Dell Zero-Day Exploited by Chinese Hackers Since 2024
Chinese threat group UNC6201 exploited a critical hardcoded credential flaw (CVE-2026-22769) in Dell RecoverPoint for 18 months before disclosure. Patch now.
A Chinese cyberespionage group quietly exploited a critical zero-day vulnerability in Dell RecoverPoint for Virtual Machines for at least 18 months before researchers discovered the campaign. Google's Mandiant and Threat Intelligence Group disclosed Tuesday that attackers had root-level access to victim systems since mid-2024 using nothing more than a hardcoded password.
TL;DR
- What happened: Chinese threat actor UNC6201 exploited CVE-2026-22769 to deploy backdoors on Dell RecoverPoint appliances since mid-2024
- Who's affected: Organizations using Dell RecoverPoint for Virtual Machines prior to version 6.0.3.1 HF1
- Severity: Critical (CVSS 10.0)—unauthenticated remote code execution with root persistence
- Action required: Upgrade to version 6.0.3.1 HF1 or apply Dell's remediation script immediately
What Makes This Attack So Concerning
The vulnerability itself is almost embarrassingly simple: Dell's RecoverPoint for Virtual Machines shipped with hardcoded default credentials in its Apache Tomcat configuration. Anyone who knew those credentials—and now everyone does—could authenticate to the Tomcat Manager interface and deploy malicious code.
CVE-2026-22769 carries a maximum CVSS score of 10.0. Dell's advisory describes the impact: an unauthenticated attacker "could potentially exploit this vulnerability leading to unauthorized access to the underlying operating system and root-level persistence."
For UNC6201, the hardcoded credentials were the front door. Once inside, they deployed a malicious WAR file containing a web shell called SLAYSTYLE that gave them persistent root command execution.
Who Is UNC6201?
Mandiant tracks the threat actor as UNC6201, a suspected PRC-nexus cluster with "notable overlaps" with UNC5221—better known as Silk Typhoon. That connection matters because Silk Typhoon was behind the December 2025 Treasury Department breach and has shown a pattern of targeting IT infrastructure to reach downstream victims.
UNC6201 shares operational infrastructure and tooling with these earlier campaigns. Most notably, both groups deploy BRICKSTORM, a sophisticated backdoor that CISA warned about in a joint advisory last year. The agencies attributed BRICKSTORM to PRC state-sponsored actors targeting government and IT sectors.
The Attack Chain
After gaining initial access through the hardcoded credentials, UNC6201 followed a methodical playbook:
Initial foothold: Attackers authenticated to the Tomcat Manager and uploaded a malicious WAR file containing the SLAYSTYLE web shell. This gave them root-level command execution on the Dell appliance.
Persistence: They modified legitimate startup scripts to ensure automatic execution after reboot, then deployed BRICKSTORM for command-and-control communication.
Malware evolution: In September 2025, the group began replacing BRICKSTORM with a new backdoor called GRIMBOLT. Written in C# and compiled using Native AOT compilation (then packed with UPX), GRIMBOLT offers the same remote shell capability but proved harder for defenders to analyze and detect.
Lateral movement: Here's where things got creative. The attackers pivoted into VMware environments and created "Ghost NICs"—hidden virtual network interfaces on ESXi servers that let them move laterally without triggering network monitoring.
They also deployed iptables-based Single Packet Authorization on vCenter appliances. This technique lets attackers send a specially crafted packet to "unlock" access to the compromised system—traffic that doesn't match the authorization signature gets dropped silently.
Known Victims and Scope
Mandiant knows of "less than a dozen" organizations directly compromised through CVE-2026-22769. However, the broader BRICKSTORM campaign has hit dozens of US organizations, according to Austin Larsen from Google Threat Intelligence Group.
"The actor is likely still active in unpatched environments," Larsen noted, adding that attackers had "significant time to establish persistence and carry out long-term espionage."
That 18-month head start is the real story here. Organizations that haven't patched need to assume compromise and look for GRIMBOLT indicators—not just the older BRICKSTORM samples from earlier government advisories.
CISA Adds to KEV Catalog
CISA added CVE-2026-22769 to its Known Exploited Vulnerabilities catalog on February 18, setting a remediation deadline for federal agencies. The KEV listing confirms active exploitation and requires civilian executive branch agencies to patch within a defined timeframe.
Dell acknowledged receiving "a report of limited active exploitation" and urged customers to follow the guidance in their security advisory.
What to Do Now
Organizations running Dell RecoverPoint for Virtual Machines should:
- Upgrade immediately to version 6.0.3.1 HF1, which removes the hardcoded credentials
- For version 5.3 deployments, follow Dell's migration or upgrade paths detailed in the advisory
- Hunt for indicators: Search for SLAYSTYLE, BRICKSTORM, and GRIMBOLT artifacts in your environment
- Check VMware infrastructure: Look for unexpected Ghost NICs on ESXi hosts and unusual iptables rules on vCenter appliances
- Review network logs: Single Packet Authorization leaves minimal traces, but authentication to Tomcat Manager from unexpected sources should trigger investigation
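The last item above is the most actionable hunt for this CVE: on an unpatched appliance, a successful Tomcat Manager login from a host that is not one of your admin jump boxes is exactly the front door described earlier. The following is an added example (not Dell's code and not from the Mandiant report) that triages Tomcat access logs in the default common log format; the trusted network range and the sample log lines are constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Tomcat's default AccessLogValve pattern is "%h %l %u %t \"%r\" %s %b" (common log format).
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Assumed allow-list of legitimate admin sources; replace with your real jump hosts.
TRUSTED_NETS = [ip_network("10.0.50.0/24")]

# Constructed sample lines for illustration, not real log data.
SAMPLE_LOG = """\
10.0.50.7 - admin [18/Feb/2026:09:12:01 +0000] "GET /manager/html HTTP/1.1" 200 5210
203.0.113.45 - admin [18/Feb/2026:09:15:33 +0000] "GET /manager/html HTTP/1.1" 200 5210
203.0.113.45 - admin [18/Feb/2026:09:15:48 +0000] "PUT /manager/text/deploy?path=/x HTTP/1.1" 200 41
10.0.50.7 - - [18/Feb/2026:09:20:10 +0000] "GET /RecoverPoint/ HTTP/1.1" 200 120
198.51.100.9 - - [18/Feb/2026:09:21:00 +0000] "GET /manager/html HTTP/1.1" 401 2473
"""

def is_trusted(host: str) -> bool:
    """True when the client address falls inside an allow-listed admin network."""
    try:
        addr = ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)

def find_suspicious_manager_access(log_text: str) -> list[dict]:
    """Return successful (non-4xx/5xx) Tomcat Manager requests from untrusted hosts.
    A deploy call is rated high priority because that is how a malicious WAR
    (the SLAYSTYLE delivery vehicle) gets installed."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith("/manager/"):
            continue
        status = int(m["status"])
        if status >= 400 or is_trusted(m["host"]):
            continue  # failed attempts and trusted admins are not flagged here
        deploy = "/manager/text/deploy" in m["path"] or m["method"] == "PUT"
        findings.append({
            "host": m["host"], "user": m["user"], "time": m["time"],
            "path": m["path"], "priority": "high" if deploy else "medium",
        })
    return findings
```

Run `find_suspicious_manager_access(SAMPLE_LOG)` against the sample data to see the two untrusted hits, then point it at the appliance's real access logs; any "high" finding on an unpatched appliance should be treated as a likely compromise, not a false positive.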
The combination of maximum severity, trivial exploitation, and confirmed state-sponsored compromise makes this one of the more serious advisories we've seen this month. Organizations that delayed patching enterprise infrastructure vulnerabilities like the Chrome zero-day disclosed yesterday should treat this Dell flaw with similar urgency.
Why This Matters
This campaign illustrates the ongoing threat from Chinese cyberespionage groups targeting enterprise infrastructure. The choice of a backup and disaster recovery product isn't random—these systems often sit at the intersection of critical data flows and have elevated privileges across virtualized environments.
The shift from BRICKSTORM to GRIMBOLT also signals operational security awareness. When defenders publish IOCs for one malware family, sophisticated actors adapt rather than continue using burned tooling. Organizations should expect continued evolution from this cluster.