Critical Dell Zero-Day Flaw Actively Exploited
A significant zero-day vulnerability in Dell's RecoverPoint storage solution has been actively exploited since mid-2024, according to a recent security briefing. The flaw, which allows unauthenticated root access, has been leveraged by a suspected Chinese threat group using backdoors named Brickstorm and Grimbolt.
- The vulnerability, identified as CVE-2026-22769, is a critical hardcoded credential flaw with the highest possible severity score (10.0 CVSS). It allows a remote attacker who knows the credential to gain root-level access to the underlying operating system of Dell's RecoverPoint for Virtual Machines, a backup and disaster recovery solution for VMware.
- The threat actor, designated UNC6201 and suspected to have links to China, has been exploiting this vulnerability since at least mid-2024 to move laterally within networks, maintain persistent access, and deploy additional malware.
- Post-exploitation, the attackers deployed a web shell called SLAYSTYLE and the BRICKSTORM backdoor, later replacing BRICKSTORM with a more advanced C# backdoor named GRIMBOLT in September 2025. GRIMBOLT is harder to reverse engineer as it is compiled using native ahead-of-time (AOT) compilation and packed with UPX.
- The attackers used novel tactics to pivot into VMware virtual infrastructure, including creating "Ghost NICs" (hidden virtual network interfaces) for stealthy network movement and using Single Packet Authorization to control traffic covertly.
- Dell released a patch on February 17, 2026, and urges customers using RecoverPoint for Virtual Machines versions prior to 6.0.3.1 HF1 to upgrade immediately. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities catalog, requiring federal agencies to apply the patch by February 21, 2026.
- This incident highlights the significant risk posed by supply chain vulnerabilities to public sector and critical infrastructure, as these organizations are prime targets for cyberattacks that can disrupt essential services and compromise sensitive data. In 2024, 70% of attacks involved critical infrastructure, with 26% exploiting public-facing applications.
- While fewer than a dozen organizations are known to have been impacted, the full extent of the campaign is unknown. The attack specifically targets backup and recovery infrastructure, giving attackers access to critical systems deep inside enterprise networks.
- The incident is part of a broader trend of escalating cyber espionage from China-nexus groups, which saw a 150% surge in activity in 2024, with a strategic shift towards pre-positioning within critical infrastructure networks for potential future disruptive attacks.
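The briefing's remediation guidance hinges on one comparison: any RecoverPoint for Virtual Machines build prior to 6.0.3.1 HF1 is unpatched. A naive string or dotted-number comparison gets the hotfix suffix wrong (6.0.3.1 and 6.0.3.1 HF1 share the same numeric parts, yet only the latter is fixed). The following is an added example, not code from Dell or from the briefing, that triages an asset inventory against that threshold. It assumes version strings take the form "MAJOR.MINOR.PATCH.BUILD" with an optional " HFn" hotfix suffix; the inventory entries are constructed sample data, and `PATCHED_VERSION`, `parse_version`, `is_vulnerable` and `hosts_needing_upgrade` are names chosen for this example.

```python
import re
from typing import List, Tuple

# Patched build named in the briefing above. The "MAJOR.MINOR.PATCH.BUILD[ HFn]"
# layout is an assumption made for this example.
PATCHED_VERSION = "6.0.3.1 HF1"

# Constructed sample inventory: (asset name, reported RecoverPoint for VMs version).
INVENTORY: List[Tuple[str, str]] = [
    ("rp-vm-01", "6.0.3.1"),        # same numeric build, no hotfix -> still exposed
    ("rp-vm-02", "6.0.3.1 HF1"),    # patched build
    ("rp-vm-03", "5.8.2.0"),        # older release -> exposed
    ("rp-vm-04", "6.0.3.2"),        # later build supersedes the hotfix
]

_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[Tuple[int, ...], int]:
    """Split 'a.b.c.d' or 'a.b.c.d HFn' into (numeric components, hotfix number).

    A missing hotfix suffix counts as hotfix 0, so '6.0.3.1' sorts strictly
    before '6.0.3.1 HF1'. Short strings are padded so '6.1' compares like '6.1.0.0'.
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    if len(parts) < 4:
        parts = parts + (0,) * (4 - len(parts))
    hotfix = int(match.group(2)) if match.group(2) else 0
    return parts, hotfix


def is_vulnerable(installed: str, patched: str = PATCHED_VERSION) -> bool:
    """True when the installed build is older than the patched build.

    Tuple comparison is lexicographic: numeric components decide first, and the
    hotfix number only breaks ties between otherwise identical builds.
    """
    return parse_version(installed) < parse_version(patched)


def hosts_needing_upgrade(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the names of assets whose reported version predates the fix."""
    return [name for name, version in inventory if is_vulnerable(version)]


if __name__ == "__main__":
    for name in hosts_needing_upgrade(INVENTORY):
        print(f"{name}: upgrade to {PATCHED_VERSION} or later")
```

Because the briefing dates exploitation to mid-2024, well before the February 2026 patch, a version check only tells you which appliances are still exposed; it says nothing about whether an appliance was already compromised. Assets that show up in the upgrade list should also be reviewed for the post-exploitation indicators the briefing names (an unexpected web shell, unexplained virtual NICs on the VMware side) before being treated as clean.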