Chinese Hackers Exploiting Dell RecoverPoint Zero-Day for Persistent Network Access


What happened

A suspected Chinese state-backed threat group tracked as UNC6201 exploited a critical hardcoded credential vulnerability in Dell RecoverPoint for Virtual Machines, tracked as CVE-2026-22769, in zero-day attacks beginning in mid-2024. Security researchers from Mandiant and Google Threat Intelligence Group (GTIG) found the flaw allowed unauthenticated attackers to gain root-level access and persistent control over affected systems. After initial compromise, attackers deployed malware including the Grimbolt backdoor and used techniques such as creating hidden “Ghost NIC” network interfaces on VMware ESXi servers to move laterally and maintain access across victim environments. The attacks targeted systems lacking traditional endpoint detection and response tools, enabling long-term persistence within enterprise virtual infrastructure. 

Who is affected

Organizations running vulnerable versions of Dell RecoverPoint for Virtual Machines, particularly those using VMware-based virtual infrastructure, are affected, as attackers could gain root-level access and persistent control over backup and recovery systems. 

Why CISOs should care

The exploitation of a zero-day vulnerability in enterprise backup and virtualization infrastructure demonstrates how attackers can gain persistent access to critical systems that manage virtual machines and sensitive organizational data. 

3 practical actions

  • Apply Dell security updates immediately. Upgrade RecoverPoint for Virtual Machines to patched versions to remediate CVE-2026-22769. 
  • Monitor virtual infrastructure for unusual activity. Detect unauthorized network interfaces, persistence mechanisms, or malware deployment. 
  • Audit backup and recovery systems. Review systems managing VMware virtual machines for indicators of compromise or unauthorized access.
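One way to act on the second and third points above is a baseline drift check on the network interface inventory of each hypervisor host: record a known-good list of VMkernel and virtual interfaces per host, re-export it on a schedule, and alert on anything added, removed or re-wired since the baseline. The script below is an added example written for this page, not tooling from Dell, Mandiant or GTIG. The `host,interface,mac,portgroup` line format and the sample inventories are constructed assumptions; produce the real export from your own collection tooling.

```python
"""Baseline drift check for hypervisor network interface inventories.

Added example (not from the article or the vendors it cites). Compares a
known-good inventory of interfaces per host against a fresh export and
reports interfaces that were added, removed or re-wired. The CSV-style
line format below is an assumption for this example.
"""
from collections import defaultdict

# Constructed sample data: a baseline taken at a known-good point in time
# and a later export that contains one unexpected interface on esxi01 and
# one interface moved to a different port group on esxi02.
BASELINE = """\
# host,interface,mac,portgroup
esxi01,vmk0,00:50:56:AA:BB:01,Management Network
esxi01,vmk1,00:50:56:AA:BB:02,vMotion
esxi02,vmk0,00:50:56:AA:CC:01,Management Network
"""

CURRENT = """\
# host,interface,mac,portgroup
esxi01,vmk0,00:50:56:aa:bb:01,Management Network
esxi01,vmk1,00:50:56:aa:bb:02,vMotion
esxi01,vmk9,00:50:56:aa:bb:99,Management Network
esxi02,vmk0,00:50:56:aa:cc:01,Backup Network
"""


def parse_inventory(text):
    """Return {host: {interface: (mac, portgroup)}} from CSV-style lines.

    Blank lines and '#' comments are skipped; MACs are normalised to
    lower case so a case difference alone is not reported as a change.
    """
    inventory = defaultdict(dict)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, iface, mac, portgroup = (f.strip() for f in line.split(",", 3))
        inventory[host][iface] = (mac.lower(), portgroup)
    return dict(inventory)


def diff_inventories(baseline, current):
    """Per host, list interfaces added, removed or changed since baseline.

    Hosts present in only one of the two inventories are compared against
    an empty set, so a brand-new host shows every interface as 'added'.
    """
    findings = {}
    for host in sorted(set(baseline) | set(current)):
        base = baseline.get(host, {})
        cur = current.get(host, {})
        added = sorted(set(cur) - set(base))
        removed = sorted(set(base) - set(cur))
        changed = sorted(i for i in set(base) & set(cur) if base[i] != cur[i])
        if added or removed or changed:
            findings[host] = {"added": added, "removed": removed, "changed": changed}
    return findings


def format_findings(findings, baseline, current):
    """Render findings as one alert line per interface, for a ticket or SIEM."""
    lines = []
    for host, f in findings.items():
        for iface in f["added"]:
            mac, pg = current[host][iface]
            lines.append(f"[{host}] ADDED {iface} mac={mac} portgroup={pg!r}")
        for iface in f["removed"]:
            mac, pg = baseline[host][iface]
            lines.append(f"[{host}] REMOVED {iface} mac={mac} portgroup={pg!r}")
        for iface in f["changed"]:
            lines.append(
                f"[{host}] CHANGED {iface} {baseline[host][iface]} -> {current[host][iface]}"
            )
    return lines


def run_check(baseline_text, current_text):
    """Parse both exports, diff them and return the alert lines."""
    base = parse_inventory(baseline_text)
    cur = parse_inventory(current_text)
    return format_findings(diff_inventories(base, cur), base, cur)


if __name__ == "__main__":
    for alert in run_check(BASELINE, CURRENT):
        print(alert)
```

Anything reported as added is the case to triage first: an interface that no change record explains is exactly the kind of artefact the advisory's "hidden network interface" description points at. Re-baseline only after the change has been confirmed as legitimate, otherwise the drift check silently absorbs it.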