Canadian Cyber Security Journal
Filed under: TechTalk

Dell RecoverPoint CVE-2026-22769: China-Nexus Hackers Exploited This CVSS 10 Flaw Since 2024 as CISA Demands Three-Day Federal Patch

What Happened

On May 8, 2026, CISA added CVE-2026-22769 to its Known Exploited Vulnerabilities (KEV) catalog and ordered Federal Civilian Executive Branch agencies to remediate within three days — an expedited deadline reserved for the most urgent, actively exploited flaws. The vulnerability carries a CVSS score of 10.0, the highest possible rating.

CVE-2026-22769 is a hardcoded-credential vulnerability in Dell RecoverPoint for Virtual Machines, a product that provides continuous data protection and recovery for VMware virtual machine workloads. All versions prior to 6.0.3.1 HF1 are affected. The appliance runs Apache Tomcat with the Tomcat Manager application enabled and a hardcoded password for the "admin" account. Because that credential is embedded in the appliance firmware rather than set per installation, it is effectively public: a remote attacker who holds no legitimate credentials for the appliance authenticates to Tomcat Manager with it, deploys a web shell (tracked as SLAYSTYLE) through the /manager/text/deploy endpoint, and from there executes commands as root on the underlying operating system.

Google Mandiant and the Google Threat Intelligence Group (GTIG) attribute active exploitation of this flaw to UNC6201, a China-nexus threat cluster that has been exploiting RecoverPoint appliances since at least mid-2024, roughly two years before CISA's public KEV addition. After gaining root access, UNC6201 drops the BRICKSTORM backdoor or its newer variant GRIMBOLT, which adds further detection-evasion capabilities. The group creates temporary virtual network interfaces, referred to as Ghost NICs, to pivot from the compromised VMware environment into internal networks and SaaS-connected systems, then deletes those interfaces to minimize forensic traces.

Why This Matters for Canadian Organizations

Dell RecoverPoint is deployed across enterprises, healthcare systems, government data centres, and managed service providers wherever VMware is the virtualization platform of choice. Because it sits at the backup and recovery layer, a compromised RecoverPoint appliance gives an attacker access to backup data — which often contains copies of all production workloads — and a privileged network position from which to pivot across a VMware environment.

Canadian organizations face two compounding risks. First, the exploitation timeline means UNC6201 has had nearly two years to establish persistence in environments running unpatched RecoverPoint appliances. If your organization runs RecoverPoint and has not applied the 6.0.3.1 HF1 patch, treat the appliance as potentially compromised and conduct a forensic review; do not merely apply the patch and move on. Second, backup infrastructure is rarely held to the same patch-cycle discipline as production systems, so an organization whose VMware hosts are fully patched may still be running a recovery appliance that never received the available Dell update.

Under PIPEDA, a compromise of backup infrastructure holding personal information is a breach of security safeguards that must be assessed and, where it poses a real risk of significant harm, reported to the Office of the Privacy Commissioner and notified to affected individuals. The Canadian Centre for Cyber Security (CCCS) has tracked UNC6201-aligned Chinese threat activity as part of its broader advisories on China-nexus espionage targeting Canadian enterprise and government infrastructure.

What to Do

Apply the Dell RecoverPoint 6.0.3.1 HF1 patch immediately. It is the only complete remediation for CVE-2026-22769. As a stop-gap, organizations that cannot patch within 24 hours should remove RecoverPoint appliances from internet-facing network segments and restrict access to the Tomcat Manager interface to trusted management IP ranges. This reduces exposure but does not remove the hardcoded credential; anyone who can still reach the Manager endpoint can still use it.

Conduct a forensic review of RecoverPoint appliance logs for evidence of Tomcat Manager authentication activity (in particular successful logins as the "admin" account), web application deployments through /manager/text/deploy, and unexpected outbound network connections. Because exploitation predates the public advisory by up to two years, extend the review as far back as log retention allows, to mid-2024 where possible. Pay particular attention to temporary virtual network interface creation and deletion, which is UNC6201's signature evasion technique. If SLAYSTYLE, BRICKSTORM or GRIMBOLT artifacts are found, treat the incident as a full-environment compromise and engage your incident response team.
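The following script is an added example, written for this article rather than taken from Dell, Mandiant or the original post, of the log review and the access-restriction check described in the two paragraphs above. It parses Tomcat access-log lines in Tomcat's default AccessLogValve pattern (`%h %l %u %t "%r" %s %b`) and flags three things: successful deployments through the Manager deploy endpoints, any successful Manager request authenticated as the hardcoded "admin" account, and Manager requests from source addresses outside your trusted management ranges. A second function compares the output of the Manager's `list` command against the web applications you expect on the appliance. The log lines, the trusted CIDR, the baseline of expected applications and the deployed context path `/x` are all constructed for the example; the real RecoverPoint log location, port and baseline are not given by the article and must be taken from your own appliance.

```python
import ipaddress
import re
from dataclasses import dataclass

# Tomcat's default AccessLogValve pattern: %h %l %u %t "%r" %s %b
# With BASIC auth enabled on the Manager app, %u is the authenticated user.
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Manager endpoints that change the set of deployed web applications.
# /manager/text/deploy is the one named in the advisory; the HTML-form
# equivalents reach the same deployer and are included for completeness.
DEPLOY_PATHS = (
    "/manager/text/deploy",
    "/manager/text/undeploy",
    "/manager/html/upload",
    "/manager/html/deploy",
)
RANK = {"medium": 1, "high": 2, "critical": 3}


@dataclass
class Finding:
    severity: str
    reason: str
    line: str


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def _source_ip(host):
    # Tomcat may log a hostname if resolveHosts is on; treat that as unknown.
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def review_access_log(lines, trusted_cidrs, hardcoded_user="admin"):
    """Flag Tomcat Manager activity worth a closer look, in log order."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None or not rec["path"].startswith("/manager/"):
            continue
        path = rec["path"].split("?", 1)[0]      # drop ?path=...&update=...
        success = rec["status"].startswith("2")
        reasons = []
        if success and path.startswith(DEPLOY_PATHS):
            reasons.append(("critical",
                            f"web application deployed via {path} as user '{rec['user']}'"))
        if success and rec["user"] == hardcoded_user:
            reasons.append(("high",
                            f"Manager request authenticated as the hardcoded '{hardcoded_user}' account"))
        src = _source_ip(rec["host"])
        if src is None or not any(src in net for net in trusted):
            reasons.append(("medium",
                            f"Manager request from {rec['host']}, outside trusted management ranges"))
        if reasons:
            severity = max(reasons, key=lambda r: RANK[r[0]])[0]
            findings.append(Finding(severity, "; ".join(r for _, r in reasons), raw.strip()))
    return findings


def unexpected_contexts(list_output, baseline):
    """Parse the Manager text interface's 'list' output (one
    contextPath:status:sessions:docBase line per application after the
    'OK - Listed applications...' header) and return paths not in baseline."""
    found = []
    for line in list_output.splitlines()[1:]:
        parts = line.strip().split(":")
        if len(parts) >= 4 and parts[0] not in baseline:
            found.append(parts[0])
    return found


# Constructed sample data; not from a real appliance.
SAMPLE_LOG = """\
10.10.5.21 - - [07/May/2026:09:12:44 +0000] "GET / HTTP/1.1" 200 5120
10.10.5.21 - admin [07/May/2026:09:13:02 +0000] "GET /manager/text/list HTTP/1.1" 200 211
203.0.113.45 - admin [08/May/2026:02:14:07 +0000] "PUT /manager/text/deploy?path=/x&update=true HTTP/1.1" 200 31
198.51.100.7 - - [08/May/2026:03:40:00 +0000] "GET /manager/html HTTP/1.1" 401 2473
"""
SAMPLE_LIST = """\
OK - Listed applications for virtual host [localhost]
/:running:0:ROOT
/manager:running:0:manager
/x:running:1:x
"""
TRUSTED_MGMT = ["10.10.0.0/16"]           # hypothetical management network
EXPECTED_APPS = {"/", "/manager"}         # hypothetical appliance baseline

if __name__ == "__main__":
    for f in review_access_log(SAMPLE_LOG.splitlines(), TRUSTED_MGMT):
        print(f"[{f.severity.upper()}] {f.reason}\n    {f.line}")
    print("unexpected web applications:", unexpected_contexts(SAMPLE_LIST, EXPECTED_APPS))
```

Run it against the appliance's own access log and a fresh `list` output to get a first triage list; the medium findings show whether the management-range restriction from the previous paragraph is actually holding, and any critical finding dated before your patch date should be handed to incident response rather than closed by patching.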

Extend patch cycle discipline to backup and recovery infrastructure with the same urgency applied to production systems. Backup appliances sitting on the same network as production VMware environments represent high-value targets for actors seeking data access and lateral movement capability.

Source: BleepingComputer | The Hacker News
