www.darkreading.com, 2/18/2026, 9:16:08 PM

Dell's Hard-Coded Flaw: A Nation-State Goldmine

CyberSIXT Evidence Panel
CISA KEV: listed in KEV
Patch: available
Threat actor: UNC6201

A China-related attacker has exploited a hard-coded credential vulnerability in Dell RecoverPoint for Virtual Machines, with activity observed since mid-2024, using it to move laterally, maintain persistent access, and deploy malware. According to Google Cloud's Mandiant, CVE-2026-22769 is a CVSS 10 flaw in Dell RecoverPoint for Virtual Machines, and UNC6201 has allegedly used it to deploy Slaystyle, Brickstorm, and a novel backdoor tracked as Grimbolt.

Grimbolt is notable because it is a C# backdoor compiled using native ahead-of-time compilation, making it harder to reverse engineer, according to the researchers. The campaign also involved accessing Dell appliances via hard-coded admin credentials in the Tomcat Manager, enabling the threat actor to upload a malicious WAR file and execute commands as root on the appliance.
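The Manager-based deployment described above leaves a trace that defenders can look for: a request to the Tomcat Manager application's deploy or upload endpoint, typically from a source that has no business reaching the Manager at all. The following is an added example, not code from the article, Dell, or Mandiant. It assumes stock Tomcat access logs in Common Log Format and the stock Manager paths (/manager/text/deploy, /manager/html/upload, /manager/deploy); the appliance's real log location and paths are not stated in the article, and the sample log lines are constructed.

```python
"""Flag Tomcat Manager application deployments and off-allowlist Manager access.

Added example for the attack pattern described in the article (hard-coded
Manager credentials used to deploy a WAR). Assumes stock Tomcat access logs in
Common Log Format and stock Manager endpoint paths; both are assumptions, not
details taken from the article.
"""
import re

# Common Log Format as written by Tomcat's AccessLogValve (assumed layout).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+$'
)

# Stock Tomcat Manager endpoints that install a new web application
# (assumed: text/HTML Manager interfaces of a default Tomcat install).
DEPLOY_ENDPOINTS = ("/manager/text/deploy", "/manager/html/upload", "/manager/deploy")

# Constructed sample log: 10.0.0.5 is an unexpected source, 192.168.1.20 is the
# administrator workstation that is allowed to use the Manager.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jun/2024:02:14:07 +0000] "GET /ui/ HTTP/1.1" 200 5120
10.0.0.5 - admin [10/Jun/2024:02:15:31 +0000] "GET /manager/text/list HTTP/1.1" 200 338
10.0.0.5 - admin [10/Jun/2024:02:15:40 +0000] "PUT /manager/text/deploy?path=/svc&update=true HTTP/1.1" 200 47
192.168.1.20 - admin [10/Jun/2024:09:00:00 +0000] "GET /manager/html HTTP/1.1" 200 9000
192.168.1.20 - admin [10/Jun/2024:09:02:10 +0000] "PUT /manager/text/deploy?path=/reporting HTTP/1.1" 200 51
"""


def parse_line(line):
    """Return a dict for one CLF line, or None if the line does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def detect_manager_activity(log_text, allowed_sources):
    """Return one alert per Manager request that is either a successful
    deployment or comes from a source not on the allowlist.

    Every successful deployment is reported, even from an allowed source,
    because a new application appearing on a backup appliance should always
    be reconciled against a change record.
    """
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path_only = rec["path"].split("?", 1)[0]
        if not path_only.startswith("/manager"):
            continue
        reasons = []
        if rec["src"] not in allowed_sources:
            reasons.append("manager access from non-allowlisted source")
        if path_only.startswith(DEPLOY_ENDPOINTS) and rec["status"] == 200:
            reasons.append("application deployed via Manager")
        if reasons:
            alerts.append({
                "src": rec["src"],
                "user": rec["user"],
                "ts": rec["ts"],
                "method": rec["method"],
                "path": path_only,
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for a in detect_manager_activity(SAMPLE_LOG, allowed_sources={"192.168.1.20"}):
        print(f'{a["ts"]} {a["src"]} {a["method"]} {a["path"]}: {"; ".join(a["reasons"])}')
```

Run against the constructed log with `192.168.1.20` as the only allowed source, this reports three events: the Manager listing and the deployment from `10.0.0.5`, and the deployment from the administrator workstation. The allowlist is the cheap, high-value part: on an appliance where the Manager credential is hard-coded, the credential itself cannot be trusted as a signal, so the source of the request and the fact of a deployment are what is worth alerting on.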

Dell's advisory warns that an unauthenticated remote attacker could exploit the vulnerability to gain unauthorized OS access and root-level persistence, and it recommends upgrading to RecoverPoint for Virtual Machines 6.0.3.1 HF1 or following the remediation script. A Dell spokesperson confirmed limited active exploitation, though no additional details were provided.


Article by CyberSIXT