Active Exploitation of Dell RecoverPoint for Virtual Machines Hardcoded Credential Vulnerability CVE-2026-22769
BLUF
CVE-2026-22769 is a critical hardcoded credential vulnerability affecting Dell RecoverPoint for Virtual Machines prior to version 6.0.3.1 HF1. The flaw allows unauthenticated remote attackers to gain unauthorized operating system access and establish root-level persistence. Dell confirms limited active exploitation in the wild. Public reporting attributes exploitation activity to a China-nexus threat cluster tracked as UNC6201, which deployed web shells and custom backdoors in affected VMware-aligned environments.
Executive Cost Summary
This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.
For organizations affected by active exploitation of Dell RecoverPoint for Virtual Machines Hardcoded Credential Vulnerability CVE-2026-22769, financial impact is primarily driven by infrastructure rebuild, forensic validation, and resilience assurance costs rather than immediate revenue collapse.
· Low-end total cost: $450,000 to $900,000
o Contained exploitation, no lateral movement beyond appliance layer
· Typical expected range: $900,000 to $2.2 million
o Credential abuse confirmed with broader VMware validation and audit remediation
· Upper-bound realistic scenarios: $2.2 million to $5.5 million
o Pivot into ESXi, prolonged investigation, regulatory and contractual reporting impact
Key Cost Drivers
· Scope of lateral movement beyond RecoverPoint appliance
· Extent of credential rotation across enterprise identity systems
· Duration of DR capability suspension during rebuild
· Regulatory reporting triggers tied to privileged access exposure
· Insurance deductible structure and renewal premium adjustments
Bottom Line for Executives
This vulnerability targets a control-plane technology that underpins disaster recovery operations. The primary financial risk lies not in immediate operational collapse, but in the cascading costs of investigation, assurance, and infrastructure trust restoration.
Prompt patching, credential rotation, and segmented access validation significantly compress the cost curve and reduce the likelihood of escalation into the multi-million-dollar range.
Priority Level and Response Window
· Critical.
o Immediate remediation required for internet-exposed or broadly reachable management networks.
o All other deployments should be remediated within seventy-two hours.
Exploit Conditions Snapshot
· Network accessible service
· No authentication required
· No user interaction required
· Hardcoded credential enables OS-level access
· Root persistence achievable post exploitation
Today’s Hunt Focus (3 signals)
· Unusual Tomcat Manager access from non-administrative IP ranges
· WAR deployment activity followed by JSP artifact creation
· Outbound connections to 149.248.11.71 and associated endpoint paths
Potential Affected Sectors
· Organizations operating VMware environments using RecoverPoint for Virtual Machines including:
o Managed service providers
o SaaS providers
o Legal services
o Large enterprise IT estates.
Potential Impacted Countries
· Global
Date of First Reported Activity
· Observed exploitation activity reported as early as mid-2024 in threat intelligence reporting.
Date of Last Reported Activity Update
· February 17, 2026
Why This Matters to Defenders
RecoverPoint appliances operate within disaster recovery and replication layers of VMware environments. Compromise provides:
· Root access to infrastructure appliance
· Persistent foothold in virtualization management plane
· Reduced visibility compared to traditional endpoints
· Potential pivot into broader enterprise infrastructure
Associated APT Groups
· UNC6201 (China-nexus, per Google Threat Intelligence reporting)
Associated Criminal Organizations
· Not applicable at this time.
Threat Actor Context
· Stealth-focused intrusion cluster leveraging edge infrastructure vulnerabilities for long dwell time access and pivoting into VMware ecosystems.
Primary Objectives
· Persistent espionage-oriented access within enterprise virtualization environments.
Tools Used in Campaign
· GRIMBOLT backdoor
· BRICKSTORM backdoor
· SLAYSTYLE web shell
Exposure Assessment Tool
· Not known at this time.
Indicators of Compromise (IOCs)
High Confidence (0.90 to 1.00)
These indicators were directly published by Google Threat Intelligence Group as confirmed campaign artifacts.
Network Infrastructure
149.248.11.71
· Confidence Score: 0.98
· Explanation: Confirmed GRIMBOLT command and control IP published in GTIG reporting.
wss://149.248.11.71/rest/apisession
· Confidence Score: 0.97
· Explanation: Specific GRIMBOLT websocket endpoint path documented in observed exploitation.
SHA256 Artifact Hashes
24a11a26a2586f4fba7bfe89df2e21a0809ad85069e442da98c37c4add369a0c
· Confidence Score: 0.96
· Explanation: GRIMBOLT backdoor artifact confirmed in campaign reporting.
dfb37247d12351ef9708cb6631ce2d7017897503657c6b882a711c0da8a9a591
· Confidence Score: 0.96
· Explanation: GRIMBOLT campaign artifact hash published by GTIG.
92fb4ad6dee9362d0596fda7bbcfe1ba353f812ea801d1870e37bfc6376e624a
· Confidence Score: 0.95
· Explanation: SLAYSTYLE web shell artifact hash tied to exploitation workflow.
aa688682d44f0c6b0ed7f30b981a609100107f2d414a3a6e5808671b112d1878
· Confidence Score: 0.95
· Explanation: BRICKSTORM backdoor artifact identified in campaign reporting.
2388ed7aee0b6b392778e8f9e98871c06499f476c9e7eae6ca0916f827fe65df
· Confidence Score: 0.95
· Explanation: Published BRICKSTORM artifact hash.
320a0b5d4900697e125cebb5ff03dee7368f8f087db1c1570b0b62f5a986d759
· Confidence Score: 0.95
· Explanation: Additional BRICKSTORM campaign artifact hash.
90b760ed1d0dcb3ef0f2b6d6195c9d852bcb65eca293578982a8c4b64f51b035
· Confidence Score: 0.94
· Explanation: Campaign-linked backdoor artifact.
45313a6745803a7f57ff35f5397fdf117eaec008a76417e6e2ac8a6280f7d830
· Confidence Score: 0.94
· Explanation: Confirmed malicious artifact from GTIG publication.
Medium Confidence (0.60 to 0.89)
These indicators are strongly associated with the exploitation workflow but may overlap with legitimate activity depending on environment.
Tomcat Manager POST deployment activity
· Confidence Score: 0.82
· Explanation: WAR deployment behavior described in exploitation chain; may overlap with legitimate admin actions.
Unexpected JSP file creation under Tomcat webapps directories
· Confidence Score: 0.78
· Explanation: Strong web shell staging indicator; requires environment baseline validation.
Anomalous administrative authentication on RecoverPoint appliance
· Confidence Score: 0.72
· Explanation: Likely post-exploitation artifact but depends on logging visibility.
Low Confidence (0.30 to 0.59)
These are technique-level or contextual indicators that require correlation with high-confidence artifacts.
Ghost NIC creation and deletion events in VMware environment
· Confidence Score: 0.55
· Explanation: Reported tradecraft, but not uniquely attributable without correlation to confirmed IOCs.
General pivoting into VMware management plane
· Confidence Score: 0.50
· Explanation: Strategic objective described in reporting; specific pivot artifacts not enumerated publicly.
MITRE ATT&CK Campaign Flow
Initial Access
· T1190 Exploit Public Facing Application
Execution
· T1059 Command and Scripting Interpreter
Persistence
· T1053.003 Scheduled Task or Cron
Defense Evasion
· T1070.004 Indicator Removal on Host
Credential Access
· T1552.001 Unsecured Credentials in Files
Command and Control
· T1071.001 Application Layer Protocol Web Protocols
Tactics, Techniques, and Procedures (TTPs)
MITRE ATT&CK mapping for active exploitation of Dell RecoverPoint for Virtual Machines hardcoded credential vulnerability CVE-2026-22769.
Initial Access
· T1078 Valid Accounts
o Adversaries leverage the embedded hardcoded credential in RecoverPoint for Virtual Machines to authenticate as an administrative user without needing prior access.
· T1190 Exploit Public-Facing Application
o Attackers target the exposed Tomcat management interface on RecoverPoint appliances to gain entry through the vulnerable management service.
Execution
· T1059 Command and Scripting Interpreter
o Once access is obtained, threat actors execute system-level commands through deployed web shells or backdoor tooling to run arbitrary instructions on the appliance.
· T1106 Native API
o Backdoors such as BRICKSTORM and GRIMBOLT may invoke native OS-level calls for stealthy execution and process interaction.
Persistence
· T1505.003 Server Software Component: Web Shell
o Attackers deploy a malicious WAR or JSP-based web shell (reported as SLAYSTYLE) via Tomcat Manager to maintain persistent remote control.
· T1547 Boot or Logon Autostart Execution
o Backdoor components may configure startup persistence mechanisms on the appliance host to survive reboot.
Privilege Escalation
· T1068 Exploitation for Privilege Escalation
o Following initial foothold, adversaries may escalate privileges to root-level control of the RecoverPoint appliance.
· T1078 Valid Accounts
o Hardcoded administrative authentication inherently provides privileged access.
Defense Evasion
· T1027 Obfuscated/Encrypted File or Information
o GRIMBOLT is reported to use packing and compilation techniques (including UPX) to hinder static analysis and evade detection.
· T1036 Masquerading
o Malicious payloads may be deployed under legitimate-looking Tomcat application names or directories to blend into expected appliance operations.
· T1070.004 Indicator Removal on Host: File Deletion
o Threat actors may remove deployment artifacts and temporary shell files after establishing persistence.
Credential Access
· T1552.001 Unsecured Credentials: Credentials In Files
o The vulnerability itself stems from an embedded credential stored within the appliance software, enabling unauthorized credential retrieval or reuse.
Discovery
· T1082 System Information Discovery
o After compromise, attackers enumerate appliance OS details, kernel version, and virtualization context.
· T1046 Network Service Discovery
o Threat actors may scan internal network services reachable from the RecoverPoint appliance to identify lateral movement targets.
· T1018 Remote System Discovery
o Compromised appliances may be used to identify adjacent VMware infrastructure components.
Lateral Movement
· T1021.004 Remote Services: SSH
o Adversaries may pivot using SSH from the appliance if credentials or keys are obtained.
· T1210 Exploitation of Remote Services
o RecoverPoint footholds may be leveraged to exploit other internal services once positioned inside the environment.
Command and Control
· T1071.001 Application Layer Protocol: Web Protocols
o Backdoors such as BRICKSTORM and GRIMBOLT communicate over HTTP or HTTPS to external command-and-control infrastructure.
· T1105 Ingress Tool Transfer
o Threat actors transfer secondary payloads and backdoor implants onto the appliance after exploitation.
Exfiltration
· T1041 Exfiltration Over C2 Channel
o If data theft occurs, attackers may exfiltrate information directly over established backdoor channels.
Impact
· T1496 Resource Hijacking
o Compromised appliances could be repurposed for malicious operations, though no confirmed reporting exists at this time.
CVE-2026-22769
CVSS v3.1
· 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Nessus ID
· Not applicable at this time.
KEV List Status
· Yes, this was added to the KEV catalog on February 18, 2026
CISA Patch by Date
· February 21, 2026
Patching Data
Upgrade to 6.0.3.1 HF1 or apply vendor remediation script provided by Dell.
· Patch Release Date: February 17, 2026
URL Link to Patch Information
· Dell advisory listed below in References.
Exploitability
· High.
o Network accessible
o No authentication required
o No user interaction required.
Observed Exploitation Status
· Confirmed active exploitation reported by vendor and external threat intelligence.
Exposure Risk
· High for any reachable management plane or insufficiently segmented VMware environments.
Recommended Action
· Upgrade to RecoverPoint for Virtual Machines 6.0.3.1 HF1 immediately.
· If immediate upgrade is not possible, apply Dell remediation script without delay.
· Restrict access to trusted internal network segments.
Vendor Advisory URL
· Dell Advisory for CVE-2026-22769:
Dell RecoverPoint for Virtual Machines remediation is available for a hardcoded credential vulnerability that could be exploited by malicious users.
URL: hxxps://www.dell.com/support/kbdoc/en-us/000426773/dsa-2026-079-security-update-for-recoverpoint-for-virtual-machines-hardcoded-credential-vulnerability
Behavior Analysis
· Threat actors exploit a hardcoded credential in Dell RecoverPoint for VMs (pre-6.0.3.1 HF1), enabling unauthenticated remote access and unauthorized OS/root control.
· Exploitation involves authenticating to the Tomcat Manager using the hardcoded admin credential and uploading a web shell named SLAYSTYLE via “/manager/text/deploy.”
· Once in, actors push BRICKSTORM and a newer GRIMBOLT backdoor on the appliance for persistence and remote command execution.
· Adversary cluster UNC6201 likely uses this as a foothold for lateral movement and deeper compromise in target networks.
Expected User-Agent Patterns
· Not applicable at this time — public sources have not yet documented specific User-Agent strings tied to CVE-2026-22769 exploitation.
Payload Examples
· SLAYSTYLE Web Shell uploaded to Tomcat Manager
o Deployed via /manager/text/deploy endpoint to maintain interactive command execution.
· BRICKSTORM Backdoor
o Used historically by China-linked clusters for persistence and extended access.
· GRIMBOLT Backdoor
o A newer backdoor variant bundled using UPX and ahead-of-time compilation to evade analysis.
Log Artifacts
Not applicable at this time — specific vendor or security telemetry logs related to this exploitation campaign have not been disclosed publicly, but typical sources to monitor include:
· Apache Tomcat manager access records
· Web shell upload events
· Unusual root shell invocation logs
· Network connections from the appliance to C2 endpoints
Detection Coverage Matrix
Web Shell Upload Detection
· Monitor Tomcat Manager GET/POST to /manager/text/deploy
Backdoor Persistence
· Hunt for BRICKSTORM/GRIMBOLT artifacts
Anomalous Admin Access
· Monitor unusual privileged access
Network Anomalies
· High risk external communications from appliance
Suggested Rules / Potential Hunts
Suricata Rule
Title
· RecoverPoint for VMs Tomcat Manager Deploy Attempt
Purpose
· Detect HTTP POST attempts to the Tomcat Manager deploy endpoint commonly abused to upload a malicious WAR or web shell on RecoverPoint for Virtual Machines.
Tuning explanation
· Limit to HTTP servers you expect to be RecoverPoint or Tomcat management interfaces. If you terminate TLS upstream, ensure Suricata sees decrypted HTTP. Reduce noise by scoping destination to known RecoverPoint management IPs and by requiring a POST plus the exact deploy path.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"RecoverPoint for VMs: Tomcat Manager deploy attempt (possible webshell/WAR upload)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/manager/text/deploy"; nocase; classtype:web-application-attack; sid:92622769; rev:1;)
SentinelOne
Title
· RecoverPoint Tomcat Deploy to New Webapp
Purpose
· Detect suspicious Java Tomcat activity consistent with deploying a new web application via the Manager interface, which may indicate a web shell drop.
Tuning explanation
· Scope to the RecoverPoint appliance or its management VM only. Reduce false positives by allowing known maintenance windows and known admin tooling, and by requiring a chain: Java Tomcat process writes a new WAR or expands a new webapp directory under webapps.
WHEN
Endpoint.Group IN ("RecoverPoint-Appliances")
AND Process.Name IN ("java","java.exe")
AND (Process.CommandLine CONTAINS "/manager/text/deploy" OR Process.CommandLine CONTAINS "catalina")
AND (
File.Write.Path MATCHES "*tomcat*webapps*"
OR File.Write.Path MATCHES "*catalina*webapps*"
OR File.Write.Path ENDSWITH ".war"
)
THEN
Raise Alert: "RecoverPoint Tomcat deploy to webapps (possible webshell/WAR)"
Severity: High
Splunk Detection
Title
Tomcat Manager Deploy Requests on RecoverPoint Assets
Purpose
Find HTTP requests attempting application deployment through Tomcat Manager, a common post access step when hardcoded credentials are abused.
Tuning explanation
Restrict to RecoverPoint hosts, Tomcat access logs, and POST requests. Add allowlists for known admin source IPs and scheduled patching windows. Keep the output fields tight for triage: src, user, uri, status, bytes, and host.
(index=web OR index=tomcat OR sourcetype=tomcat:access)
host IN (recoverpoint_host1, recoverpoint_host2)
| eval uri=coalesce(uri, request, cs_uri_stem)
| eval method=coalesce(method, http_method)
| search method=POST uri="*/manager/text/deploy*"
| stats count min(_time) as firstSeen max(_time) as lastSeen values(status) as status values(user) as user by host src uri
| convert ctime(firstSeen) ctime(lastSeen)
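The same hunt carried out offline over raw Tomcat access-log lines, as an added example written for this brief rather than code from Dell, GTIG or the CyberDax rules above. It goes slightly beyond the Splunk query: it matches any HTTP method on the deploy path (Tomcat's text interface accepts uploaded WARs via PUT as well as POST), applies the admin-source allowlist the tuning note calls for, and pairs each deploy with the first request to a .jsp inside the newly deployed context from the same source. The log lines, the allowlisted address and the 10-minute window are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines in Tomcat's common access-log pattern: %h %l %u %t "%r" %s %b
SAMPLE_LOG = """\
10.0.5.23 - - [17/Feb/2026:02:58:10 +0000] "GET /manager/html HTTP/1.1" 200 8123
203.0.113.45 - admin [17/Feb/2026:03:12:44 +0000] "PUT /manager/text/deploy?path=/svc&update=true HTTP/1.1" 200 61
203.0.113.45 - - [17/Feb/2026:03:12:51 +0000] "POST /svc/cmd.jsp HTTP/1.1" 200 442
10.0.5.23 - admin [17/Feb/2026:04:00:02 +0000] "POST /manager/text/deploy?path=/patch HTTP/1.1" 200 58
10.0.5.99 - - [17/Feb/2026:04:05:00 +0000] "GET /manager/text/list HTTP/1.1" 401 0
"""

ADMIN_ALLOWLIST = {"10.0.5.23"}   # assumed trusted admin sources; tune per environment
DEPLOY_PATH = "/manager/text/deploy"

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

def parse_line(line):
    """Parse one access-log line into a dict, or return None for lines that do not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["path"] = e["uri"].split("?", 1)[0]
    return e

def context_of(uri):
    """Extract the webapp context passed as ?path=... on a deploy request."""
    params = dict(p.split("=", 1) for p in uri.partition("?")[2].split("&") if "=" in p)
    return params.get("path", "")

def hunt_deploys(log_text, allowlist=ADMIN_ALLOWLIST, window_s=600):
    """Flag deploy requests from non-allowlisted sources (any HTTP method, since the text
    interface takes uploaded WARs via PUT) and pair each with the first request to a .jsp
    inside the newly deployed context from the same source within window_s seconds."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    findings = []
    for e in events:
        if e["path"] != DEPLOY_PATH or e["src"] in allowlist:
            continue
        ctx = context_of(e["uri"])
        followup = next((f["path"] for f in events
                         if f["src"] == e["src"] and f["path"].endswith(".jsp")
                         and f["path"].startswith(ctx + "/")
                         and 0 <= (f["ts"] - e["ts"]).total_seconds() <= window_s), None)
        findings.append({"src": e["src"], "user": e["user"], "method": e["method"],
                         "status": e["status"], "context": ctx, "jsp_followup": followup})
    return findings

if __name__ == "__main__":
    for hit in hunt_deploys(SAMPLE_LOG):
        print(hit)
```

A deploy that is immediately followed by a request to a fresh .jsp under the same context from the same non-admin source is the chain the Medium Confidence indicators above describe; a deploy alone from an allowlisted host is filtered out.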
YARA
Title
RecoverPoint Suspected Webshell Artifacts in Deployed WAR or JSP
Purpose
Detect common web shell indicators in newly deployed JSPs or WAR extracted content on RecoverPoint Tomcat webapps directories.
Tuning explanation
This is intentionally narrow to reduce false positives by targeting web shell primitives and execution patterns often present in JSP shells. Tune further by scoping to directories used by Tomcat webapps on the RecoverPoint appliance and by adding known benign admin JSP patterns to an allowlist.
rule CyberDax_RecoverPoint_Tomcat_JSP_Webshell_Suspect
{
    meta:
        title = "RecoverPoint suspected webshell artifacts in deployed JSP/WAR"
        purpose = "Identify JSP-based webshell traits in Tomcat webapps content"
        tuning = "Run only on Tomcat webapps paths; add allowlist for known vendor JSPs; treat as triage signal, not conviction"
        author = "CyberDax LLC"
    strings:
        $jsp1 = "javax.servlet.http.HttpServlet" ascii
        $exec1 = "Runtime.getRuntime().exec" ascii
        $exec2 = "ProcessBuilder" ascii
        $b64 = "java.util.Base64" ascii
        $param = "request.getParameter" ascii
        $out = "getWriter()" ascii
    condition:
        2 of ($exec*) and 1 of ($param, $out) and 1 of ($b64, $jsp1)
}
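A filesystem sweep that combines the Day 3 IOC-hash hunt with the YARA rule's JSP heuristics, added here as an example written for this brief (not CyberDax, Dell or GTIG code). It walks a Tomcat webapps tree, compares every file's SHA256 against the published artifact hashes, and applies the same exec/IO/wrapper condition the YARA rule uses to any .jsp it finds. The hash set is seeded with two values from the IOC list above and should be extended with the rest; the demo tree, its token-only JSP fixture and the WAR treated as a known hash are constructed.

```python
import hashlib
import os
import re
import tempfile

# Seeded with two SHA256 values from the IOC list above; extend with the remaining hashes.
KNOWN_BAD_SHA256 = {
    "24a11a26a2586f4fba7bfe89df2e21a0809ad85069e442da98c37c4add369a0c",  # GRIMBOLT
    "92fb4ad6dee9362d0596fda7bbcfe1ba353f812ea801d1870e37bfc6376e624a",  # SLAYSTYLE
}
# The same three primitive groups the YARA rule above keys on.
EXEC_RE = re.compile(rb"Runtime\.getRuntime\(\)\.exec|ProcessBuilder")
IO_RE = re.compile(rb"request\.getParameter|getWriter\(\)")
WRAP_RE = re.compile(rb"java\.util\.Base64|javax\.servlet\.http\.HttpServlet")

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def has_shell_traits(data):
    """Mirror the YARA condition: both exec primitives, one I/O primitive, one wrapper."""
    return (len(set(EXEC_RE.findall(data))) == 2
            and IO_RE.search(data) is not None
            and WRAP_RE.search(data) is not None)

def scan_webapps(root, known_hashes=KNOWN_BAD_SHA256):
    """Walk a Tomcat webapps tree; report known-IOC hashes and JSPs with shell traits."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            digest = sha256_of(path)
            rel = os.path.relpath(path, root)
            if digest in known_hashes:
                findings.append((rel, "known_ioc_hash", digest))
            elif name.lower().endswith((".jsp", ".jspx")):
                with open(path, "rb") as f:
                    if has_shell_traits(f.read()):
                        findings.append((rel, "jsp_shell_traits", digest))
    return findings

def demo():
    """Constructed webapps tree: a benign page, a token-only JSP fixture (not a working page)
    carrying the shell primitives, and a WAR whose hash we treat as a known IOC."""
    root = tempfile.mkdtemp(prefix="webapps_")
    fixture = (b"<%-- fixture --%> java.util.Base64 request.getParameter "
               b"Runtime.getRuntime().exec ProcessBuilder getWriter()")
    files = {"ROOT/index.jsp": b"<html>ok</html>", "svc/cmd.jsp": fixture, "svc.war": b"constructed"}
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    known = KNOWN_BAD_SHA256 | {sha256_of(os.path.join(root, "svc.war"))}
    return sorted(kind for _, kind, _ in scan_webapps(root, known))
```

Run it against /var/lib/tomcat*/webapps (or wherever the appliance keeps Tomcat's webapps directory) on a forensic copy, not the live appliance, and treat a trait-only hit as triage input rather than a conviction.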
Sigma
Title
Web Server Log Detection for Tomcat Manager Deploy Attempts
Purpose
Detect POST requests to the Tomcat Manager deploy endpoint that may indicate web shell or malicious application deployment on RecoverPoint.
Tuning explanation
Use only for the RecoverPoint or Tomcat management log sources. Reduce false positives by requiring POST and matching the deploy path, and optionally adding filters for known admin IPs and known maintenance windows.
title: Web Server Log Detection for Tomcat Manager Deploy Attempts
id: 3f2c1c2e-2276-4cve-9d69-000000000001
status: experimental
description: Detects POST requests to /manager/text/deploy indicative of Tomcat webapp deployment activity
logsource:
  category: webserver
detection:
  selection:
    cs-method: "POST"
    cs-uri-stem|contains: "/manager/text/deploy"
  condition: selection
fields:
  - host
  - src_ip
  - cs-method
  - cs-uri-stem
  - sc-status
level: high
Behavioral and Technical Artifacts
· Tomcat Manager access followed by WAR deployment leading to JSP web shell staging.
· Outbound traffic to published C2 infrastructure.
· Anomalous administrative authentication events on appliance.
Defender Action Plan (Next Seven Days)
· Day 1: Identify all RecoverPoint instances and confirm versions
· Day 1: Apply remediation script if upgrade is not immediate
· Day 2: Upgrade to 6.0.3.1 HF1
· Day 2: Restrict network exposure and validate segmentation
· Day 3: Hunt for published IOC hashes and network indicators
· Days 4–7: Implement durable monitoring and credential hygiene review
References
Dell Technologies Vendor Advisory
· hxxps://www[.]dell[.]com/support/kbdoc/en-us/000426773/dsa-2026-079
Google Cloud Threat Intelligence Group
· hxxps://cloud[.]google[.]com/blog/topics/threat-intelligence/unc6201-exploiting-dell-recoverpoint-zero-day/
MITRE ATT&CK Techniques
· hxxps://attack[.]mitre[.]org/techniques/
National Vulnerability Database CVE-2026-22769
· hxxps://nvd[.]nist[.]gov/vuln/detail/CVE-2026-22769
CISA Known Exploited Vulnerabilities Catalog CVE-2026-22769
· hxxps://www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-22769