Dell RecoverPoint Zero-Day Actively Exploited Since 2024
Overview
In February 2026, researchers revealed that a critical zero-day vulnerability in Dell Technologies RecoverPoint for Virtual Machines (RP4VM) had been actively exploited since mid-2024.
The vulnerability, tracked as CVE-2026-22769, received a CVSS score of 10.0, the highest possible severity rating. It allows unauthenticated attackers to achieve remote code execution with root privileges on affected appliances.
Threat activity has been attributed to UNC6201, a China-linked state-sponsored actor tracked by Mandiant.
The severity of the flaw is alarming, but the timeline is even more concerning. Exploitation reportedly began around mid-2024 and continued for approximately 18 months before public disclosure.
What Is Dell RecoverPoint for VMs?
RecoverPoint for Virtual Machines is a disaster recovery and replication solution used in VMware environments. It enables continuous data protection, point-in-time recovery, replication across sites, and failover orchestration.
In many enterprise networks, RecoverPoint appliances sit deep inside production infrastructure and operate with elevated privileges. They maintain direct integration with VMware vCenter, ESXi hosts, and replication targets. Because of this, they are implicitly trusted systems.
That trust becomes a strategic weakness when a critical vulnerability exists.
How It Works
CVE-2026-22769 is caused by hardcoded administrative credentials embedded in the Apache Tomcat Manager component of the RecoverPoint appliance.
This means the application shipped with static credentials compiled directly into the software stack. An attacker who discovered or reverse-engineered these credentials could authenticate without possessing legitimate user accounts.
Once authenticated, the attacker could deploy malicious WAR files through the Tomcat Manager interface or directly execute commands on the underlying system. This resulted in remote code execution with root-level privileges.
This was not a configuration mistake by customers. It was a product design flaw.
In observed attacks, threat actors first gained network-level access to the appliance, either externally or from within the internal network. They then used the hardcoded credentials to authenticate, uploaded malicious components, and established persistence.
Researchers documented the deployment of several backdoors, including BRICKSTORM, SLAYSTYLE, and a newer C#-based implant known as GRIMBOLT. These tools allowed command execution, long-term persistence, and stealthy communication with command-and-control infrastructure.
In some cases, attackers modified legitimate system scripts to ensure their implants were executed at boot. There were also reports of “ghost” network interfaces created on virtual machines to enable covert lateral movement inside VMware environments.
Risks
The primary risk is full system compromise. Root-level access to a disaster recovery appliance gives an attacker control over replication settings, authentication mechanisms, and potentially the integrity of protected virtual machines.
However, the deeper risk lies in what RecoverPoint connects to. These appliances communicate with vCenter, ESXi hosts, backup repositories, and sometimes identity infrastructure. Once compromised, the appliance becomes a pivot point into the broader environment.
Another critical concern is backup integrity. An attacker with control of a disaster recovery system can quietly alter retention policies, delete restore points, corrupt replication processes, or stage destructive actions for later execution.
In a worst-case scenario, an organization may discover during an incident that its recovery infrastructure was compromised long before the breach was detected.
The long exploitation window increases the likelihood of undetected persistence. Even organizations that patch today must consider the possibility that compromise occurred months earlier. Applying a patch does not remove backdoors already deployed.
Real-World Example
The campaign attributed to UNC6201 focused on high-value enterprise environments, particularly those running large VMware deployments.
Rather than deploying ransomware or conducting noisy data theft operations, the attackers used the zero-day to gain strategic access. After exploitation, they installed backdoors such as BRICKSTORM and GRIMBOLT and leveraged stealth techniques to move laterally across the network.
There were no ransom notes. No immediate service disruptions. No public leaks.
This pattern aligns with cyber-espionage objectives rather than financially motivated crime. The estimated 18-month dwell time indicates operational discipline and strong stealth capabilities.
The compromise of disaster recovery infrastructure provides not only access, but leverage. It positions the attacker inside the very systems designed to restore operations during a crisis.
Recommendations
Organizations running Dell RecoverPoint for VMs should approach this issue as a potential breach scenario rather than a routine vulnerability patch.
The first step is upgrading to the latest patched version provided by Dell. If patching cannot be performed immediately, vendor-provided mitigation steps should be applied and access to the appliance tightly restricted.
Beyond patching, organizations should perform retrospective analysis going back to mid-2024. Administrative logs, unexpected deployments through the Tomcat Manager interface, modified boot scripts, unusual outbound connections, and new or unauthorized service accounts should all be reviewed.
Infrastructure appliances should be segmented within dedicated management networks and continuously monitored through centralized logging and SIEM systems. These systems should not be directly exposed to the internet and should require strong access controls.
Finally, backup integrity must be validated. Restore points should be tested, replication configurations verified, and retention settings reviewed for unauthorized modification.
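The retrospective review described above, in particular the search for unexpected deployments through the Tomcat Manager interface and for Manager access from unexpected sources, can be scripted against the appliance's access logs. The script below is an added example written for this article; it is not Dell's, Mandiant's or the RecoverPoint product's own code. It assumes the appliance's Tomcat writes the standard "common" access-log format, that the Manager endpoints are Tomcat's stock paths (/manager/text/deploy, /manager/html/upload and so on), and that the management subnet is known. The sample log lines and the 10.0.5.0/24 admin network are constructed for the example. It also correlates each successful deployment with the first requests to the newly created context, which is the follow-on traffic a dropped web application (the "How It Works" section's WAR deployment) tends to produce.

```python
"""Retrospective review of Tomcat access logs for unexpected Manager activity.

Added example for this article; not Dell's, Mandiant's or the RecoverPoint
product's own code. Assumes the appliance's Tomcat writes the standard
"common" access-log format and that the admin network is known. The log
lines and the 10.0.5.0/24 admin subnet below are constructed sample data.
"""
import ipaddress
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Tomcat/Apache "common" format: host ident authuser [date] "METHOD target PROTO" status bytes
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Stock Tomcat Manager endpoints that add or remove code the container runs.
DEPLOY_PATHS = ("/manager/text/deploy", "/manager/html/deploy", "/manager/html/upload")
UNDEPLOY_PATHS = ("/manager/text/undeploy", "/manager/html/undeploy")

# Constructed sample log (not from a real appliance). Line 3 is a Manager
# deployment from outside the admin network; line 4 is the first request to
# the context it created.
SAMPLE_LOG = """\
10.0.5.20 - - [12/Jan/2025:09:14:03 +0000] "GET /health HTTP/1.1" 200 512
10.0.5.20 - admin [12/Jan/2025:09:15:11 +0000] "GET /manager/html HTTP/1.1" 200 4210
198.51.100.77 - admin [03/Mar/2025:02:41:57 +0000] "PUT /manager/text/deploy?path=/svc&update=true HTTP/1.1" 200 78
198.51.100.77 - - [03/Mar/2025:02:42:30 +0000] "GET /svc/status HTTP/1.1" 200 33
10.0.5.21 - - [03/Mar/2025:08:00:01 +0000] "GET /health HTTP/1.1" 200 512
"""


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec


def review(log_text, admin_net, follow_window=timedelta(minutes=30)):
    """Flag Manager use and early traffic to freshly deployed contexts.

    Returns (severity, timestamp, source_ip, description) tuples in log order.
    Manager activity from outside admin_net is called out in the description.
    """
    net = ipaddress.ip_network(admin_net)
    findings = []
    deployed = []  # (context_path, deploy_time) from successful deployments

    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        src = ipaddress.ip_address(rec["host"])
        path = rec["path"]
        origin = "" if src in net else " from outside the admin network"

        if path.startswith("/manager/"):
            if path.startswith(DEPLOY_PATHS) and rec["status"] == 200:
                ctx = rec["query"].get("path", ["(unknown)"])[0]
                findings.append(("HIGH", rec["ts"], str(src),
                                 f"application deployed via Manager at {ctx}{origin}"))
                deployed.append((ctx, rec["ts"]))
            elif path.startswith(UNDEPLOY_PATHS):
                findings.append(("HIGH", rec["ts"], str(src),
                                 f"application removed via Manager{origin}"))
            else:
                sev = "MEDIUM" if origin else "LOW"
                findings.append((sev, rec["ts"], str(src),
                                 f"Manager interface accessed ({rec['method']} {path}){origin}"))
            continue

        # Requests to a context deployed minutes earlier are the follow-on
        # activity a dropped web application invites; surface them.
        for ctx, t in deployed:
            same_ctx = path == ctx or path.startswith(ctx.rstrip("/") + "/")
            if ctx != "(unknown)" and same_ctx and rec["ts"] - t <= follow_window:
                delay = int((rec["ts"] - t).total_seconds())
                findings.append(("HIGH", rec["ts"], str(src),
                                 f"request to context {ctx} deployed {delay}s earlier"))
                break
    return findings


if __name__ == "__main__":
    for sev, ts, src, desc in review(SAMPLE_LOG, "10.0.5.0/24"):
        print(f"{sev:6} {ts:%Y-%m-%d %H:%M:%S} {src:15} {desc}")
```

Run it against the full log history back to mid-2024, not just recent retention, since the article's point is that the exploitation window predates most log rotation schedules; any HIGH finding warrants treating the appliance as compromised rather than merely unpatched, because, as noted above, patching does not remove a web application that was already deployed.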
Strategic Takeaway
CVE-2026-22769 reflects a broader shift in attacker priorities. Modern threat actors are increasingly targeting infrastructure control planes rather than endpoints.
Backup systems, hypervisors, and orchestration platforms are high-impact targets because they provide centralized control and elevated privileges. A vulnerability in such systems is not simply another CVE. It is a strategic access vector.
For organizations operating VMware-based environments with Dell RecoverPoint, the question is no longer just whether patches have been applied.