Dell RecoverPoint for Virtual Machines Zero Day Attack

Byadmblake February 19, 2026

What is the Attack? The attack involves the threat cluster UNC6201 (a suspected China-nexus Advanced Persistent Threat (APT)) actively exploiting a critical zero-day vulnerability in Dell’s RecoverPoint for Virtual Machines platform. The flaw (CVE-2026-22769) stems from hard-coded credentials embedded within the appliance, allowing unauthenticated remote attackers to gain administrative access. Because RecoverPoint is a disaster…

What is the Attack?

The attack involves the threat cluster UNC6201 (a suspected China-nexus Advanced Persistent Threat (APT)) actively exploiting a critical zero-day vulnerability in Dell’s RecoverPoint for Virtual Machines platform. The flaw (CVE-2026-22769) stems from hard-coded credentials embedded within the appliance, allowing unauthenticated remote attackers to gain administrative access. Because RecoverPoint is a disaster recovery and backup solution, successful exploitation gives attackers high-value access to core infrastructure systems that often sit deep inside enterprise networks.

Once access is obtained, the attackers deploy web shells and custom backdoors to establish persistent control. According to reporting from Google Threat Intelligence Group, the campaign evolved from earlier BRICKSTORM malware to a newer backdoor called GRIMBOLT, indicating ongoing development and operational maturity.

Because it is actively exploited in the wild and affects critical enterprise infrastructure, it represents a significant operational risk for organizations running vulnerable versions of RecoverPoint.

What is the recommended Mitigation?

• Immediately upgrade vulnerable instances of Dell RecoverPoint for Virtual Machines to the fixed release. Dell has released remediations for CVE-2026-22769, and customers are urged to follow the guidance in the official Security Advisory.

DSA-2026-079: Security Update for RecoverPoint for Virtual Machines Hardcoded Credential Vulnerability | Dell US

• Restrict the network exposure of RecoverPoint appliances. Ensure the management interface is not internet-facing.

• Conduct post-exploitation validation and threat hunting. Review appliance logs for unusual authentication activity.

What FortiGuard Coverage is available?

• FortiGuard Labs is actively monitoring exploitation activity associated with the UNC6201 campaign targeting Dell RecoverPoint for VM. The team continues to track evolving attacker infrastructure, tooling, and tactics, and will provide ongoing intelligence updates, newly identified indicators, and protection guidance as the situation develops.

• FortiGuard Antivirus & Behavior Detection protects against known malware families associated with this activity and leverages advanced behavioral analysis to detect and block previously unseen variants, including web shells and custom backdoors deployed post-exploitation.

• Indicators of Compromise (IOC) Service: FortiGuard Labs has implemented protections to block all currently known malicious indicators linked to this campaign. Continuous monitoring ensures the rapid addition of newly discovered hashes, domains, IP addresses, and behavioral artifacts.

• FortiGuard Incident Response: Organizations that suspect compromise can engage the FortiGuard Incident Response team for rapid investigation, containment, forensic analysis, and remediation support to minimize operational and security impact.

Blog

Czech Warning Highlights China Stealing User Data

Czech cyber agency NÚKIB warned of the risks of using products and software that send data back to China.

Read More Czech Warning Highlights China Stealing User Data
Blog

Navigating Regulatory Shifts & AI Risks

By proactively embracing emerging trends around encryption, AI security, and platform consolidation, organizations can turn compliance burdens into competitive advantage.

Read More Navigating Regulatory Shifts & AI Risks
Blog

The Hidden Threat in Your Stack: Why Non-Human Identity Management is the Next Cybersecurity Frontier

Modern enterprise networks are highly complex environments that rely on hundreds of apps and infrastructure services. These systems need to interact securely and efficiently without constant human oversight, which is where non-human identities (NHIs) come in. NHIs — including application secrets, API keys, service accounts, and OAuth tokens — have exploded in recent years, thanks…

Read More The Hidden Threat in Your Stack: Why Non-Human Identity Management is the Next Cybersecurity Frontier
Blog

Ex-Employee Found Guilty in Revenge Kill-Switch Scheme

Clandestine kill switch was designed to lock out other users if the developer’s account in the company’s Windows Active Directory was ever disabled.

Read More Ex-Employee Found Guilty in Revenge Kill-Switch Scheme
Blog

Oracle Still Denies Breach as Researchers Persist

Evidence suggests an attacker gained access to the company’s cloud infrastructure environment, but Oracle insists that didn’t happen.

Read More Oracle Still Denies Breach as Researchers Persist
Blog

Cybercriminals Use Fake Apps to Steal Data and Blackmail Users Across Asia’s Mobile Networks

Cybersecurity researchers have discovered a new, large-scale mobile malware campaign that’s targeting Android and iOS platforms with fake dating, social networking, cloud storage, and car service apps to steal sensitive personal data. The cross-platform threat has been codenamed SarangTrap by Zimperium zLabs. Users in South Korea appear to be the primary focus. “This extensive campaign…

Read More Cybercriminals Use Fake Apps to Steal Data and Blackmail Users Across Asia’s Mobile Networks

Related