting detail. contributes
Case score 65
Members 2
Latest activity 19.02.2026 17:30
Active exploitation
KEV: CISA KEV
Patch available
CVSS: 10.0 Critical
Members 2
First seen 17.02.2026 22:15
Last seen 17.02.2026 22:15
Updated 19.02.2026 17:30
Overview
UNC6201 has been exploiting **CVE-2026-22769** in **Dell RecoverPoint for Virtual Machines** since mid-2024. The hardcoded-credential flaw let an attacker authenticate without authorization, reach the underlying operating system, and establish root-level persistence. After initial access, the operators used **Grimbolt** and earlier **Brickstorm** and pivoted with Ghost NICs on VMware ESXi servers to move deeper into virtualized environments.
Dell issued remediation guidance and CISA added **CVE-2026-22769** to the Known Exploited Vulnerabilities catalog with a February 21 deadline for Federal Civilian Executive Branch agencies. Available evidence does not quantify victim count or full compromise scope, but it does show active exploitation against backup and recovery infrastructure.
UNC6201 has been exploiting **CVE-2026-22769** in **Dell RecoverPoint for Virtual Machines** since mid-2024. The flaw is a hardcoded-credential issue in versions prior to **6.0.3.1 HF1** that can let an unauthenticated remote attacker reach the underlying operating system and establish root-level persistence. After initial access, the operators deployed **Grimbolt** and earlier **Brickstorm** to keep access. They also used Ghost NICs on **VMware ESXi** servers to pivot deeper into virtualized environments.
Dell published remediation guidance, and CISA added **CVE-2026-22769** to the Known Exploited Vulnerabilities catalog with a February 21 deadline for Federal Civilian Executive Branch agencies. The affected surface is backup and recovery infrastructure for VMware virtual machines, so compromise can preserve attacker access around core recovery workflows. Available evidence points to a sustained intrusion operation rather than a short-lived exploit burst. The full victim count, exact reach, and every downstream impact remain unquantified in available material.
Signals
9 derivedExploitation
Exploitation
Active exploitation
CVSS
10.0 Critical
CVEs/products
CVE
Victims/regions
Sector
government
Victim region
United States
Remediation
KEV
CISA KEV
Remediation
Patch available
Status
Campaign status
Active
Threat context
Malware
Malware context
6 familiesMember happenings
2 related
Vulnerability
Dell RecoverPoint for Virtual Machines hardcoded-credential vulnerability (CVE-2026-22769)
Exploitation
Active Exploitation
Exploit
No Known Public Exploit
CVSS
10.0 Critical
Patch
Patch Available
Vulnerability
Dell RecoverPoint for Virtual Machines hardcoded-credential vulnerability (CVE-2026-22769)
Exploitation
Active Exploitation
Exploit
No Known Public Exploit
CVSS
10.0 Critical
Patch
Patch Available
Campaign
UNC6201 Dell RecoverPoint for Virtual Machines zero-day campaign
Objective
Espionage
Campaign
Active
Patch
Patch Available
Campaign
UNC6201 Dell RecoverPoint for Virtual Machines zero-day campaign
Objective
Espionage
Campaign
Active
Patch
Patch Available