CISA orders feds to patch actively exploited Dell flaw within 3 days

CISA ordered federal agencies to patch a maximum-severity hardcoded-credential vulnerability in Dell RecoverPoint (CVE-2026-22769) within three days after researchers found it has been actively exploited since mid-2024. Security firms attribute the exploitation to suspected Chinese threat cluster UNC6201, which has used the flaw for lateral movement and to deploy payloads including SLAYSTYLE, BRICKSTORM, and a new hard-to-analyze backdoor named GRIMBOLT.

Keypoints

  • CISA added CVE-2026-22769 to its Known Exploited Vulnerabilities catalog and mandated FCEB agencies remediate it by Feb 21 under BOD 22-01.
  • Mandiant and Google TAG reported the Dell RecoverPoint hardcoded-credential flaw has been exploited since at least mid-2024.
  • Suspected PRC-linked cluster UNC6201 leverages the vulnerability to move laterally, maintain persistence, and deploy multiple malware families.
  • GRIMBOLT is a newly identified backdoor built with a novel compilation technique that makes analysis harder; it replaced BRICKSTORM in September 2025.
  • Researchers observed overlaps between UNC6201 and Silk Typhoon (UNC5221), a group previously tied to breaches of multiple U.S. government agencies.

Read More: https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-actively-exploited-dell-flaw-within-3-days/