A zero-day vulnerability in Dell RecoverPoint for Virtual Machines, CVE-2026-22769, has been exploited in the wild, with activity reported since mid-2024. The flaw carries the maximum CVSS score of 10.0 and affects versions prior to 6.0.3.1 HF1. According to Google Mandiant and Google Threat Intelligence Group (GTIG), a suspected China-nexus threat cluster tracked as UNC6201 is behind the campaigns, which deployed the BRICKSTORM malware family and later transitioned to the GRIMBOLT backdoor.
Dell’s bulletin states that the flaw involves hard-coded credentials and unauthenticated remote access that could lead to root-level persistence on the appliance, and it cautions that RecoverPoint for Virtual Machines is not intended for deployment on untrusted or public networks. The advisory lists upgrade paths: systems running 5.3 SP4 or 5.3 SP4 P1 must first be migrated to 6.0 SP3 and then have 6.0.3.1 HF1 applied, and it notes that deployments on 6.0 and 5.3 SP4 must be upgraded as a prerequisite to remediation.
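Because the advisory mixes dotted builds (6.0.3.1 HF1) with service-pack notation (5.3 SP4 P1, 6.0 SP3), the first practical task for a defender is deciding which appliances in an inventory are still below the fixed build. The following is an added example, not code from Dell or from the Google write-up: it normalises both notations into one comparable tuple and flags hosts that need the hotfix. The mapping of "SPn" to the third dotted component (so 6.0 SP3 is treated as 6.0.3) and "Pn" to the fourth is an assumption inferred from the advisory's pairing of 6.0 SP3 with 6.0.3.1 HF1, not a documented Dell rule, and the inventory entries are constructed sample data.

```python
import re

# Fixed build from Dell's advisory, 6.0.3.1 HF1, as a comparable tuple:
# (major, minor, service_pack, patch, hotfix).
FIXED_VERSION = (6, 0, 3, 1, 1)

# Accepts "6.0.3.1 HF1", "6.0.3.1", "6.0 SP3", "5.3 SP4 P1", "6.1" and similar.
_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:\.(?P<sp_dot>\d+))?(?:\.(?P<patch_dot>\d+))?"
    r"(?:\s*SP(?P<sp>\d+))?"
    r"(?:\s*P(?P<patch>\d+))?"
    r"(?:\s*HF(?P<hf>\d+))?$",
    re.IGNORECASE,
)


def parse_rpvm_version(text):
    """Parse a RecoverPoint for VMs version string into a comparable tuple.

    Assumption (not from Dell's documentation): 'SPn' and the third dotted
    component are the same field, 'Pn' and the fourth dotted component are
    the same field, and 'HFn' is a fifth component that defaults to 0.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised RPVM version string: {text!r}")
    g = match.groupdict()
    service_pack = g["sp"] or g["sp_dot"] or 0
    patch = g["patch"] or g["patch_dot"] or 0
    hotfix = g["hf"] or 0
    return (int(g["major"]), int(g["minor"]), int(service_pack), int(patch), int(hotfix))


def is_affected(version_text):
    """True when the build predates 6.0.3.1 HF1 and is therefore in scope for CVE-2026-22769."""
    return parse_rpvm_version(version_text) < FIXED_VERSION


# Constructed sample inventory; hostnames and versions are made up for the example.
SAMPLE_INVENTORY = [
    {"host": "rpvm-dc1-01", "version": "5.3 SP4 P1"},
    {"host": "rpvm-dc1-02", "version": "6.0 SP3"},
    {"host": "rpvm-dc2-01", "version": "6.0.3.1 HF1"},
    {"host": "rpvm-lab-01", "version": "6.0.3.1"},
]


def triage(inventory):
    """Return (host, version, next_step) for every appliance still below the fixed build.

    The next step follows the advisory: 5.3 trains must first be migrated to
    6.0 SP3, after which 6.0.3.1 HF1 is applied; 6.0 trains go straight to the hotfix.
    """
    findings = []
    for item in inventory:
        parsed = parse_rpvm_version(item["version"])
        if parsed >= FIXED_VERSION:
            continue
        if parsed[:2] == (5, 3):
            step = "migrate to 6.0 SP3, then apply 6.0.3.1 HF1"
        else:
            step = "apply 6.0.3.1 HF1"
        findings.append((item["host"], item["version"], step))
    return findings


if __name__ == "__main__":
    for host, version, step in triage(SAMPLE_INVENTORY):
        print(f"{host}: {version} is affected -> {step}")
```

Run against a real inventory export, treat any `ValueError` from the parser as a host that needs manual review rather than one that is safe, and remember that a version check only says whether the hole is closed, not whether it was already used: appliances that were exposed while vulnerable still need the compromise assessment the Google findings call for.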
Google also described the attackers creating so-called “Ghost NICs” to pivot within victim networks and erase traces of their activity, and noted that GRIMBOLT incorporates features designed to evade detection.