CISA orders feds to patch actively exploited Dell flaw within 3 days

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch their systems within three days against a maximum-severity Dell vulnerability that has been under active exploitation since mid-2024.

According to security researchers from Mandiant and the Google Threat Intelligence Group (GTIG), this hardcoded-credential vulnerability (CVE-2026-22769) in Dell RecoverPoint (a solution used for VMware virtual machine backup and recovery) is being exploited by a suspected Chinese hacking group tracked as UNC6201.

After gaining access to a victim's network in CVE-2026-22769 attacks, UNC6201 deploys multiple malware payloads, including a newly identified backdoor called Grimbolt. This malware is built with a relatively new compilation technique that makes it harder to analyze than its predecessor, the Brickstorm backdoor.


While the group swapped Brickstorm for Grimbolt in September 2025, it is not yet clear whether this swap was part of a deliberate upgrade or "a response to incident response efforts led by Mandiant and other industry partners."

"Analysis of incident response engagements revealed that UNC6201, a suspected PRC-nexus threat cluster, has exploited this flaw since at least mid-2024 to move laterally, maintain persistent access, and deploy malware including SLAYSTYLE, BRICKSTORM, and a novel backdoor tracked as GRIMBOLT," the researchers said.

The security researchers have also found overlaps between UNC6201 and the Silk Typhoon Chinese state-backed cyberespionage group (although GTIG does not consider the two identical), which is also tracked as UNC5221 and is known for exploiting Ivanti zero-days to target government agencies with custom Spawnant and Zipline malware.

Silk Typhoon has previously breached the systems of several U.S. government agencies, including the U.S. Treasury Department, the Office of Foreign Assets Control (OFAC), and the Committee on Foreign Investment in the United States (CFIUS).

Feds ordered to prioritize CVE-2026-22769 patches

CISA added the security flaw to its Known Exploited Vulnerabilities (KEV) catalog on Wednesday and ordered Federal Civilian Executive Branch (FCEB) agencies to secure their networks by the end of Saturday, February 21, as mandated by Binding Operational Directive (BOD) 22-01.

"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA warned on Wednesday.

"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."
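The KEV catalog is published as a JSON feed, and the practical check behind a BOD 22-01 deadline is "which catalogued CVEs touch products we run, and how many days are left." As an added example (not code from the article, CISA, Dell or BeyondTrust), the Python below parses a feed in the shape of CISA's public KEV JSON, finds a CVE by ID, triages entries by their due dates, and matches vendor/product pairs against a small asset inventory. The feed URL and field names are those of CISA's published feed; the two records, the inventory, and every date other than the February 21 deadline named above are constructed for the example.

```python
"""Triage KEV catalog entries against their BOD 22-01 due dates (added example)."""
import json
from datetime import date

# CISA's live feed (not fetched here; the example runs offline on SAMPLE_KEV_JSON).
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the shape of the KEV feed. The CVE IDs, vendors, products and
# the Dell due date follow the article; vulnerability names, descriptions, the
# catalog version and the BeyondTrust dates are illustrative placeholders.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "sample",
  "count": 2,
  "vulnerabilities": [
    {
      "cveID": "CVE-2026-22769",
      "vendorProject": "Dell",
      "product": "RecoverPoint",
      "vulnerabilityName": "Dell RecoverPoint Hardcoded Credentials Vulnerability (constructed)",
      "dateAdded": "2026-02-18",
      "shortDescription": "Hardcoded credentials exploited by a suspected PRC-nexus actor (constructed).",
      "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
      "dueDate": "2026-02-21",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": ""
    },
    {
      "cveID": "CVE-2026-1731",
      "vendorProject": "BeyondTrust",
      "product": "Remote Support",
      "vulnerabilityName": "BeyondTrust Remote Support Remote Code Execution Vulnerability (constructed)",
      "dateAdded": "2026-02-10",
      "shortDescription": "Remote code execution (constructed).",
      "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
      "dueDate": "2026-02-13",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": ""
    }
  ]
}
"""

# Constructed asset inventory as (vendor, product) pairs; names deliberately differ
# from CISA's exact product strings, as real inventories usually do.
SAMPLE_INVENTORY = [
    ("Dell", "RecoverPoint for Virtual Machines"),
    ("BeyondTrust", "Remote Support (on-premises)"),
    ("BeyondTrust", "Privileged Remote Access"),
]


def load_kev(feed_text):
    """Parse a KEV feed document and return its list of vulnerability records."""
    doc = json.loads(feed_text)
    entries = doc["vulnerabilities"]
    if doc.get("count") is not None and doc["count"] != len(entries):
        raise ValueError("KEV feed 'count' does not match the number of entries")
    return entries


def find_cve(entries, cve_id):
    """Return the KEV record for cve_id (case-insensitive), or None if not catalogued."""
    wanted = cve_id.strip().upper()
    for entry in entries:
        if entry["cveID"].upper() == wanted:
            return entry
    return None


def remediation_window_days(entry):
    """Days CISA allowed between dateAdded and dueDate (3 for the Dell entry above)."""
    return (date.fromisoformat(entry["dueDate"]) - date.fromisoformat(entry["dateAdded"])).days


def triage(entries, today, soon_days=3):
    """Bucket catalogued CVE IDs by remaining time on `today` (a date or ISO string)."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    buckets = {"overdue": [], "due_soon": [], "on_track": []}
    for entry in sorted(entries, key=lambda e: e["dueDate"]):
        remaining = (date.fromisoformat(entry["dueDate"]) - today).days
        if remaining < 0:
            buckets["overdue"].append(entry["cveID"])
        elif remaining <= soon_days:
            buckets["due_soon"].append(entry["cveID"])
        else:
            buckets["on_track"].append(entry["cveID"])
    return buckets


def affected_in_inventory(entries, inventory):
    """Match KEV vendor/product pairs against inventory (vendor, product) tuples.

    Vendor must match exactly (case-insensitive); product is a substring test,
    because inventory names are rarely identical to CISA's product strings.
    """
    hits = []
    for entry in entries:
        vendor = entry["vendorProject"].lower()
        product = entry["product"].lower()
        for inv_vendor, inv_product in inventory:
            if vendor == inv_vendor.lower() and product in inv_product.lower():
                hits.append((entry["cveID"], inv_vendor, inv_product))
    return hits


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    print(triage(kev, "2026-02-19"))
    print(affected_in_inventory(kev, SAMPLE_INVENTORY))
```

The same functions apply unchanged to the live feed once it is downloaded from KEV_FEED_URL; the substring product match is intentionally loose, so treat its hits as candidates to confirm against actual installed versions rather than as a final answer.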

Last week, CISA also gave U.S. federal agencies three days to secure their BeyondTrust Remote Support instances against an actively exploited remote code execution vulnerability (CVE-2026-1731).

Hacktron, which reported the vulnerability on January 31, warned in early February that around 11,000 BeyondTrust Remote Support instances were exposed online, and that around 8,500 of them were on-premises deployments that required manual patching.
