Dell RecoverPoint for Virtual Machines has a vulnerability, tracked as CVE-2026-22769, that a China-linked cyberespionage group has been exploiting as a zero-day since at least 2024, according to Google Threat Intelligence Group (GTIG) and Mandiant. The threat actor, tracked as UNC6201, is said to have used the flaw for lateral movement, persistence and malware deployment.
RecoverPoint for Virtual Machines, which provides resilience and disaster recovery for VMware VMs, is affected by a hardcoded-credential flaw in versions prior to 6.0.3.1 HF1; Dell's advisory for CVE-2026-22769 directs users to update to the patched version as soon as possible. Because the weakness is a hardcoded credential rather than a memory-safety bug, updating is the only complete fix, and it does not by itself remove malware or persistence that an attacker has already established on the appliance. The attacks involved the GrimBolt and BrickStorm malware families, and a web shell named SlayStyle was deployed alongside them; Google researchers also noted UNC6201's use of "ghost NICs" on virtual machines to hinder investigation.
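The first practical step for a defender is to find every RecoverPoint for VMs instance that sits below the fixed build. The script below is an added example, not code from Dell, GTIG or Mandiant: it parses version strings of the form `a.b.c.d` with an optional `HFn` hotfix suffix (the exact format reported by the appliance is an assumption; adjust the regex to match your inventory export) and sorts a constructed sample inventory into affected, patched and unparsed buckets. Note that a plain 6.0.3.1 without the HF1 hotfix still counts as affected, and anything that fails to parse is flagged for manual review rather than silently treated as safe.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed build from Dell's advisory for CVE-2026-22769; anything sorting below it is affected.
FIXED_VERSION = "6.0.3.1 HF1"

# Assumed format: dotted numeric version, optional "HF<n>" hotfix suffix.
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> Optional[Tuple[Tuple[int, ...], int]]:
    """Return ((major, minor, patch, build), hotfix) or None if the string is not parseable.

    Numeric components are padded to four places so "6.0.3" compares as 6.0.3.0;
    a missing hotfix suffix is treated as hotfix 0, which sorts below HF1.
    """
    m = _VERSION_RE.match(text)
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    parts = parts + (0,) * (4 - len(parts))
    hotfix = int(m.group(2)) if m.group(2) else 0
    return parts, hotfix


def is_affected(version: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if `version` sorts before the fixed build, False if at or above it,
    None when it could not be parsed (treat as needs-review, not as safe)."""
    v = parse_version(version)
    f = parse_version(fixed)
    if v is None or f is None:
        return None
    return v < f


# Constructed sample inventory (hostname -> version as reported); not real hosts.
SAMPLE_INVENTORY: Dict[str, str] = {
    "rp4vm-dc1-01": "6.0.3.1 HF1",   # patched
    "rp4vm-dc1-02": "6.0.3.1",       # same base build, hotfix missing: affected
    "rp4vm-dc2-01": "5.3.2",         # older release: affected
    "rp4vm-lab-01": "6.0.4",         # newer release: patched
    "rp4vm-lab-02": "unknown",       # inventory gap: needs manual review
}


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts into 'affected', 'patched' and 'unparsed' buckets (hostnames sorted)."""
    result: Dict[str, List[str]] = {"affected": [], "patched": [], "unparsed": []}
    for host, version in sorted(inventory.items()):
        state = is_affected(version)
        key = "unparsed" if state is None else ("affected" if state else "patched")
        result[key].append(host)
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Feed `triage` a dict built from your CMDB or vCenter export instead of `SAMPLE_INVENTORY`; the unparsed bucket is the one to chase first, since an appliance whose version nobody can state is also one nobody is patching.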
Mandiant’s Charles Carmakal commented that nation-state actors target systems that do not commonly support EDR solutions, prolonging intrusion dwell times. GTIG and Mandiant have published IoCs to help defenders detect potential activity.