Close Menu
    What's Hot

    Iran War Live Updates: U.S. and Iran Escalate Attacks, While Hinting at Diplomacy

    U.K. Nationalizes British Steel, Its Last Major Steel Mill

    RENK Group AG (RKGRY) Discusses Pre-Close Update and Strong Order Intake Driven by Defense Contracts Prepared Remarks Transcript

    Facebook X (Twitter) Instagram
    Trending
    • Iran War Live Updates: U.S. and Iran Escalate Attacks, While Hinting at Diplomacy
    • U.K. Nationalizes British Steel, Its Last Major Steel Mill
    • RENK Group AG (RKGRY) Discusses Pre-Close Update and Strong Order Intake Driven by Defense Contracts Prepared Remarks Transcript
    • Nations Championship: Ireland bring back big names for clash against New Zealand All Blacks at Eden Park | Rugby Union News
    • Mass Protests Across Ukraine Oppose Ouster of Defense Minister
    • Opinion | ICE Is Out of Control. Here’s What to Do About It.
    • The Army Veteran Killed Outside His ‘Trump House’
    • Sam Neill’s Cause of Death Was Pneumonia, Actor’s Agent Confirms
    interluknewsinterluknews
    • Home
    • Business
      • Corporate News
      • Industry Insights
      • Startups & Entrepreneurship
      • Technology & Innovation
    • Economy
      • Economic Policy
      • Financial Analysis
      • Inflation & Interest Rates
      • Trade & Markets
    • Global
      • Conflicts & Security
      • Diplomacy
      • Global Trends
      • International Affairs
    • Lifestyle
      • Fashion
      • Food & Dining
      • Personal Development
      • Travel
    • Opinion
      • Columns
      • Editorials
      • Expert Opinions
      • Reader Voices
    • More
      • Politics
        • Elections
        • Government & Policy
        • International Relations
        • Political Analysis
      • Sports
        • Cricket
        • Football / Soccer
        • International Sports
        • Local Sports
      • Technology
        • Artificial Intelligence
        • Cybersecurity
        • Gadgets & Reviews
        • Tech News
      • South Africa News
    Facebook X (Twitter) Instagram
    interluknewsinterluknews
    Cybersecurity

    Dell RecoverPoint for VMs Zero-Day CVE-2026-22769 Exploited Since Mid-2024

    adminBy adminFebruary 19, 2026No Comments5 Mins Read
    Share Facebook Twitter Pinterest Copy Link Telegram LinkedIn Tumblr Email
    Dell RecoverPoint for VMs Zero-Day CVE-2026-22769 Exploited Since Mid-2024
    Share
    Facebook Twitter LinkedIn Pinterest Email

    Ravie LakshmananFeb 18, 2026Zero-Day / Vulnerability

    Dell RecoverPoint for VMs Zero-Day CVE-2026-22769 Exploited Since Mid-2024

    A maximum severity security vulnerability in Dell RecoverPoint for Virtual Machines has been exploited as a zero-day by a suspected China-nexus threat cluster dubbed UNC6201 since mid-2024, according to a new report from Google Mandiant and Google Threat Intelligence Group (GTIG).

    The activity involves the exploitation of CVE-2026-22769 (CVSS score: 10.0), a case of hard-coded credentials affecting versions prior to 6.0.3.1 HF1. Other products, including RecoverPoint Classic, are not vulnerable to the flaw.

    “This is considered critical as an unauthenticated remote attacker with knowledge of the hardcoded credential could potentially exploit this vulnerability, leading to unauthorized access to the underlying operating system and root-level persistence,” Dell said in a bulletin released Tuesday.

    The issue impacts the following products –

    • RecoverPoint for Virtual Machines Version 5.3 SP4 P1 – Migrate from RecoverPoint for Virtual Machines 5.3 SP4 P1 to 6.0 SP3, and then upgrade to 6.0.3.1 HF1
    • RecoverPoint for Virtual Machines Versions 6.0, 6.0 SP1, 6.0 SP1 P1, 6.0 SP1 P2, 6.0 SP2, 6.0 SP2 P1, 6.0 SP3, and 6.0 SP3 P1 – Upgrade to 6.0.3.1 HF1
    • RecoverPoint for Virtual Machines Versions 5.3 SP4, 5.3 SP3, 5.3 SP2, and earlier – Upgrade to version 5.3 SP4 P1 or a 6.x version, and then apply the necessary remediation 

    “Dell recommends that RecoverPoint for Virtual Machines be deployed within a trusted, access-controlled internal network protected by appropriate firewalls and network segmentation,” it noted. “RecoverPoint for Virtual Machines is not intended for use on untrusted or public networks.”

    Cybersecurity

    Per Google, the hard-coded credential relates to an “admin” user for the Apache Tomcat Manager instance that could be used authenticate to the Dell RecoverPoint Tomcat Manager, upload a web shell named SLAYSTYLE via the “/manager/text/deploy” endpoint, and execute commands as root on the appliance to drop the BRICKSTORM backdoor and its newer version dubbed GRIMBOLT.

    “This is a C# backdoor compiled using native ahead-of-time (AOT) compilation, making it harder to reverse engineer,” Mandiant’s Charles Carmakal added.

    Google told The Hacker News that the activity has targeted organizations across North America, with GRIMBOLT incorporating features to better evade detection and minimize forensic traces on infected hosts. “GRIMBOLT is even better at blending in with the system’s own native files,” it added.

    UNC6201 is also assessed to share overlaps with UNC5221, another China-nexus espionage cluster known for its exploitation of virtualization technologies and Ivanti zero-day vulnerabilities to distribute web shells and malware families like BEEFLUSH, BRICKSTORM, and ZIPLINE.

    Despite the tactical similarities, the two clusters are assessed to be distinct at this stage. It’s worth noting that the use of BRICKSTORM has also been linked by CrowdStrike to a third China-aligned adversary tracked as Warp Panda in attacks aimed at U.S. entities.

    A noteworthy aspect of the latest set of attacks revolves around UNC6201’s reliance on temporary virtual network interfaces – referred to as “Ghost NICs” – to pivot from compromised virtual machines into internal or SaaS environments, and then delete those NICs to cover up the tracks in an effort to impede investigation efforts.

    “Consistent with the earlier BRICKSTORM campaign, UNC6201 continues to target appliances that typically lack traditional endpoint detection and response (EDR) agents to remain undetected for long periods,” Google said.

    Exactly how initial access is obtained remains unclear, but like UNC5221, it’s also known to target edge appliances to break into target networks. An analysis of the compromised VMware vCenter appliances has also uncovered iptable commands executed by means of the web shell to perform the following set of actions –

    • Monitor incoming traffic on port 443 for a specific HEX string
    • Add the source IP address of that traffic to a list and if the IP address is on the list and connects to port 10443, the connection is ACCEPTED
    • Silently redirect subsequent traffic to port 443 to port 10443 for the next 300 seconds (five minutes) if the IP is on the approved list

    Furthermore, the threat actor has been found replacing old BRICKSTORM binaries with GRIMBOLT in September 2025. While GRIMBOLT also provides a remote shell capability and uses the same command-and-control (C2) as BRICKSTORM, it’s not known what prompted the shift to the harder-to-detect malware, and whether it was a planned transition or a response to public disclosures about BRICKSTORM.

    Cybersecurity

    “Nation-state threat actors continue targeting systems that don’t commonly support EDR solutions, which makes it very hard for victim organizations to know they are compromised and significantly prolongs intrusion dwell times,” Carmakal said.

    The disclosure comes as Dragos warned of attacks mounted by Chinese groups like Volt Typhoon (aka Voltzite) to compromise Sierra Wireless Airlink gateways located in electric and oil and gas sectors, followed by pivoting to engineering workstations to dump config and alarm data.

    The activity, according to the cybersecurity company, took place in July 2025. The hacking crew is said to acquire initial access from Sylvanite, which rapidly weaponizes edge device vulnerabilities before patches are applied and hands off access for deeper operational technology (OT) intrusions.

    “Voltzite moved beyond data exfiltration to direct manipulation of engineering workstations investigating what would trigger processes to stop,” Dragos said. ” This represents the removal of the last practical barrier between having access and causing physical consequences. Cellular gateways create unauthorized pathways into OT networks bypassing traditional security controls.”

    CVE202622769 Dell Exploited Mid2024 RecoverPoint VMs zeroday
    Follow on Google News Follow on Flipboard
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
    Previous ArticleThe BOGO Apple! Major Sales on New York City Restaurants,…
    Next Article Mark Zuckerberg testifies in social media addiction trial that Meta just wants Instagram to be ‘useful’
    admin
    • Website

    Related Posts

    OpenAI’s GPT-Red Automates Prompt Injection Testing to Harden GPT-5.6 Sol

    July 16, 2026

    148 npm Packages Disguised as Student Proxies Turned Browsers Into a DDoS Botnet

    July 16, 2026

    Closing the Approval Gap in AI-Era Ad Tech

    July 16, 2026
    Leave A Reply Cancel Reply

    Demo
    Latest Posts

    Iran War Live Updates: U.S. and Iran Escalate Attacks, While Hinting at Diplomacy

    U.K. Nationalizes British Steel, Its Last Major Steel Mill

    RENK Group AG (RKGRY) Discusses Pre-Close Update and Strong Order Intake Driven by Defense Contracts Prepared Remarks Transcript

    Nations Championship: Ireland bring back big names for clash against New Zealand All Blacks at Eden Park | Rugby Union News

    Latest Posts

    Subscribe to News

    Get the latest sports news from NewsSite about world, sports and politics.

    Advertisement
    Demo

    We are a digital news platform delivering timely, accurate, and insightful coverage of politics, global affairs, business, economy, sports, and more. Our mission is to keep readers informed with reliable news, clear analysis, and stories that truly matter.
    We're social. Connect with us:

    Facebook X (Twitter) Instagram Pinterest YouTube

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Type above and press Enter to search. Press Esc to cancel.

    Powered by
    ...
    ►
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    ►
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    ►
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    ►
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    ►
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
    None
    Powered by