A suspected Chinese espionage group exploited hardcoded admin credentials in Dell RecoverPoint for Virtual Machines to deploy web shells and maintain persistence in enterprise VMware environments.

CSO Online offers insights into cybersecurity, risk management, and IT leadership, providing articles, reports, and expert analysis to help security professionals navigate the evolving threat landscape and protect their organizations from cyber attacks. By exploring CSO Online's curated content, CISOs, security managers, and IT executives can learn about threat intelligence, security frameworks, and incident response strategies for building resilient cybersecurity programs. Whether you're defending against ransomware, phishing attacks, or insider threats, CSO Online offers resources to strengthen your security posture and safeguard your digital assets.

CSO Online

A Chinese cyberespionage group tracked as UNC6201 exploited a critical zero-day vulnerability (CVE-2026-22769) in Dell RecoverPoint for Virtual Machines for approximately 18 months. The flaw stems from hardcoded admin credentials in Apache Tomcat Manager, enabling unauthenticated root-level command execution via malicious WAR file deployment. Mandiant researchers discovered the vulnerability while investigating C2 traffic linked to backdoors BRICKSTORM and GRIMBOLT, plus a web shell called SLAYSTYLE. The attackers also employed novel evasion techniques including deploying 'ghost NICs' on VMware ESXi VMs to obscure network activity. Dell has released a patch (version 6.0.3.1 HF1) and a remediation script for affected versions.

Chinese hackers exploited zero-day Dell RecoverPoint flaw for 1.5 years