A critical zero-day, CVE-2026-22769, is being actively exploited in Dell RecoverPoint for Virtual Machines. The flaw lets unauthenticated attackers gain root-level persistence via hardcoded Apache Tomcat credentials. Mandiant and GTIG attribute the campaign to the Chinese cluster UNC6201, which has deployed SLAYSTYLE web shells and moved from BRICKSTORM to the AOT-compiled backdoor GRIMBOLT while pivoting into VMware environments. #CVE-2026-22769 #UNC6201 #DellRecoverPoint #GRIMBOLT #SLAYSTYLE #BRICKSTORM
Key points
- CVE-2026-22769 allows unauthenticated root-level access in Dell RecoverPoint via hardcoded Tomcat credentials.
- Mandiant and GTIG observed UNC6201 exploiting the flaw since at least mid-2024.
- Attackers used the Tomcat Manager deploy endpoint to upload WAR files and install the SLAYSTYLE web shell.
- The threat actor replaced BRICKSTORM with an AOT-compiled backdoor, GRIMBOLT, to evade analysis and improve performance.
- Compromised environments showed VMware pivots using Ghost NICs and SPA-based port redirection for covert access.
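The key points above name WAR deployment through the Tomcat Manager as the foothold. The following is an added detection example (not code from the report, Mandiant or Dell) that flags Manager deploy requests in Tomcat's default access log; the log lines are constructed, and the only real identifiers are Tomcat's standard Manager endpoint paths.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Tomcat access-log pattern "%h %l %u %t \"%r\" %s %b" (the default AccessLogValve format).
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Manager endpoints that deploy a web application: the text interface takes a WAR
# via PUT (or a server-side 'war=' via GET); the HTML interface takes a POST upload.
DEPLOY_ENDPOINTS = {
    ("PUT", "/manager/text/deploy"),
    ("GET", "/manager/text/deploy"),
    ("POST", "/manager/html/upload"),
}

def find_manager_deploys(log_text):
    """Return one alert per request that deployed (or tried to deploy) a WAR via the
    Tomcat Manager. The text manager answers 200 for both 'OK - ...' and 'FAIL - ...',
    so every non-error hit on these endpoints is treated as a deploy attempt to triage."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not an access-log line; skip it
        url = urlsplit(m["target"])
        if (m["method"], url.path) not in DEPLOY_ENDPOINTS or int(m["status"]) >= 400:
            continue                      # other endpoint, or rejected before the manager ran
        params = parse_qs(url.query)
        alerts.append({
            "source": m["host"],
            "user": m["user"],
            "time": m["time"],
            "endpoint": url.path,
            # Context path requested by the client; the HTML upload form derives it
            # from the WAR file name instead, so it is absent for that endpoint.
            "context": params.get("path", [None])[0],
        })
    return alerts

# Constructed sample log lines; addresses, users, times and context paths are made up.
SAMPLE_LOG = """\
203.0.113.7 - tomcat [12/Jan/2026:03:14:07 +0000] "GET /manager/html HTTP/1.1" 200 11542
203.0.113.7 - tomcat [12/Jan/2026:03:14:22 +0000] "PUT /manager/text/deploy?path=/updates&update=true HTTP/1.1" 200 61
198.51.100.9 - tomcat [12/Jan/2026:03:16:45 +0000] "POST /manager/html/upload HTTP/1.1" 200 9031
198.51.100.9 - - [12/Jan/2026:03:17:02 +0000] "PUT /manager/text/deploy?path=/x HTTP/1.1" 401 2473
"""
```

Any alert from a source that is not your deployment pipeline, or from the built-in Tomcat account, is a strong lead; the 401 line is dropped because the request never reached the Manager servlet.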
Read More: https://thecyberexpress.com/cve-2026-22769-dell-recoverpoint/