Maximize the velocity of your software security lifecycle with Endor at https://go.lowlevel.tv/endor

https://cloud.google.com/blog/topics/threat-intelligence/unc6201-exploiting-dell-recoverpoint-zero-day

🏫 MY COURSES
Sign-up for my FREE 3-Day C Course: https://lowlevel.academy

🧙‍♂️ HACK YOUR CAREER
Wanna learn to hack? Join my new CTF platform: https://stacksmash.io

⌨️ KEYBOARD
Like what you hear? Grab a Q5 at https://go.lowlevel.tv/keyboard

🔥COME HANG OUT   
Check out my other stuff: https://lowlevel.tv

Low Level Learning

A Chinese threat actor known as Silk Typhoon (UNC5221) is actively exploiting CVE-2026-22769 in Dell RecoverPoint virtual machine management software. The vulnerability stems from a hardcoded admin password embedded in the software binary, which can be trivially extracted using the 'strings' command. Because the same password is used across all deployments, attackers can use it to deploy a malicious WAR file to the Tomcat server, execute code as root, and install a C-based backdoor called Grimble. The video explains symmetric vs. asymmetric cryptography to illustrate why shared hardcoded keys are dangerous, and proposes solutions like per-deployment key rolling or PKI-based authentication. Silk Typhoon's broader tactics are also covered, including exploiting VPN concentrators and using hidden network interfaces with iptables rules to evade monitoring. Detection signatures from Google Threat Intelligence are shared for defenders using Dell RecoverPoint.

they hardcoded the password. thats the hack.

I’ve seen similar issues in Huawei GPON/ONT devices (like HG8245, HG8546M). They often ship with a hardcoded super-admin account (telecomadmin / admintelecom), and the key problem is that a normal user cannot easily change or disable it from the UI.
While it is technically possible to modify or disable the account by downloading and decrypting the router’s config file (hw_ctree.xml), editing it, and re-uploading it — this requires external tools, manual decryption, and careful reconfiguration. That’s far beyond what an average user can realistically do.

Wonderful. Looks like a responsible needs to be fired.

&quot;The vulnerability stems from a hardcoded admin password embedded in the software binary… &quot;. Really? Geez!