Dell RecoverPoint Zero-Day Vulnerability Exploited by UNC6201 Threat Actor
A critical zero-day vulnerability in Dell RecoverPoint for Virtual Machines has been abused by the China-linked group UNC6201, enabling them to deploy backdoors into enterprise systems. This flaw, identified as CVE-2026-22769, stems from hard-coded credentials in Apache Tomcat, allowing attackers to execute malicious web applications.
The attack process begins with UNC6201 using the hard-coded credentials to log in to the Tomcat Manager interface. From there, the group deployed multiple malware families: the SLAYSTYLE web shell for remote command execution, the BRICKSTORM backdoor for persistent access, and the GRIMBOLT backdoor for long-term stealthy control. The attackers achieved persistence by modifying system scripts so that their malware would run during normal operations, and used covert channels for network communication.
UNC6201 specifically targets backup and disaster-recovery infrastructure, which makes the group a significant threat to organizations running Dell RecoverPoint. Exploiting this vulnerability not only gives attackers access to sensitive infrastructure but also lets them conduct espionage without being detected.
This incident underscores the real risk posed by vulnerabilities like CVE-2026-22769, particularly for defenders who must now contend with the possibility of prolonged attacker access to critical systems. Organizations should prioritize patching affected software versions and regularly review configurations to mitigate this threat.
Defensive mechanisms such as threat intelligence, Security Information and Event Management (SIEM) solutions, and rigorous monitoring of network traffic can help organizations detect anomalies and create alerts for suspicious activities related to the identified malware families.
Indicators of Compromise (IOCs):
- Command and Control IP: 149.248.11.71
- WebSocket URL: wss://149.248.11.71/rest/apisession
- Malware:
  - GRIMBOLT: SHA-256 hash – 24a11a26a2586f4fba7bfe89df2e21a0809ad85069e442da98c37c4add369a0c
  - SLAYSTYLE: SHA-256 hash – 92fb4ad6dee9362d0596fda7bbcfe1ba353f812ea801d1870e37bfc6376e624a
  - BRICKSTORM: multiple hashes identified.
- Suspicious file paths and commands related to the exploit can also serve as indicators for defenders to monitor and review.
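As an added illustration of the SIEM-style monitoring recommended above (this is example code, not part of the original report), the following Python matcher runs the IOCs listed on this page (C2 IP, WebSocket URL, the two SHA-256 hashes) over constructed log lines and additionally flags Tomcat Manager requests from hosts outside an admin allow-list. The default /manager path and the 10.0.0.5 admin host are assumptions, not values from the page.

```python
import re

# IOCs as published on this page (C2 IP, WebSocket URL, two SHA-256 hashes).
C2_IP = "149.248.11.71"
C2_WS_URL = "wss://149.248.11.71/rest/apisession"
KNOWN_HASHES = {
    "24a11a26a2586f4fba7bfe89df2e21a0809ad85069e442da98c37c4add369a0c": "GRIMBOLT",
    "92fb4ad6dee9362d0596fda7bbcfe1ba353f812ea801d1870e37bfc6376e624a": "SLAYSTYLE",
}
# Assumptions: Tomcat Manager is served at its default /manager path, and only
# hosts on this (hypothetical) admin allow-list should ever reach it.
ADMIN_ALLOWLIST = {"10.0.0.5"}
MANAGER_RE = re.compile(r'"(?:GET|POST|PUT) (/manager/\S*)')
C2_IP_RE = re.compile(r"(?<![\d.])" + re.escape(C2_IP) + r"(?![\d.])")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")

def match_line(line):
    """Return a list of (severity, reason) hits for one log line ([] if clean)."""
    hits = []
    if C2_WS_URL in line:
        hits.append(("high", f"WebSocket session to known C2 URL {C2_WS_URL}"))
    elif C2_IP_RE.search(line):  # bare IP, e.g. in firewall or flow logs
        hits.append(("high", f"traffic to known C2 IP {C2_IP}"))
    for digest in SHA256_RE.findall(line.lower()):
        if digest in KNOWN_HASHES:
            hits.append(("critical", f"{KNOWN_HASHES[digest]} sample hash observed"))
    m = MANAGER_RE.search(line)
    if m:
        src = line.split()[0]  # client address is the first field of a Tomcat access log
        if src not in ADMIN_ALLOWLIST:
            hits.append(("medium", f"Tomcat Manager request {m.group(1)} from {src}"))
    return hits

def scan(lines):
    """Scan an iterable of log lines; return [(line_number, (severity, reason)), ...]."""
    return [(n, hit) for n, line in enumerate(lines, 1) for hit in match_line(line)]

# Constructed sample lines (not real telemetry): one per IOC class plus a benign admin request.
SAMPLE_LOGS = [
    '203.0.113.9 - - [01/Jan/2026:10:00:00 +0000] "PUT /manager/text/deploy?path=/x HTTP/1.1" 200 41',
    "proxy: CONNECT 149.248.11.71:443 upgrade=websocket url=wss://149.248.11.71/rest/apisession",
    "edr: file_created path=/tmp/.x sha256=24a11a26a2586f4fba7bfe89df2e21a0809ad85069e442da98c37c4add369a0c",
    '10.0.0.5 - - [01/Jan/2026:10:01:00 +0000] "GET /manager/html HTTP/1.1" 200 1200',
]

if __name__ == "__main__":
    for n, (sev, reason) in scan(SAMPLE_LOGS):
        print(f"line {n}: [{sev}] {reason}")
```

Hash matching is exact, so the matcher only catches the two samples whose digests are published; the manager-path rule is the one that catches activity regardless of which payload was deployed.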


