Dell Zero-Day Under Fire: The CVE-2026-22769 Crisis

carlos

 



In the high-stakes world of cybersecurity, the discovery of a vulnerability with a CVSS score of 10.0, the maximum the scale allows, is a rare and alarming event. It becomes even more concerning when that vulnerability is not just a theoretical risk but has been actively exploited in the wild for over a year. Such is the case with CVE-2026-22769, a critical flaw in Dell’s RecoverPoint for Virtual Machines that suspected Chinese state-sponsored hackers have leveraged to burrow deep into enterprise networks since mid-2024.


This article dissects the anatomy of this maximum-severity vulnerability, explores the sophisticated attack chain orchestrated by the threat group known as UNC6201, and analyzes the broader implications for global enterprise security.


Part 1: The Anatomy of a Perfect Score (CVE-2026-22769)


The Vulnerability: A Hardcoded Secret

At its core, CVE-2026-22769 is a testament to an old but devastatingly effective security sin: the use of hard-coded credentials. Discovered and reported to Dell by Peter Ukhanov from Google’s Mandiant team, the vulnerability resides in Dell RecoverPoint for Virtual Machines, a data replication and disaster recovery product built specifically for VMware environments.


The flaw exists in the appliance’s embedded Apache Tomcat web interface. Specifically, the configuration file at `/home/kos/tomcat9/conf/tomcat-users.xml` contained hardcoded administrative credentials for the Tomcat Manager application. These are not passwords that administrators set during deployment; they are baked into the software itself. Any attacker who knows where to look (or, in this case, simply knows the default credentials) can therefore gain significant control.
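As an added example (not code from the article or from Dell), here is the audit a defender can run against a copy of `tomcat-users.xml` taken off an appliance: it lists every account that holds a Tomcat Manager role, which is exactly what made a baked-in credential exploitable. The sample file, its usernames and its passwords are constructed placeholders; the four role names are Tomcat’s own.

```python
import xml.etree.ElementTree as ET

# Roles that grant access to the Tomcat Manager application (Tomcat's own
# role names). Any account holding one of them can deploy a WAR file.
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status"}

# Constructed stand-in for a tomcat-users.xml. The usernames and passwords
# are placeholders; they are not the appliance's real credentials.
SAMPLE_TOMCAT_USERS = """\
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <role rolename="manager-script"/>
  <role rolename="manager-gui"/>
  <role rolename="app-user"/>
  <user username="builtin-admin" password="PLACEHOLDER" roles="manager-script,manager-gui"/>
  <user username="reporting" password="PLACEHOLDER" roles="app-user"/>
</tomcat-users>
"""


def find_manager_accounts(xml_text):
    """Return (username, sorted manager roles) for every account that can
    reach the Manager application, in document order."""
    root = ET.fromstring(xml_text)
    flagged = []
    for elem in root.iter():
        # Tags carry the namespace, e.g. '{http://tomcat.apache.org/xml}user'.
        if elem.tag.split("}", 1)[-1] != "user":
            continue
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        granted = roles & MANAGER_ROLES
        if granted:
            flagged.append((elem.get("username"), sorted(granted)))
    return flagged


def audit_tomcat_users_file(path):
    """Audit a tomcat-users.xml copied off the appliance."""
    with open(path, encoding="utf-8") as fh:
        return find_manager_accounts(fh.read())


if __name__ == "__main__":
    for user, roles in find_manager_accounts(SAMPLE_TOMCAT_USERS):
        print(f"Manager-capable account: {user} roles={','.join(roles)}")
```

On a patched appliance the expected result is an empty list. Any account that still appears is worth explaining: either it was set deliberately by the operator, or it is the kind of vendor-shipped credential this advisory is about.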


The Impact: Root-Level Persistence

The CVSS 3.1 score of 10.0 is reserved for vulnerabilities that are trivial to exploit and have catastrophic consequences. CVE-2026-22769 fits this mold perfectly. The attack vector is network (AV:N), no privileges are required (PR:N), and no user interaction is needed (UI:N). With the hardcoded credentials in hand, an unauthenticated remote attacker can log in to the Tomcat Manager interface.


Once authenticated, the attacker can deploy a malicious Web Application Archive (WAR file) via the `/manager/text/deploy` endpoint. Because the Tomcat service runs with elevated privileges, this deployment results in arbitrary code execution as root on the underlying operating system. In essence, the attacker is handed the master key to the appliance, allowing them to establish backdoors, steal data, and ensure they can return at will.


Part 2: The Long Con - UNC6201’s 18-Month Campaign


Who is UNC6201?

The group identified as exploiting CVE-2026-22769 is tracked by Mandiant and Google’s Threat Intelligence Group (GTIG) as UNC6201. This is a suspected China-nexus threat cluster known for targeting enterprise network infrastructure. While there are overlaps with another group, UNC5221 (associated with Silk Typhoon), researchers treat them as distinct but likely related entities.


What makes UNC6201 particularly dangerous is its patience and focus. Rather than conducting smash-and-grab raids, they establish long-term, stealthy persistence inside high-value targets—specifically, the disaster recovery and virtual infrastructure layers of large organizations.


The Attack Chain: From Zero-Day to Full Network Pivot

The exploitation of CVE-2026-22769 is not just about dropping a single piece of malware; it is a multi-stage invasion. The earliest evidence of this campaign dates back to mid-2024.


Stage 1: Initial Access - The WAR Deployment

The attack begins with the exploitation of the vulnerability. Using the hardcoded credentials, UNC6201 sends a `PUT` request to the Tomcat Manager to deploy a malicious WAR file. The observed request looked like this: `PUT /manager/text/deploy?path=/slaystyle&update=true`. This action deployed the SLAYSTYLE web shell onto the appliance, giving the attackers a persistent foothold and the ability to execute system commands remotely.


Stage 2: Establishing the Foothold - The Malware Trio

With remote command execution secured, the attackers moved to consolidate their control by deploying two primary backdoors:

- BRICKSTORM: An initial backdoor, written in Go, used for persistent access and reconnaissance.

- GRIMBOLT (The Evolution): In September 2025, researchers observed a significant shift: the older BRICKSTORM binaries were replaced with a new, more sophisticated backdoor dubbed GRIMBOLT. This C-based malware was compiled using .NET’s Native Ahead-of-Time (AOT) compilation and packed with UPX. The technique is significant because it eliminates the .NET intermediate-language metadata that static analysis normally relies on, making the binary far harder to analyse, and it improves execution speed on the resource-constrained RecoverPoint appliances.


Stage 3: Persistence - Hiding in Plain Sight

To ensure they did not lose access on reboot, UNC6201 employed a clever persistence mechanism. They modified a legitimate system script used for host configuration, `/home/kos/kbox/src/installation/distribution/convert_hosts.sh`. By appending the path to their backdoors to this script, they guaranteed that the malware would run every time the system started, effectively tying their malicious code to the appliance’s core functionality.


Part 3: Beyond the Appliance - The "Ghost NICs" Technique


Perhaps the most fascinating and alarming aspect of this campaign is what the attackers did after compromising the Dell appliance. They didn't just stay on the RecoverPoint box; they used it as a launchpad to infiltrate the wider VMware ecosystem.


Mandiant’s CTO, Charles Carmakal, highlighted a novel technique dubbed "Ghost NICs". After compromising the virtual infrastructure, UNC6201 would temporarily create new virtual network interfaces (NICs) on existing virtual machines running on VMware ESXi servers. These "ghost" interfaces were fleeting and undocumented.


This technique serves a dual purpose for the attackers:

1. Stealthy Pivoting: It allows them to silently pivot from the compromised appliance into internal networks, SaaS environments, and other restricted areas without triggering alarms on physical hardware.

2. Defense Evasion: For defenders, chasing network traffic from an IP address that was routed to a "ghost" NIC that no longer exists is a forensic nightmare. It leaves investigators tracing ephemeral connections that lead to dead ends.


Furthermore, the group used Single Packet Authorization (SPA) via `iptables` on compromised vCenter servers. They set up rules that watched port 443 for a specific hex string; if a packet carried this secret knock, the source IP was temporarily allowed to connect to a hidden backdoor on port 10443, giving them a covert channel for command and control.
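To show what that SPA setup looks like from the defender’s side, here is an added example (not from the article, Mandiant or VMware) that scans `iptables-save` output for the two halves of the knock: a payload string match on port 443, and a non-standard port that is only opened for sources remembered by an `iptables` `recent` list. The rule text, the hex string, the list name and the exact rule shape are constructed from the description above, not captured rules; the expected-port set is an assumption for the example.

```python
import shlex

# Ports the appliance is expected to serve (assumption for this example).
EXPECTED_PORTS = {"443"}

# Constructed iptables-save excerpt modelled on the knock described above.
# The hex string, the 'recent' list name and the rule ordering are placeholders.
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m string --hex-string "|1122334455667788|" --algo bm -m recent --set --name knock --rsource -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10443 -m recent --rcheck --seconds 60 --name knock --rsource -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10443 -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""


def parse_rule(line):
    """Map each option of an '-A CHAIN ...' line to the list of its values.
    Flags that take no value (e.g. --set, --rsource) map to ''."""
    tokens = shlex.split(line)
    opts = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-"):
            has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
            opts.setdefault(tok, []).append(tokens[i + 1] if has_value else "")
            i += 2 if has_value else 1
        else:
            i += 1
    return opts


def find_spa_rules(iptables_save_text):
    """Return (finding, rule) pairs for rules that look like a packet knock."""
    findings = []
    for line in iptables_save_text.splitlines():
        if not line.startswith("-A "):
            continue
        opts = parse_rule(line)
        modules = set(opts.get("-m", []))
        dports = set(opts.get("--dport", []))
        if "string" in modules and "443" in dports:
            # Payload matching on a TLS port: a firewall has no reason to
            # inspect HTTPS bytes, so this is the knock detector.
            findings.append(("knock-detector", line))
        elif "recent" in modules and dports and not dports <= EXPECTED_PORTS:
            # A port outside the expected set, opened only for sources the
            # 'recent' list remembers: the hidden service behind the knock.
            findings.append(("knock-gated-port", line))
    return findings


if __name__ == "__main__":
    for kind, rule in find_spa_rules(SAMPLE_IPTABLES_SAVE):
        print(f"{kind}: {rule}")
```

The two checks are deliberately independent: the detector rule is suspicious on its own because a management appliance has no business matching bytes inside HTTPS traffic, and the gated port is suspicious on its own because it is outside the service’s expected listener set. Either one alone is enough to pull the full ruleset and the vCenter host into an investigation.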


Part 4: Response and the Race to Remediate


The Disclosure and the Patch

Following Mandiant’s discovery during incident response engagements, Dell moved swiftly to create a patch. The vulnerability affects a wide range of versions, including 5.3 SP4 P1 and all 6.0 versions prior to 6.0.3.1 HF1.


On February 17, 2026, Dell published a security advisory (DSA-2026-079) urging customers to upgrade to version 6.0.3.1 HF1 immediately. For those unable to upgrade right away, Dell also released a remediation script to mitigate the risk.


Government Intervention: CISA’s KEV Mandate

The severity of the active exploitation did not go unnoticed by government authorities. On February 18, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-22769 to its Known Exploited Vulnerabilities (KEV) catalog.


This is a significant step. It means that CISA, based on evidence of active harm, mandated that all Federal Civilian Executive Branch (FCEB) agencies patch their systems within three days, by February 21, 2026. The directive underscores the threat posed not only to private enterprises but to national security infrastructure.


Indicators of Compromise

For defenders, hunting for signs of this intrusion is critical. Key IOCs released by Mandiant and SecPod include:


- C2 Infrastructure:
  - IP: `149.248.11.71`
  - Endpoint: `wss://149.248.11.71/rest/apisession`
- GRIMBOLT (Backdoor) Hashes:
  - `24a11a26a2586f4fba7bfe89df2e21a0809ad85069e442da98c37c4add369a0c`
  - `dfb37247d12351ef9708cb6631ce2d7017897503657c6b882a711c0da8a9a591`
- SLAYSTYLE (Web Shell) Hash:
  - `92fb4ad6dee9362d0596fda7bbcfe1ba353f812ea801d1870e37bfc6376e624a`
- Suspicious Paths:
  - `/home/kos/tomcat9/conf/tomcat-users.xml`
  - `/var/lib/tomcat9` (WAR deployment location)
  - `/home/kos/kbox/src/installation/distribution/convert_hosts.sh` (modified persistence script)
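An added hunting script (not from Mandiant, SecPod, Dell or the article) that applies the IOCs above to the kinds of evidence collected from an appliance during triage: `sha256sum` output, the Tomcat access log (for the `PUT /manager/text/deploy` request from Stage 1), a socket listing, and the contents of `convert_hosts.sh` (the Stage 3 persistence script). The hash values, C2 address and script path are the page’s IOCs; every sample line, the documentation-range source addresses, the `/tmp/.cache/upd` file, the `gen_hosts.sh` command and the allow-listed path prefixes are constructed assumptions for the example.

```python
import re

# Indicators from the list above. The hash values and C2 address are the
# page's IOCs, not constructed.
KNOWN_BAD_SHA256 = {
    "24a11a26a2586f4fba7bfe89df2e21a0809ad85069e442da98c37c4add369a0c": "GRIMBOLT",
    "dfb37247d12351ef9708cb6631ce2d7017897503657c6b882a711c0da8a9a591": "GRIMBOLT",
    "92fb4ad6dee9362d0596fda7bbcfe1ba353f812ea801d1870e37bfc6376e624a": "SLAYSTYLE",
}
C2_IP = "149.248.11.71"

# Path prefixes convert_hosts.sh is assumed to legitimately reference
# (an assumption for this example; tune it against a pristine copy).
ALLOWED_PREFIXES = ("/home/kos/kbox/", "/etc/", "/bin/", "/usr/bin/", "/usr/sbin/", "/sbin/")

# --- Constructed evidence -------------------------------------------------
# sha256sum-style output. The first digest is SHA-256 of the empty string;
# the others reuse the page's IOC hashes against made-up file paths.
SAMPLE_SHA256SUMS = """\
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  /var/lib/tomcat9/webapps/ROOT/index.jsp
92fb4ad6dee9362d0596fda7bbcfe1ba353f812ea801d1870e37bfc6376e624a  /var/lib/tomcat9/webapps/slaystyle/x.jsp
24a11a26a2586f4fba7bfe89df2e21a0809ad85069e442da98c37c4add369a0c  /tmp/.cache/upd
"""
# Tomcat access log in common log format; source addresses come from the
# documentation ranges and the timestamps are invented.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [03/Feb/2026:11:02:14 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.10 - - [03/Feb/2026:11:02:15 +0000] "PUT /manager/text/deploy?path=/slaystyle&update=true HTTP/1.1" 200 61
198.51.100.7 - - [03/Feb/2026:11:05:00 +0000] "GET /slaystyle/ HTTP/1.1" 200 15
"""
# 'ss -tn'-style socket listing; the local addresses are invented.
SAMPLE_CONNECTIONS = """\
ESTAB 0 0 10.20.30.40:48122 149.248.11.71:443
ESTAB 0 0 10.20.30.40:48130 10.20.30.5:5432
"""
# Stand-in body for convert_hosts.sh with one appended line; the real
# script's contents are not reproduced here.
SAMPLE_CONVERT_HOSTS = """\
#!/bin/bash
# rebuild /etc/hosts from the cluster configuration
/home/kos/kbox/src/installation/distribution/gen_hosts.sh > /etc/hosts
/tmp/.cache/upd &
"""

DEPLOY_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "PUT /manager/text/deploy\?(?P<qs>[^ "]*)'
)
C2_RE = re.compile(r"(?<![\d.])" + re.escape(C2_IP) + r"(?![\d])")
ABS_PATH_RE = re.compile(r"(?<![\w./-])(/[\w.-]+(?:/[\w.-]+)*)")


def match_hashes(sha256sum_output):
    """(path, family) for every digest that matches a known-bad hash."""
    hits = []
    for line in sha256sum_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() in KNOWN_BAD_SHA256:
            hits.append((parts[1].strip(), KNOWN_BAD_SHA256[parts[0].lower()]))
    return hits


def find_deploy_requests(access_log):
    """(source IP, deployed context path) for every Manager deploy request."""
    hits = []
    for line in access_log.splitlines():
        m = DEPLOY_RE.match(line)
        if m:
            params = dict(p.split("=", 1) for p in m.group("qs").split("&") if "=" in p)
            hits.append((m.group("src"), params.get("path", "")))
    return hits


def find_c2_connections(socket_listing):
    """Lines of a socket listing that involve the C2 address."""
    return [ln for ln in socket_listing.splitlines() if C2_RE.search(ln)]


def find_persistence_additions(script_text):
    """(path, line) for commands in the persistence script that reach outside
    the allow-listed prefixes, i.e. candidates for an appended backdoor launch."""
    flagged = []
    for line in script_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for path in ABS_PATH_RE.findall(stripped):
            if not path.startswith(ALLOWED_PREFIXES):
                flagged.append((path, stripped))
    return flagged


if __name__ == "__main__":
    print("hash hits:", match_hashes(SAMPLE_SHA256SUMS))
    print("deploy requests:", find_deploy_requests(SAMPLE_ACCESS_LOG))
    print("c2 connections:", find_c2_connections(SAMPLE_CONNECTIONS))
    print("persistence additions:", find_persistence_additions(SAMPLE_CONVERT_HOSTS))
```

Hash matching is the weakest of the four checks, since a recompiled or repacked GRIMBOLT will not match; the access-log and `convert_hosts.sh` checks catch the behaviour rather than the artefact, which is why they are worth running even on an appliance whose files all hash clean.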


Conclusion: Lessons Learned in 2026


The CVE-2026-22769 incident is a textbook example of modern cyber-espionage. It highlights several enduring truths about enterprise security. First, the software supply chain matters: a single hardcoded credential in a piece of infrastructure software can bring down an entire organization. Second, disaster recovery is a double-edged sword: systems designed to save data in an emergency are often trusted implicitly, making them perfect hiding places for attackers. Finally, adversaries evolve: the shift from BRICKSTORM to the AOT-compiled GRIMBOLT shows that threat actors are constantly refining their tools to stay ahead of detection.


For organizations still running Dell RecoverPoint for Virtual Machines, the message from Dell, Mandiant, and CISA is crystal clear: assume compromise, inspect your logs for the IOCs, and patch immediately. The ghosts in the machine may already be lurking.
