Dell · Dell RecoverPoint for Virtual Machines · CVE-2026-22769
**Name of the Vulnerable Software and Affected Versions**
Dell RecoverPoint for Virtual Machines versions prior to 6.0.3.1 HF1
**Description**
Dell RecoverPoint for Virtual Machines contains a critical vulnerability (CVE-2026-22769) caused by hardcoded credentials. It allows unauthenticated remote attackers to gain root-level access to the underlying operating system and potentially compromise VMware backup and disaster recovery infrastructure. The vulnerability has been actively exploited since mid-2024 by a China-linked threat actor (UNC6201, also associated with Silk Typhoon). Attackers have used this access to deploy malware, including SLAYSTYLE, BRICKSTORM, and GRIMBOLT, and to move laterally within compromised networks. Exploitation involves accessing the Tomcat Manager interface with the hardcoded credentials and deploying malicious web applications. The threat actors have also employed techniques such as "Ghost NICs" to evade detection. CISA has ordered federal agencies to patch this vulnerability within three days.
**Recommendations**
Upgrade Dell RecoverPoint for Virtual Machines to version 6.0.3.1 HF1 or later. Apply the remediations provided by Dell. Hunt for indicators of compromise related to the malware families (SLAYSTYLE, BRICKSTORM, GRIMBOLT) and malicious activity within Tomcat Manager logs. Restrict access to the Tomcat Manager interface.
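One way to start the Tomcat Manager log hunt recommended above, as an added example that is not from Dell or the original advisory. It assumes the access log uses Tomcat's "common" AccessLogValve pattern and relies on the stock Apache Tomcat Manager endpoint paths; the function names, the sample log lines and the user name in them are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumes Tomcat's AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# Stock Tomcat Manager commands that add or remove a web application.
CHANGE_RE = re.compile(
    r'^/manager/(?:text/(?:deploy|undeploy)|html/(?:upload|deploy|undeploy))$'
)

def classify(line):
    """Return a finding dict for a Manager request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Drop the query string and any ;jsessionid path parameter, then decode.
    raw_path = re.split(r'[;?]', m['uri'], maxsplit=1)[0]
    path = unquote(raw_path).rstrip('/')
    if path != '/manager' and not path.startswith('/manager/'):
        return None
    status = int(m['status'])
    if not 200 <= status < 300:
        kind = 'other'         # redirect, failed login or probing
    elif CHANGE_RE.match(path):
        kind = 'app-change'    # authenticated deploy/undeploy request
    else:
        kind = 'access'        # authenticated use of the Manager
    return {**m.groupdict(), 'kind': kind, 'path': path, 'status': status}

def hunt(lines):
    """Findings for every Manager request, most severe kind first."""
    order = {'app-change': 0, 'access': 1, 'other': 2}
    found = [f for f in map(classify, lines) if f]
    return sorted(found, key=lambda f: order[f['kind']])

# Constructed sample lines (documentation addresses, made-up user name).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2026:10:00:00 +0000] "GET /manager/html HTTP/1.1" 401 2499
192.0.2.10 - exampleuser [01/Jan/2026:10:00:02 +0000] "GET /manager/html HTTP/1.1" 200 17345
192.0.2.10 - exampleuser [01/Jan/2026:10:00:09 +0000] "POST /manager/html/upload;jsessionid=ABC?org.apache.catalina.filters.CSRF_NONCE=123 HTTP/1.1" 200 18020
198.51.100.7 - exampleuser [01/Jan/2026:10:05:00 +0000] "PUT /manager/text/deploy?path=/example&update=true HTTP/1.1" 200 58
203.0.113.5 - - [01/Jan/2026:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 512
"""

if __name__ == '__main__':
    for f in hunt(SAMPLE_LOG.splitlines()):
        print(f['kind'], f['host'], f['user'], f['ts'], f['method'], f['path'], f['status'])
```

A 2xx status shows that the request passed authentication, not that the deployment succeeded, so confirm each `app-change` hit against the web applications actually present on the appliance.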