Security researchers have identified a critical vulnerability in Dell RecoverPoint for Virtual Machines, a data protection solution. The vulnerability, tracked as CVE-2026-22769 with a CVSS score of 10.0, involves hard-coded credentials that allow unauthorized parties to gain administrative access to the underlying system.
Mandiant, in collaboration with Google Cloud, detailed the findings, noting that a threat cluster tracked as UNC6201—suspected to have a China nexus—has utilized this flaw since at least mid-2024. The activity includes lateral movement within networks, maintaining persistent access, and the deployment of specific tooling including Slaystyle, Brickstorm, and a novel backdoor identified as Grimbolt.
Technical Analysis of the Vulnerability
The vulnerability stems from the inclusion of default administrative credentials within the product's internal components. During their investigation of affected appliances, researchers observed web requests using the "admin" username directed at the Apache Tomcat Manager, a component used to deploy various parts of the RecoverPoint software.
Analysis of the Tomcat Manager configuration files revealed hard-coded default credentials for the admin user located in /home/kos/tomcat9/tomcat-users.xml.
With knowledge of these credentials, an unauthorized party can authenticate to the Dell RecoverPoint Tomcat Manager. From there, they may upload a malicious WAR file via the /manager/text/deploy endpoint, subsequently allowing them to execute commands as the root user on the appliance.
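Two defensive checks that follow from the description above, written as an added example (not Dell's, Mandiant's or Tomcat's own code): an audit of a tomcat-users.xml for accounts holding Tomcat Manager roles, and a scan of Tomcat access-log lines for requests to the Manager application. The XML and log lines are constructed for illustration, and the password values are placeholders rather than the real credentials.

```python
"""Defensive checks for the Tomcat Manager exposure described above (added
example, not Dell's or Mandiant's code). Sample XML and log lines are constructed;
the password values are placeholders, not the real credentials."""
import re
import xml.etree.ElementTree as ET

# Tomcat's built-in roles that grant access to the Manager application.
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status"}
# Constructed stand-in for /home/kos/tomcat9/tomcat-users.xml.
SAMPLE_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <user username="admin" password="PLACEHOLDER" roles="manager-script,manager-gui"/>
  <user username="reporting" password="PLACEHOLDER2" roles="viewer"/>
</tomcat-users>
"""

def audit_tomcat_users(xml_text):
    """Return (username, manager roles) for each account that can reach the Manager."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] != "user":  # strip the XML namespace prefix
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",")}
        privileged = sorted(roles & MANAGER_ROLES)
        if privileged:
            findings.append((el.get("username", ""), privileged))
    return findings

# Tomcat "common" access-log pattern: host ident user [time] "method target proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')

SAMPLE_ACCESS_LOG = [  # constructed lines; 10.0.0.x addresses are placeholders
    '10.0.0.5 - - [10/Jan/2026:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - admin [10/Jan/2026:12:00:07 +0000] "GET /manager/text/list HTTP/1.1" 200 88',
    '10.0.0.9 - admin [10/Jan/2026:12:00:09 +0000] "PUT /manager/text/deploy?path=/x HTTP/1.1" 200 63',
    '10.0.0.9 - - [10/Jan/2026:12:00:12 +0000] "PUT /manager/text/deploy?path=/y HTTP/1.1" 401 0',
]

def find_manager_requests(lines):
    """Return (client, user, method, path, status) for every request under /manager/."""
    hits = []
    for m in filter(None, map(LOG_RE.match, lines)):
        client, user, method, target, status = m.groups()
        path = target.split("?", 1)[0]  # drop the query string
        if path.startswith("/manager/"):
            hits.append((client, user, method, path, int(status)))
    return hits
```

On an appliance that is not supposed to expose the Manager at all, any hit from either function is worth investigating; a successful PUT to a deploy path by an authenticated user is the pattern to triage first.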
Dell’s advisory confirms the severity of the issue, stating that "an unauthenticated remote attacker with knowledge of the hard-coded credential could potentially exploit this vulnerability leading to unauthorized access to the underlying operating system and root-level persistence."
Observed Activity and Tooling
The UNC6201 cluster leveraged this access to compromise Dell appliances and, in certain instances, pivot into VMware virtual infrastructure. While the primary motivation appears to be cyber espionage, the technical methodology is notable for its use of custom tooling.
Mandiant Chief Technology Officer Charles Carmakal highlighted the technical sophistication of the Grimbolt backdoor. "This is a C# backdoor compiled using native ahead-of-time (AOT) compilation, making it harder to reverse engineer," Carmakal wrote.
This AOT compilation allows the malware to run more efficiently on appliances with limited resources while complicating static analysis efforts.
The Persistence of Hard-Coded Credentials
CVE-2026-22769 serves as a significant case study in the risks associated with static credentials in production software. In this instance, the keys to the system were included within the product build, allowing direct access to administrative functions.
While neither Dell nor the researchers has confirmed the exact origin of the oversight, industry experts suggest it most likely involves a configuration error during development. A Dell spokesperson stated, "We have received a report of limited active exploitation of this vulnerability."
Mayuresh Dani, Security Research Manager at Qualys, notes that such vulnerabilities often arise from internal or support accounts that are not properly removed or configured before release.
"Hardcoded or default accounts are often used to bind internal components together during early development and then become hard to unbind or [are] forgotten once configuration and orchestration code depends on them," Dani explained. "Moreover, security testing efforts are often focused on customer-facing login flows, leaving internal admin endpoints like Tomcat Manager or 'localhost only' ports to get less consistent review."
Dani added that this issue is particularly prevalent in older codebases and solutions that may carry "legacy design sins."
Martin Jartelius, AI Product Director at Outpost24, reinforced this view, suggesting that the longer a codebase exists, the higher the probability of encountering hidden default accounts, a pattern frequently seen in IoT and OT environments.
Remediation and Protection
Dell has released a security update to address CVE-2026-22769 and strongly recommends that customers take immediate action to secure their environments.
Organizations using Dell RecoverPoint for Virtual Machines should:
Upgrade immediately to version 6.0.3.1 HF1.
Apply the remediation script outlined in the official advisory if an immediate upgrade is not feasible.
By removing the static credentials or updating the software to a version where they are secured, organizations can effectively close this vector and protect their infrastructure from unauthorized access.