Find notable cyber news and cases, enriched with sources, timelines, and signals.
Vulnerability Campaign

Dell RecoverPoint credential flaw abused for persistent access

Updated 19.02.2026 17:30
Case score 65
Case score 65 Members 2 Latest activity 19.02.2026 17:30
Active exploitation KEV: CISA KEV Patch available CVSS: 10.0 Critical
Members 2 First seen 17.02.2026 22:15 Last seen 17.02.2026 22:15 Updated 19.02.2026 17:30

Overview

UNC6201 has been exploiting **CVE-2026-22769** in **Dell RecoverPoint for Virtual Machines** since mid-2024. The hardcoded-credential flaw let an attacker authenticate without authorization, reach the underlying operating system, and establish root-level persistence. After initial access, the operators used **Grimbolt** and earlier **Brickstorm** and pivoted with Ghost NICs on VMware ESXi servers to move deeper into virtualized environments. Dell issued remediation guidance and CISA added **CVE-2026-22769** to the Known Exploited Vulnerabilities catalog with a February 21 deadline for Federal Civilian Executive Branch agencies. Available evidence does not quantify victim count or full compromise scope, but it does show active exploitation against backup and recovery infrastructure.

Signals

9 derived
Exploitation
Exploitation Active exploitation CVSS 10.0 Critical
CVEs/products
CVE
Victims/regions
Sector government Victim region United States
Remediation
KEV CISA KEV Remediation Patch available
Status
Campaign status Active
Threat context
Malware

Malware context

6 families

Member happenings

2 related
Vulnerability Dell RecoverPoint for Virtual Machines hardcoded-credential vulnerability (CVE-2026-22769)
Updated 17.02.2026 22:15 Lead Contribution 62
Exploitation Active Exploitation Exploit No Known Public Exploit CVSS 10.0 Critical Patch Patch Available

**Dell RecoverPoint for Virtual Machines** versions prior to **6.0.3.1 HF1** were exposed to a **maximum-severity hardcoded-credential flaw** tracked as **CVE-2026-22769**. The issue let an **unauthenticated remote attacker** who knew the embedded credential gain **unauthorized OS access** and potentially establish **root-level persistence**. The vulnerability was being **actively exploited as a zero-day** starting in **mid-2024**, making remediation urgent. **Dell** said customers should **upgrade or apply one of the remediations** as soon as possible.

Campaign UNC6201 Dell RecoverPoint for Virtual Machines zero-day campaign
Updated 17.02.2026 22:15 Scoring Support Contribution 2
Objective Espionage Campaign Active Patch Patch Available

The **UNC6201** campaign has been exploiting a **Dell zero-day** since **mid-2024**, creating a sustained risk of unauthorized access and stealthy movement across victims' virtualized environments. Once inside, the operators deployed **Grimbolt** and earlier **Brickstorm** backdoors to maintain access. They also used **Ghost NICs** on **VMware ESXi** servers to pivot deeper into internal and SaaS environments. The activity is notable because it targets appliances that often lack **EDR** coverage and can support long-term persistence.