EXECUTIVE SUMMARY
China-linked threat actors (UNC6201) have been exploiting a critical Dell RecoverPoint for Virtual Machines zero-day (CVE-2026-22769) since mid-2024. The vulnerability involves hardcoded credentials that enable unauthenticated root-level access and the deployment of persistent backdoors. Attackers transitioned from the Brickstorm malware to the more advanced Grimbolt implant and used hidden VMware ESXi “Ghost NICs” for stealthy lateral movement. The campaign targets organizations using VMware environments across sectors such as legal, technology, and manufacturing, with the full extent of impact still under investigation.
- CVE: CVE-2026-22769
- CVSS: 10.0
- Active Region: Global
- Affected Sector: Critical infrastructure, legal, technology, manufacturing, and enterprises operating VMware environments
- Affected Product: Dell RecoverPoint for Virtual Machines
- Severity: Critical
- Published Date: February 17, 2026
TECHNICAL DETAILS
- Target: Dell RecoverPoint for Virtual Machines appliances deployed in VMware environments, particularly infrastructure appliances that often lack traditional endpoint detection and response (EDR) visibility.
- Root Cause: A hardcoded credential vulnerability (CVE-2026-22769) that allows an unauthenticated remote attacker with knowledge of the credential to gain unauthorized access and achieve root-level persistence on the underlying operating system.
- Prerequisite For Exploitation: Attackers require network-level access to the vulnerable……
