CISA Orders Feds to Patch Dell Flaw Within 3 Days
Federal agencies must patch CVE-2026-22769 by Saturday after CISA confirms Chinese hackers exploited the Dell RecoverPoint vulnerability since 2024.
CISA is giving federal agencies just three days to patch a critical Dell vulnerability already exploited by Chinese state-sponsored hackers. The agency added CVE-2026-22769 to its Known Exploited Vulnerabilities catalog on Wednesday, setting Saturday, February 21 as the remediation deadline.
TL;DR
- What happened: CISA mandated 3-day patching deadline for Dell RecoverPoint vulnerability
- Who's affected: Federal Civilian Executive Branch agencies using Dell RecoverPoint for VMs
- Severity: Critical (CVSS 10.0)—hardcoded credentials allow root access
- Action required: Upgrade to version 6.0.3.1 HF1 or discontinue use by February 21
Why the Rush?
The compressed timeline reflects the severity of confirmed exploitation. We covered the full technical details of this campaign yesterday, but the short version: Chinese threat actor UNC6201 has been exploiting this vulnerability since mid-2024—roughly 18 months before disclosure.
Nick Andersen, CISA executive assistant director, didn't mince words in the agency's announcement: "Hard-coded credentials remain a critical risk, and CISA urges all organizations to take decisive steps now to mitigate exposure and prevent compromise."
The flaw affects Dell RecoverPoint for Virtual Machines, a product used for VMware backup and disaster recovery. CVE-2026-22769 earned a perfect CVSS score of 10.0 because it requires no authentication—attackers who know the hardcoded credentials get immediate root-level access.
Federal Mandate Under BOD 22-01
The three-day deadline stems from Binding Operational Directive 22-01, which requires Federal Civilian Executive Branch agencies to remediate vulnerabilities in CISA's KEV catalog by specified due dates. The directive treats confirmed exploitation as automatic escalation.
CISA's Wednesday alert added two vulnerabilities to the catalog:
- CVE-2026-22769: Dell RecoverPoint hardcoded credentials (due Feb 21)
- CVE-2021-22175: GitLab SSRF vulnerability
Agencies that can't patch must either apply Dell's mitigation script or discontinue use of the product entirely.
Why Backup Systems Matter
Security experts noted that targeting backup and disaster recovery platforms represents sophisticated threat actor tradecraft.
Shane Barney from Keeper Security observed that compromising these systems can undermine an organization's ability to recover from attacks. Mayuresh Dani from Qualys added that the attackers clearly understand "modern VMware DR architectures and know how to live in them quietly."
This isn't theoretical—Google Mandiant's research showed UNC6201 pivoting from Dell RecoverPoint into VMware environments, creating hidden "Ghost NICs" on ESXi servers for stealthy lateral movement. That progression from backup appliance to virtualization infrastructure is exactly the kind of deep access that made the BRICKSTORM backdoor so concerning to CISA last year.
What Organizations Should Do
Mandiant CTO Charles Carmakal urged immediate action: "Any organization using Dell RecoverPoint for Virtual Machines should immediately apply the recommendations provided by Dell."
For non-federal organizations, CISA's deadline doesn't apply directly—but the underlying threat does. The recommended steps:
- Upgrade to version 6.0.3.1 HF1, which removes the hardcoded credentials
- For older version 5.3 deployments, follow Dell's migration guidance
- Hunt for compromise indicators including SLAYSTYLE, BRICKSTORM, and GRIMBOLT malware
- Check VMware infrastructure for unexpected network interfaces or iptables rules
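The last hunt step, comparing a host's interfaces and firewall rules against a known-good baseline, as an added example that is not code from the article, Dell, CISA or Mandiant. It assumes a baseline was saved at deployment time and that the current `ip -o link show` and `iptables -S` output is fed in as text; the sample output below is constructed.

```python
"""Baseline drift check for network interfaces and iptables rules.
Added example, not from the article or the vendors it cites. All sample
output below is constructed; on a real host, replace it with the saved
baseline and the live `ip -o link show` / `iptables -S` output.
"""
import re

# Constructed known-good baseline captured when the appliance was deployed.
BASELINE_LINKS = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
"""
BASELINE_RULES = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""
# Constructed "current" output: one extra interface and one extra rule.
CURRENT_LINKS = BASELINE_LINKS + "3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP\n"
CURRENT_RULES = BASELINE_RULES + "-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT\n"

_LINK_RE = re.compile(r"^\d+:\s+([^:@\s]+)")

def parse_links(text):
    """Interface names from `ip -o link show` output; drops the @parent suffix of virtual links."""
    names = set()
    for line in text.splitlines():
        m = _LINK_RE.match(line)
        if m:
            names.add(m.group(1))
    return names

def parse_rules(text):
    """`iptables -S` lines as a set; rule order does not matter for drift detection."""
    return {ln.strip() for ln in text.splitlines() if ln.strip()}

def drift(baseline_links, baseline_rules, current_links, current_rules):
    """Return what appeared or vanished relative to the baseline."""
    b_links, c_links = parse_links(baseline_links), parse_links(current_links)
    b_rules, c_rules = parse_rules(baseline_rules), parse_rules(current_rules)
    return {
        "new_interfaces": sorted(c_links - b_links),
        "missing_interfaces": sorted(b_links - c_links),
        "new_rules": sorted(c_rules - b_rules),
        "missing_rules": sorted(b_rules - c_rules),
    }

if __name__ == "__main__":
    for key, items in drift(BASELINE_LINKS, BASELINE_RULES, CURRENT_LINKS, CURRENT_RULES).items():
        for item in items:
            print(f"{key}: {item}")
```

Anything reported as new or missing is a lead for investigation, not proof of compromise; compare it against change records before escalating.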
Mandiant is aware of "less than a dozen" directly compromised organizations, but warned that figure likely undercounts actual impact given the 18-month exploitation window.
The Bigger Picture
This is another instance of the edge-device exploitation that CISA has increasingly prioritized. Network appliances and infrastructure products often lack the monitoring coverage that endpoints receive, making them attractive targets for persistent access.
Dell acknowledged receiving reports of "limited active exploitation" and directed customers to its security advisory for remediation guidance. The company hasn't commented on how long the hardcoded credentials existed in the product before discovery.
For federal agencies, Saturday's deadline is firm. For everyone else, treat it as a strong signal that patching today beats investigating a breach tomorrow.