Zero-day in Dell RecoverPoint for Virtual Machines Actively Exploited (CVE-2026-22769)
A zero-day affecting Dell RecoverPoint for Virtual Machines, a product used to manage backup and disaster recovery for VMware virtual machines, has been identified and exploited in active attacks. According to Google GTIG[1], the vulnerability, tracked as CVE-2026-22769, has been used by the China-linked threat actor UNC6201 in targeted intrusions.
GTIG also reports that the zero-day allows attackers to gain root-level access on affected systems[1].
UNC6201 has weaponized the vulnerability to deploy custom backdoors, including GRIMBOLT and BRICKSTORM, enabling persistence and further compromise inside targeted environments. The attackers are leveraging the flaw as part of a broader intrusion campaign involving VMware backup and recovery infrastructure.
CVE
CVE-2026-22769
Affected Products
Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1[2].
Exploitation
The vulnerability is being actively exploited, and related activity has been observed since mid-2024[1].
Threat Actor
UNC6201
Recommended Actions
Truesec recommends applying the newly released security patch per the vendor's instructions, upgrading to version 6.0.3.1 HF1. The patch can be found here:
https://www.dell.com/support/product-details/product/recoverpoint-for-virtual-machines/drivers
If you are not able to patch the system right now, Dell has published a remediation script here:
https://www.dell.com/support/kbdoc/en-us/000426742
Detection
GRIMBOLT
24a11a26a2586f4fba7bfe89df2e21a0809ad85069e442da98c37c4add369a0c
dfb37247d12351ef9708cb6631ce2d7017897503657c6b882a711c0da8a9a591
SLAYSTYLE
92fb4ad6dee9362d0596fda7bbcfe1ba353f812ea801d1870e37bfc6376e624a
BRICKSTORM
aa688682d44f0c6b0ed7f30b981a609100107f2d414a3a6e5808671b112d1878
2388ed7aee0b6b392778e8f9e98871c06499f476c9e7eae6ca0916f827fe65df
320a0b5d4900697e125cebb5ff03dee7368f8f087db1c1570b0b62f5a986d759
90b760ed1d0dcb3ef0f2b6d6195c9d852bcb65eca293578982a8c4b64f51b035
45313a6745803a7f57ff35f5397fdf117eaec008a76417e6e2ac8a6280f7d830
Network Indicators
149.248.11.71
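The indicators above can be turned into a simple sweep. The following script is an added example written for this advisory, not code from Truesec, Dell or GTIG: it hashes every file under a directory and compares the digests with the file indicators listed above, and it scans log lines for the listed network indicator. The 64-character hex digests are treated as SHA-256, which is an assumption since the page does not state the algorithm. The sample log lines and the temporary directory are constructed for the demonstration and are not real artifacts.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# File indicators copied from the advisory's Detection section,
# mapped to the malware family they are listed under.
# Assumption: the digests are SHA-256 (the page does not name the algorithm).
IOC_HASHES = {
    "24a11a26a2586f4fba7bfe89df2e21a0809ad85069e442da98c37c4add369a0c": "GRIMBOLT",
    "dfb37247d12351ef9708cb6631ce2d7017897503657c6b882a711c0da8a9a591": "GRIMBOLT",
    "92fb4ad6dee9362d0596fda7bbcfe1ba353f812ea801d1870e37bfc6376e624a": "SLAYSTYLE",
    "aa688682d44f0c6b0ed7f30b981a609100107f2d414a3a6e5808671b112d1878": "BRICKSTORM",
    "2388ed7aee0b6b392778e8f9e98871c06499f476c9e7eae6ca0916f827fe65df": "BRICKSTORM",
    "320a0b5d4900697e125cebb5ff03dee7368f8f087db1c1570b0b62f5a986d759": "BRICKSTORM",
    "90b760ed1d0dcb3ef0f2b6d6195c9d852bcb65eca293578982a8c4b64f51b035": "BRICKSTORM",
    "45313a6745803a7f57ff35f5397fdf117eaec008a76417e6e2ac8a6280f7d830": "BRICKSTORM",
}

# Network indicator from the advisory.
IOC_IPS = {"149.248.11.71"}

# Word boundaries keep "149.248.11.710" or "1149.248.11.71" from matching.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large backup images do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep_directory(root):
    """Return [(path, family)] for every file under root whose SHA-256 is a listed indicator."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of_file(path)
            except OSError:
                # Unreadable or vanished file: skip rather than abort the sweep.
                continue
            family = IOC_HASHES.get(digest)
            if family:
                hits.append((path, family))
    return hits


def scan_log_lines(lines):
    """Return [(line_number, ip)] for lines that mention a listed network indicator."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for ip in IPV4_RE.findall(line):
            if ip in IOC_IPS:
                hits.append((number, ip))
    return hits


def demo():
    """Run both checks on constructed sample data and return (file_hits, log_hits)."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed benign file: its hash is not in the indicator list.
        Path(tmp, "benign.txt").write_bytes(b"nothing to see here\n")
        file_hits = sweep_directory(tmp)

    # Constructed sample log lines (not from a real system); the second one
    # records an outbound connection to the listed indicator address.
    sample_log = [
        "2026-01-10T12:00:01Z rp-vm sshd[1234]: Accepted publickey for admin from 10.0.0.5",
        "2026-01-10T12:03:44Z rp-vm firewall: outbound TCP 10.0.0.12:51544 -> 149.248.11.71:443",
        "2026-01-10T12:05:09Z rp-vm firewall: outbound TCP 10.0.0.12:51545 -> 149.248.11.710:443",
    ]
    log_hits = scan_log_lines(sample_log)
    return file_hits, log_hits


if __name__ == "__main__":
    files, logs = demo()
    print("file hits:", files)
    print("log hits:", logs)
```

In practice, point `sweep_directory` at the RecoverPoint appliance's filesystem (or an exported image of it) and feed `scan_log_lines` firewall, proxy or NetFlow exports; a match on either list is a reason to treat the host as compromised and to move to forensic collection rather than simply patching.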
References
[1] https://cloud.google.com/blog/topics/threat-intelligence/unc6201-exploiting-dell-recoverpoint-zero-day
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-22769