UNC6201 Exploits Dell RecoverPoint Zero-Day: What Security Teams Need to Know

In a significant and ongoing cyber-espionage campaign, a sophisticated threat actor has been exploiting a critical zero-day vulnerability in Dell RecoverPoint for Virtual Machines since at least mid-2024. The vulnerability — tracked as CVE-2026-22769 and carrying a CVSSv3.1 score of 10.0 (Critical) — has enabled remote unauthenticated access, root-level persistence, lateral movement, and deployment of custom malware across compromised enterprise environments.

This post breaks down the technical details, adversary activity, enterprise impact, and immediate defensive actions organizations should take.


What Is CVE-2026-22769?

CVE-2026-22769 is a critical vulnerability in Dell RecoverPoint for Virtual Machines (RP4VM) versions prior to 6.0.3.1 HF1. The root cause is hard-coded credentials in the appliance’s Apache Tomcat Manager configuration. An attacker who knows these credentials can authenticate to the Manager interface remotely, without any legitimate user’s credentials, and so bypasses the appliance’s standard authentication controls.

Successful exploitation enables:

  • Unauthenticated remote access

  • Root-level command execution

  • Installation of arbitrary code

  • Creation of privileged accounts

  • Full compromise of VMware recovery infrastructure

Given the central role RecoverPoint plays in backup and replication, this vulnerability represents a high-impact enterprise risk.


Threat Actor Overview: UNC6201

The activity has been attributed to UNC6201, a suspected China-nexus cyber espionage actor. Research indicates active exploitation dating back to mid-2024, well before public disclosure of the vulnerability.

UNC6201 has leveraged the flaw to:

  • Compromise Dell RecoverPoint appliances

  • Deploy web shells and backdoors

  • Establish persistent access

  • Pivot laterally into VMware infrastructure

The duration of exploitation demonstrates both operational maturity and strategic targeting of backup infrastructure as a high-value entry point.


Malware and Tradecraft Observed

Initial Access via Web Shell

Attackers leveraged the Tomcat Manager interface to deploy a web shell (SLAYSTYLE), enabling immediate remote command execution.

Persistence with BRICKSTORM

Early campaigns used BRICKSTORM, a backdoor providing covert command and control functionality.

Evolution to GRIMBOLT

Later activity introduced GRIMBOLT, a C#-based backdoor compiled ahead-of-time (AOT) to evade static analysis and operate efficiently within appliance environments. This marks a clear evolution in sophistication.


Lateral Movement and Stealth Techniques

UNC6201 demonstrated advanced techniques to evade detection and move within compromised environments:

  • Temporary “ghost” network interfaces created on ESXi hosts to bypass monitoring

  • iptables-based Single Packet Authorization (SPA) to selectively expose services

  • Targeting of backup and replication infrastructure to maintain long-term persistence

These techniques highlight the adversary’s understanding of virtualized enterprise networks and defensive blind spots.


Enterprise Impact

Compromise of backup infrastructure introduces cascading risk:

  • Disaster recovery pathways become untrusted

  • Backup data integrity may be compromised

  • VMware environments become pivot points

  • Increased likelihood of secondary ransomware or extortion activity

CISA has added CVE-2026-22769 to the Known Exploited Vulnerabilities (KEV) Catalog, underscoring confirmed real-world exploitation.


Required Defensive Actions

Organizations operating Dell RecoverPoint should take immediate action:

  1. Patch immediately to version 6.0.3.1 HF1 or later.

  2. Isolate management interfaces from general network access.

  3. Review authentication logs for anomalous Tomcat Manager access.

  4. Inspect appliances for unauthorized deployments to /manager/text/deploy.

  5. Hunt for unusual ESXi network interfaces or unauthorized root-level changes.

  6. Ensure EDR and centralized logging coverage extends to backup appliances.

Backup infrastructure must be treated as production-critical security assets, not secondary systems.
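Steps 3 and 4 above are the two that a SOC can script. The following is an added example, not code from this post and not a Dell or Critical Path Security tool: a small Python hunt over a Tomcat access log that flags deployments through /manager/text/deploy, successful Manager access from sources outside an allow-list, and repeated authentication failures against the Manager app. It assumes the appliance's Tomcat writes an AccessLogValve log in the default `%h %l %u %t "%r" %s %b` pattern; the log lines, IP addresses, user names and the three-failure threshold are all constructed for the example.

```python
"""Hunt a Tomcat access log for Manager-app abuse (added example, not the post's code)."""
import re
from collections import Counter
from dataclasses import dataclass

# Default Tomcat AccessLogValve pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

FAILED_AUTH_THRESHOLD = 3  # assumption: three 401/403s from one source is worth an analyst's look


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low"
    source: str     # client address from %h
    reason: str
    line: str       # the raw log line, kept for the analyst (empty for aggregate findings)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["target"].split("?", 1)[0]  # drop the query string
    return rec


def analyze(lines, allowed_sources):
    """Flag Manager-app activity worth reviewing.

    allowed_sources: set of client addresses expected to reach the Manager
    (jump hosts, admin workstations). Anything else is treated as anomalous.
    """
    findings = []
    failed_auth = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith("/manager"):
            continue
        host, status, path = rec["host"], rec["status"], rec["path"]
        if status in (401, 403):
            failed_auth[host] += 1
            continue
        if path.startswith("/manager/text/deploy"):
            # Any deploy through the text interface is a candidate web-shell drop;
            # reconcile it with change records even when the source is allowed.
            findings.append(Finding(
                "high", host,
                f"{rec['method']} to {path} as user '{rec['user']}' (HTTP {status})", line))
        elif status < 400 and host not in allowed_sources:
            findings.append(Finding(
                "medium", host,
                f"successful Manager access to {path} from unexpected source", line))
    for host, n in failed_auth.items():
        if n >= FAILED_AUTH_THRESHOLD:
            findings.append(Finding(
                "low", host,
                f"{n} failed Manager authentications (possible credential guessing)", ""))
    return findings


# Constructed sample log: one legitimate admin session, then a guessing burst
# followed by a successful login and a deploy from an address that is not allowed.
SAMPLE_LOG = [
    '10.20.30.40 - admin [12/Mar/2026:09:14:01 +0000] "GET /manager/html HTTP/1.1" 200 9834',
    '203.0.113.77 - - [12/Mar/2026:09:20:15 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '203.0.113.77 - - [12/Mar/2026:09:20:16 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '203.0.113.77 - - [12/Mar/2026:09:20:17 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '203.0.113.77 - tomcat [12/Mar/2026:09:20:18 +0000] "GET /manager/text/list HTTP/1.1" 200 112',
    '203.0.113.77 - tomcat [12/Mar/2026:09:20:19 +0000] "PUT /manager/text/deploy?path=/ROOT/x&update=true HTTP/1.1" 200 56',
    '10.20.30.40 - admin [12/Mar/2026:10:01:00 +0000] "GET /app/index.jsp HTTP/1.1" 200 1200',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG, allowed_sources={"10.20.30.40"}):
        print(f"[{f.severity.upper()}] {f.source}: {f.reason}")
```

On the sample above the script reports the unexpected-source access, the deploy, and the burst of failures from the same address. Run it against the real access log with the allow-list set to your management jump hosts; every deploy it reports should match a change ticket, and an authenticated Manager session from an address that is not on the list is exactly the signal step 3 asks you to look for.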


Strategic Takeaway

This campaign reinforces a hard truth: backup and disaster recovery systems are now prime targets for advanced threat actors. These systems often sit at the intersection of trust, replication, and privileged access — making them attractive footholds for espionage and long-term persistence.

Organizations must reevaluate how backup infrastructure is segmented, monitored, and hardened. The assumption that internal appliances are inherently secure is no longer defensible.

If your organization operates VMware environments or Dell RecoverPoint infrastructure and would like assistance validating exposure, conducting threat hunting, or strengthening your defensive posture, Critical Path Security is prepared to help.