A most severity safety vulnerability in Dell RecoverPoint for Digital Machines has been exploited as a zero-day by a suspected China-nexus menace cluster dubbed UNC6201 since mid-2024, based on a new report from Google Mandiant and Google Risk Intelligence Group (GTIG).
The exercise entails the exploitation of CVE-2026-22769 (CVSS rating: 10.0), a case of hard-coded credentials affecting variations prior to six.0.3.1 HF1. Different merchandise, together with RecoverPoint Traditional, aren’t weak to the flaw.
“That is thought-about essential as an unauthenticated distant attacker with data of the hardcoded credential might doubtlessly exploit this vulnerability, resulting in unauthorized entry to the underlying working system and root-level persistence,” Dell stated in a bulletin launched Tuesday.
The difficulty impacts the next merchandise –
- RecoverPoint for Digital Machines Model 5.3 SP4 P1 – Migrate from RecoverPoint for Digital Machines 5.3 SP4 P1 to six.0 SP3, after which improve to six.0.3.1 HF1
- RecoverPoint for Digital Machines Variations 6.0, 6.0 SP1, 6.0 SP1 P1, 6.0 SP1 P2, 6.0 SP2, 6.0 SP2 P1, 6.0 SP3, and 6.0 SP3 P1 – Improve to six.0.3.1 HF1
- RecoverPoint for Digital Machines Variations 5.3 SP4, 5.3 SP3, 5.3 SP2, and earlier – Improve to model 5.3 SP4 P1 or a 6.x model, after which apply the mandatory remediation
“Dell recommends that RecoverPoint for Digital Machines be deployed inside a trusted, access-controlled inside community protected by acceptable firewalls and community segmentation,” it famous. “RecoverPoint for Digital Machines isn’t meant to be used on untrusted or public networks.”
Per Google, the hard-coded credential pertains to an “admin” consumer for the Apache Tomcat Supervisor occasion that may very well be used authenticate to the Dell RecoverPoint Tomcat Supervisor, add an internet shell named SLAYSTYLE by way of the “/supervisor/textual content/deploy” endpoint, and execute instructions as root on the equipment to drop the BRICKSTORM backdoor and its newer model dubbed GRIMBOLT.
“This can be a C# backdoor compiled utilizing native ahead-of-time (AOT) compilation, making it tougher to reverse engineer,” Mandiant’s Charles Carmakal added.
Google instructed The Hacker Information that the exercise has focused organizations throughout North America, with GRIMBOLT incorporating options to raised evade detection and decrease forensic traces on contaminated hosts. “GRIMBOLT is even higher at mixing in with the system’s personal native information,” it added.
UNC6201 can be assessed to share overlaps with UNC5221, one other China-nexus espionage cluster recognized for its exploitation of virtualization applied sciences and Ivanti zero-day vulnerabilities to distribute internet shells and malware households like BEEFLUSH, BRICKSTORM, and ZIPLINE.
Regardless of the tactical similarities, the 2 clusters are assessed to be distinct at this stage. It is price noting that the usage of BRICKSTORM has additionally been linked by CrowdStrike to a 3rd China-aligned adversary tracked as Warp Panda in assaults geared toward U.S. entities.
A noteworthy side of the most recent set of assaults revolves round UNC6201’s reliance on non permanent digital community interfaces – known as “Ghost NICs” – to pivot from compromised digital machines into inside or SaaS environments, after which delete these NICs to cowl up the tracks in an effort to impede investigation efforts.
“According to the sooner BRICKSTORM marketing campaign, UNC6201 continues to focus on home equipment that sometimes lack conventional endpoint detection and response (EDR) brokers to stay undetected for lengthy durations,” Google stated.
Precisely how preliminary entry is obtained stays unclear, however like UNC5221, it is also recognized to focus on edge home equipment to interrupt into goal networks. An evaluation of the compromised VMware vCenter home equipment has additionally uncovered iptable instructions executed via the online shell to carry out the next set of actions –
- Monitor incoming visitors on port 443 for a particular HEX string
- Add the supply IP tackle of that visitors to a listing and if the IP tackle is on the listing and connects to port 10443, the connection is ACCEPTED
- Silently redirect subsequent visitors to port 443 to port 10443 for the subsequent 300 seconds (5 minutes) if the IP is on the authorised listing
Moreover, the menace actor has been discovered changing previous BRICKSTORM binaries with GRIMBOLT in September 2025. Whereas GRIMBOLT additionally offers a distant shell functionality and makes use of the identical command-and-control (C2) as BRICKSTORM, it isn’t recognized what prompted the shift to the harder-to-detect malware, and whether or not it was a deliberate transition or a response to public disclosures about BRICKSTORM.
“Nation-state menace actors proceed concentrating on techniques that do not generally help EDR options, which makes it very laborious for sufferer organizations to know they’re compromised and considerably prolongs intrusion dwell occasions,” Carmakal stated.
The disclosure comes as Dragos warned of assaults mounted by Chinese language teams like Volt Storm (aka Voltzite) to compromise Sierra Wi-fi Airlink gateways positioned in electrical and oil and gasoline sectors, adopted by pivoting to engineering workstations to dump config and alarm information.
The exercise, based on the cybersecurity firm, occurred in July 2025. The hacking crew is alleged to accumulate preliminary entry from Sylvanite, which quickly weaponizes edge system vulnerabilities earlier than patches are utilized and fingers off entry for deeper operational know-how (OT) intrusions.
“Voltzite moved past information exfiltration to direct manipulation of engineering workstations investigating what would set off processes to cease,” Dragos stated. ” This represents the elimination of the final sensible barrier between having entry and inflicting bodily penalties. Mobile gateways create unauthorized pathways into OT networks bypassing conventional safety controls.”
