A Chinese hacking group has been exploiting a previously unknown bug in Dell RecoverPoint for VMs since mid-2024.
Security researchers have identified active exploitation of a critical vulnerability in Dell RecoverPoint for Virtual Machines. Attackers are using the flaw, registered as CVE-2026-22769, to gain unauthorized access to backup environments and move further into the network from there.
Dell has since published security updates for the critical bug, which carries the maximum CVSS score of 10.0. Installing these updates should be an absolute priority, as hackers are actively exploiting the flaw.
According to researchers from Mandiant and Google Threat Intelligence, the vulnerability has been exploited since mid-2024 by a Chinese group they identify as UNC6201. The flaw is located in a management component of Dell RecoverPoint and allows malicious files to be uploaded using default credentials. This enables attackers to execute commands with elevated system privileges.
Broad access
Organizations using Dell RecoverPoint for Virtual Machines are at risk. This product is used for data protection in VMware environments. When an attacker compromises the solution, they potentially gain access to virtual machines and the underlying infrastructure.
The group installs backdoors such as Brickstorm and a more recent variant, Grimbolt. These allow attackers to maintain long-term access. They also modify system scripts so that the malware starts automatically after a reboot. In several cases, the attackers then moved into VMware environments, where they created additional network access to move laterally undetected.
Targets
Companies with an on-premises VMware environment and Dell RecoverPoint are vulnerable, especially if management interfaces are directly or indirectly accessible via the network. Organizations that expose edge devices (such as VPN concentrators) are also potential targets.
Security teams are advised to verify whether the security updates have been deployed. Additionally, it is recommended to check RecoverPoint log files for suspicious management actions and unusual file uploads. Because the solution plays a central role in data protection, a breach can have a major impact on the availability and confidentiality of corporate data.
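The two checks recommended above (suspicious management actions and unusual file uploads in the logs, plus the startup-script tampering described earlier) can be scripted. The following is an added example, not code from Dell or from the researchers cited in the article. It assumes a generic, constructed log line format (timestamp, source address, user, action, optional path); the real RecoverPoint log layout differs and the regular expression, the default account name and the watched actions are placeholders that must be adapted to it. The startup-script check compares file contents against a baseline of SHA-256 hashes held in memory so the example runs offline.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed, generic log format for illustration only. The real RecoverPoint
# log layout differs; adapt this pattern to the actual fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+)(?: path=(?P<path>\S+))?$"
)

# Constructed sample lines: an upload followed by command execution from
# one external address, then a routine replication status check.
SAMPLE_LOG = """\
2024-07-14T02:11:09Z 203.0.113.7 user=admin action=login
2024-07-14T02:11:31Z 203.0.113.7 user=admin action=file_upload path=/tmp/update.tar
2024-07-14T02:12:02Z 203.0.113.7 user=admin action=exec path=/bin/sh
2024-07-15T09:00:00Z 10.0.0.5 user=svc_backup action=replication_status
"""

# Placeholder for the product's built-in account name(s); replace with the
# real default accounts of the deployment being reviewed.
DEFAULT_ACCOUNTS = {"admin"}
# Management actions worth reviewing: file uploads and command execution.
WATCHED_ACTIONS = {"file_upload", "exec"}


@dataclass
class Finding:
    line: str
    reason: str


def scan_log(text: str) -> list[Finding]:
    """Return one Finding per log line that records a watched action.

    Lines that do not match the (constructed) format are skipped so that
    unrelated log noise does not abort the scan.
    """
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        if ev["action"] in WATCHED_ACTIONS:
            reason = f"{ev['action']} by {ev['user']} from {ev['src']}"
            if ev["path"]:
                reason += f" path={ev['path']}"
            if ev["user"] in DEFAULT_ACCOUNTS:
                reason += " (default account)"
            findings.append(Finding(line, reason))
    return findings


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def changed_startup_scripts(current: dict[str, bytes],
                            baseline: dict[str, str]) -> list[str]:
    """Compare startup scripts against a known-good baseline.

    current:  path -> current file contents (bytes)
    baseline: path -> expected SHA-256 hex digest
    A path is reported when it is missing or its digest no longer matches,
    which is how a persistence edit to a boot script would show up.
    """
    changed = []
    for path, expected in baseline.items():
        actual = current.get(path)
        if actual is None or sha256_hex(actual) != expected:
            changed.append(path)
    return changed


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("REVIEW:", f.reason)

    # Constructed baseline and a tampered copy of one boot script.
    clean = b"#!/bin/sh\nexit 0\n"
    baseline = {"/etc/rc.local": sha256_hex(clean)}
    tampered = {"/etc/rc.local": b"#!/bin/sh\n/opt/unknown/agent &\nexit 0\n"}
    for path in changed_startup_scripts(tampered, baseline):
        print("CHANGED:", path)
```

The baseline of script hashes has to be captured from a known-good installation (for example right after the patch is applied) and stored off the appliance, since an attacker who can modify the scripts can also modify a baseline kept next to them.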
