Dell RecoverPoint for Virtual Machines hardcoded-credential vulnerability (CVE-2026-22769)
Vulnerability
Summary
Dell RecoverPoint for Virtual Machines versions prior to 6.0.3.1 HF1 were exposed to a maximum-severity hardcoded-credential flaw tracked as CVE-2026-22769. The issue let an unauthenticated remote attacker who knew the embedded credential gain unauthorized OS access and potentially establish root-level persistence. The vulnerability was being actively exploited as a zero-day starting in mid-2024, making remediation urgent. Dell said customers should upgrade or apply one of the remediations as soon as possible.
Cases
Related Happenings
Federal civilian executive branch agency hit by network compromise
Incident
First: 24.04.2026 23:34
Last: 24.04.2026 23:34
Sources 1
About this happening:
A **federal civilian executive branch agency** was compromised in an **early September 2025** intrusion that left attackers with persistent access on **Cisco Firepower** and **Sec...
EDR killer BYOVD analysis finds 54 tools abusing 34 vulnerable drivers
Technical Analysis
First: 19.03.2026 20:52
Last: 19.03.2026 20:52
Sources 1
About this happening:
**54 EDR killers** were found abusing **BYOVD** through **34 vulnerable drivers**, showing how ransomware operators can **disable endpoint defenses** before encryption. The findin...
CISA updates KEV entry for CVE-2026-1731
Public Sector Action
First: 20.02.2026 17:45
Last: 20.02.2026 17:45
Sources 1
About this happening:
**CISA** updated its **KEV catalog** entry for **CVE-2026-1731**, confirming the flaw has been used in **ransomware campaigns** and elevating its government-tracked risk. The upda...
CISA KEV patch order for Dell RecoverPoint
Public Sector Action
First: 19.02.2026 17:30
Last: 19.02.2026 17:30
Sources 1
How related:
CISA has now added the security flaw to its Known Exploited Vulnerabilities (KEV) catalog on Wednesday and ordered Federal Civilian Executive Branch (FCEB) agencies to secure their networks by the end of Saturday, February 21, as mandated by Binding Operational Directive (BOD) 22-01.
About this happening:
**CISA** added **CVE-2026-22769** to the **KEV catalog** and ordered **Federal Civilian Executive Branch** agencies to secure their networks by **February 21**. The directive unde...
BRICKSTORM backdoor activity and GRIMBOLT replacement on appliances
Malware Activity
First: 18.02.2026 12:32
Last: 18.02.2026 12:32
Sources 1
How related:
The threat actor has also been found replacing old BRICKSTORM binaries with GRIMBOLT in September 2025.
About this happening:
**BRICKSTORM** is a **Golang backdoor** used by **PRC state-sponsored actors** to keep **long-term persistence** on **VMware vSphere**, **Windows**, and appliance environments. **...
Timeline
- 19.02.2026 17:30 · 1 article
CISA orders FCEB agencies to patch CVE-2026-22769
Legal Policy Action Update
CISA added CVE-2026-22769 in Dell RecoverPoint for Virtual Machines to its Known Exploited Vulnerabilities catalog and ordered Federal Civilian Executive Branch agencies to secure their networks by the end of Saturday, February 21, under Binding Operational Directive 22-01; CISA warned that the flaw is actively exploited and advised agencies to apply vendor mitigations or stop using the product if mitigations are unavailable.
Sources:
- CISA orders feds to patch actively exploited Dell flaw within 3 days — www.bleepingcomputer.com — 19.02.2026 17:30
- 17.02.2026 22:15 · 1 article
UNC6201 exploitation of Dell RecoverPoint flaw revealed
Initial Disclosure
Mandiant and the Google Threat Intelligence Group say UNC6201 has quietly exploited CVE-2026-22769 in Dell RecoverPoint for Virtual Machines since mid-2024, where a hardcoded credential in versions prior to 6.0.3.1 HF1 could let an unauthenticated remote attacker gain unauthorized access and root-level persistence; after access, the group deployed Grimbolt and Brickstorm, used Ghost NICs on VMware ESXi servers, and showed overlaps with UNC5221, Silk Typhoon, Warp Panda, and related activity targeting multiple U.S. organizations.
Sources:
- Chinese hackers exploiting Dell zero-day flaw since mid-2024 — www.bleepingcomputer.com — 17.02.2026 22:15