A new report from Google Mandiant and Google Threat Intelligence Group (GTIG) claims that since mid-2024, a suspected China-nexus threat cluster tracked as UNC6201 has been exploiting a maximum-severity security flaw in Dell RecoverPoint for Virtual Machines as a zero-day. The flaw, CVE-2026-22769 (CVSS score: 10.0), is a hard-coded credentials issue affecting versions before 6.0.3.1 HF1.

RecoverPoint Classic and other products are not susceptible to the defect. In a bulletin issued Tuesday, Dell stated, "This is considered critical as an unauthenticated remote attacker with knowledge of the hardcoded credential could potentially exploit this vulnerability, leading to unauthorized access to the underlying operating system and root-level persistence."

The following products are affected, with Dell's remediation for each:

- RecoverPoint for Virtual Machines Version 5.3 SP4 P1: upgrade from 5.3 SP4 P1 to 6.0 SP3 before moving on to 6.0.3.1 HF1.
- RecoverPoint for Virtual Machines Versions 6.0, 6.0 SP1, 6.0 SP1 P1, 6.0 SP1 P2, 6.0 SP2, 6.0 SP2 P1, 6.0 SP3, and 6.0 SP3 P1: upgrade to 6.0.3.1 HF1.
- RecoverPoint for Virtual Machines Versions 5.3 SP2, 5.3 SP3, 5.3 SP4, and previous versions: apply the required remediation after upgrading to version 5.3 SP4 P1 or a 6.x version.

The bulletin also stated that "Dell advises that RecoverPoint for Virtual Machines be implemented within a reliable, access-controlled internal network that is safeguarded by suitable firewalls and network segmentation."

Additionally, an examination of the compromised VMware vCenter appliances uncovered iptables commands, issued through the web shell, that together performed the following sequence: monitor incoming traffic on port 443 for a particular hex string; add the source IP address of any matching traffic to a list; accept the connection if that IP then connects to port 10443; and, while the IP remains on the allowed list, silently reroute any further traffic from it destined for port 443 to port 10443 for the next 300 seconds (five minutes). In September 2025, the threat actor was also observed replacing outdated BRICKSTORM binaries with GRIMBOLT.
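A firewall-rule modification of this kind leaves a footprint in the appliance's ruleset itself, so a quick triage check is to scan `iptables-save` output for the combination of features the article describes (payload string matching on port 443, source-IP tracking via the recent module, and redirection of port 443 traffic to another port). The following is an added example written for this article, not code from the report or from Dell; the rule lines it scans are constructed to sketch that behaviour and are not real indicators from the intrusion.

```python
import re

# Constructed sample in `iptables-save` style. The first two nat rules and the first
# filter rule mimic the described knock-and-redirect chain; the others are benign noise.
SAMPLE_RULES = """\
*nat
-A PREROUTING -p tcp --dport 443 -m string --hex-string "|41424344|" --algo bm -m recent --set --name knock --rsource -j ACCEPT
-A PREROUTING -p tcp --dport 443 -m recent --rcheck --seconds 300 --name knock --rsource -j REDIRECT --to-ports 10443
-A PREROUTING -p tcp --dport 8080 -j REDIRECT --to-ports 80
COMMIT
*filter
-A INPUT -p tcp --dport 10443 -m recent --rcheck --name knock --rsource -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
"""

# Matches REDIRECT/DNAT targets and captures the destination port.
REDIRECT_RE = re.compile(r"-j (?:REDIRECT --to-ports |DNAT --to-destination \S*?:)(\d+)")


def find_suspicious_rules(iptables_save_text):
    """Return a list of (rule_line, [reasons]) for rules carrying knock-and-redirect indicators."""
    findings = []
    for line in iptables_save_text.splitlines():
        if not line.startswith("-A"):
            continue  # skip table headers, COMMIT lines and chain policies
        reasons = []
        on_443 = re.search(r"--dport 443\b", line) is not None
        if on_443 and "-m string" in line:
            reasons.append("payload string match on port 443")
        if "-m recent" in line:
            reasons.append("recent module tracks source IPs")
        m = REDIRECT_RE.search(line)
        if m and on_443 and m.group(1) != "443":
            reasons.append(f"port 443 traffic redirected to {m.group(1)}")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for rule, why in find_suspicious_rules(SAMPLE_RULES):
        print(rule)
        for r in why:
            print("   ->", r)
```

On a live host, feed the script the real output of `iptables-save` (and `nft list ruleset` where nftables is in use) and review every flagged rule against the appliance's documented baseline.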

Although GRIMBOLT shares the same command-and-control (C2) and remote shell capability as BRICKSTORM, it is unclear what prompted the switch to the harder-to-detect malware, whether it was a planned change or a reaction to the public reporting on BRICKSTORM. According to Carmakal, "Nation-state threat actors continue targeting systems that don't commonly support EDR solutions, which significantly prolongs intrusion dwell times and makes it very difficult for victim organizations to know they are compromised." The disclosure comes as Dragos issued a warning about attacks by Chinese groups such as Volt Typhoon (also known as Voltzite) that compromise Sierra Wireless Airlink gateways in the oil and gas and electric sectors before pivoting to engineering workstations to dump configuration and alarm data.

The cybersecurity firm claims that the activity happened in July 2025.