Vulnerability Campaign

Dell RecoverPoint credential flaw abused for persistent access

Updated 19.02.2026 17:30

Case score 65

Case score 65 Members 2 Latest activity 19.02.2026 17:30 Active exploitation KEV: CISA KEV Patch available CVSS: 10.0 Critical

Active exploitation KEV: CISA KEV Patch available CVSS: 10.0 Critical

Members 2 First seen 17.02.2026 22:15 Last seen 17.02.2026 22:15 Updated 19.02.2026 17:30

Overview

UNC6201 has been exploiting **CVE-2026-22769** in **Dell RecoverPoint for Virtual Machines** since mid-2024. The hardcoded-credential flaw let an attacker authenticate without authorization, reach the underlying operating system, and establish root-level persistence. After initial access, the operators used **Grimbolt** and earlier **Brickstorm** and pivoted with Ghost NICs on VMware ESXi servers to move deeper into virtualized environments. Dell issued remediation guidance and CISA added **CVE-2026-22769** to the Known Exploited Vulnerabilities catalog with a February 21 deadline for Federal Civilian Executive Branch agencies. Available evidence does not quantify victim count or full compromise scope, but it does show active exploitation against backup and recovery infrastructure.

Key facts

**UNC6201** has been exploiting **CVE-2026-22769** in **Dell RecoverPoint for Virtual Machines** since mid-2024 to gain unauthorized OS access and root-level persistence.
The affected product is **Dell RecoverPoint for Virtual Machines** versions prior to **6.0.3.1 HF1**.
After access, the operators deployed **Grimbolt** and earlier **Brickstorm** and used Ghost NICs on **VMware ESXi** servers to pivot deeper.
**Dell** published remediation guidance and **CISA** added **CVE-2026-22769** to the Known Exploited Vulnerabilities catalog.
CISA set a **February 21** deadline for Federal Civilian Executive Branch agencies to secure affected systems.
Available evidence does not quantify the victim count or the full compromise scope.

Malware context

6 families

Signals

8 derived

Exploitation

Exploitation Active exploitation CVSS 10.0 Critical

CVEs/products

CVE

Victims/regions

Sector government Victim region United States

Remediation

KEV CISA KEV Remediation Patch available

Threat context

Malware

Member happenings

2 related

Vulnerability Dell RecoverPoint for Virtual Machines hardcoded-credential vulnerability (CVE-2026-22769)

Updated 17.02.2026 22:15 Lead Contribution 62

Exploitation Active Exploitation Exploit No Known Public Exploit CVSS 10.0 Critical Patch Patch Available

**Dell RecoverPoint for Virtual Machines** versions prior to **6.0.3.1 HF1** were exposed to a **maximum-severity hardcoded-credential flaw** tracked as **CVE-2026-22769**. The issue let an **unauthenticated remote attacker** who knew the embedded credential gain **unauthorized OS access** and potentially establish **root-level persistence**. The vulnerability was being **actively exploited as a zero-day** starting in **mid-2024**, making remediation urgent. **Dell** said customers should **upgrade or apply one of the remediations** as soon as possible.

View happening

Campaign UNC6201 Dell RecoverPoint for Virtual Machines zero-day campaign

Updated 17.02.2026 22:15 Scoring Support Contribution 2

Campaign Active Objective Espionage

The **UNC6201** campaign has been exploiting a **Dell zero-day** since **mid-2024**, creating a sustained risk of unauthorized access and stealthy movement across victims' virtualized environments. Once inside, the operators deployed **Grimbolt** and earlier **Brickstorm** backdoors to maintain access. They also used **Ghost NICs** on **VMware ESXi** servers to pivot deeper into internal and SaaS environments. The activity is notable because it targets appliances that often lack **EDR** coverage and can support long-term persistence.

View happening