Executive Summary
Analysis of recent threat intelligence reveals the long-term exploitation of CVE-2026-22769, a critical zero-day vulnerability in Dell RecoverPoint for Virtual Machines (VMs). Since mid-2024, threat actors have leveraged hardcoded credentials within the appliance's Tomcat Manager to gain unauthenticated remote access, deploy web shells, obtain root persistence, and pivot into virtualized environments.
Technical Analysis: Vulnerability & Exploitation
CVE-2026-22769 is a hardcoded-credential vulnerability in the Tomcat Manager component of Dell RecoverPoint appliances that permits unauthenticated administrative access.
Initial Access & Execution
- Operators use the tool SLAYSTYLE to exploit the hardcoded credentials and upload malicious WAR files (web shells).
- Uploaded WARs provide remote command execution and lead to root-level persistence on the appliance OS.
Persistent Foothold
- Operators modify convert_hosts.sh (invoked from rc.local) to ensure backdoors survive reboots.
Malware Evolution: GRIMBOLT
- In late 2025, actors shifted to GRIMBOLT, an AOT-compiled, UPX-packed C# backdoor that improves execution on constrained appliances and reduces static-detection effectiveness.
Advanced Pivoting: "Ghost NICs" and SPA
- Ghost NICs: attackers create ephemeral, hidden virtual NICs on ESXi VMs to tunnel traffic and pivot without standard forensic artifacts.
- iptables Single Packet Authorization (SPA): appliances monitor port 443 for a hex trigger token, then temporarily whitelist and proxy traffic to port 10443.
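The knock-then-proxy sequence above (and the "Traffic Analysis" recommendation later on this page) can be hunted for in ordinary flow logs without knowing the trigger token: look for a source that touches port 443 and is then served on port 10443 shortly afterwards. The script below is an added example, not part of the advisory or any vendor tooling. It assumes a constructed, simplified flow-record format (epoch seconds, source, destination, destination port, bytes) and an assumed 300-second correlation window; adapt the parser to your NetFlow or Zeek export.

```python
"""Correlate a port-443 "knock" with follow-on traffic to port 10443.

Added example, not part of the advisory. Flow records use a constructed,
simplified format (epoch_seconds src_ip dst_ip dst_port bytes). The hex trigger
value itself is not needed: detection keys on the knock-then-proxy timing.
"""
from collections import defaultdict

TRIGGER_PORT = 443       # port the appliance watches for the trigger token (advisory)
PROXY_PORT = 10443       # port traffic is temporarily whitelisted and proxied to (advisory)
WINDOW_SECONDS = 300     # assumed: how soon after the knock the proxied traffic must start

# Constructed sample flows: documentation-range IPs, invented timestamps.
SAMPLE_FLOWS = """\
1700000000 203.0.113.10 192.0.2.50 443 120
1700000003 203.0.113.10 192.0.2.50 10443 4096
1700000010 198.51.100.7 192.0.2.50 443 8000
1700000012 198.51.100.7 192.0.2.50 443 7800
1700000900 203.0.113.10 192.0.2.50 10443 512
1700001000 198.51.100.9 192.0.2.50 10443 256
"""


def parse_flows(text):
    """Parse the constructed flow format into dicts, sorted by timestamp."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append({"ts": int(ts), "src": src, "dst": dst,
                      "dport": int(dport), "bytes": int(nbytes)})
    return sorted(flows, key=lambda f: f["ts"])


def correlate_spa(flows, window=WINDOW_SECONDS):
    """Split PROXY_PORT flows into knock-correlated sequences and orphans.

    sequences: (src, dst, knock_ts, proxy_ts) tuples where a 443 flow from the
    same source preceded the 10443 flow within the window.
    orphans: 10443 flows with no such knock. These still merit review, because
    the advisory ties port 10443 to the implant's proxy path.
    """
    knocks = defaultdict(list)   # (src, dst) -> timestamps of 443 flows seen so far
    sequences, orphans = [], []
    for f in flows:
        key = (f["src"], f["dst"])
        if f["dport"] == TRIGGER_PORT:
            knocks[key].append(f["ts"])
        elif f["dport"] == PROXY_PORT:
            recent = [t for t in knocks[key] if 0 <= f["ts"] - t <= window]
            if recent:
                sequences.append((f["src"], f["dst"], max(recent), f["ts"]))
            else:
                orphans.append(f)
    return sequences, orphans


if __name__ == "__main__":
    seqs, orphan_flows = correlate_spa(parse_flows(SAMPLE_FLOWS))
    for src, dst, knock, proxied in seqs:
        print(f"SPA pattern: {src} -> {dst}: {TRIGGER_PORT} at {knock}, "
              f"{PROXY_PORT} at {proxied} (+{proxied - knock}s)")
    for f in orphan_flows:
        print(f"unexplained {PROXY_PORT} traffic from {f['src']} at {f['ts']}")
```

In the constructed sample, only the first source produces a correlated sequence; its later 10443 flow falls outside the window and is reported as an orphan, as is the third source's 10443 flow that had no knock at all. Tune the window to what the implant's temporary whitelist actually allows once you have observed it in your own telemetry.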
Threat Actor Profile: UNC6201 (Silk Typhoon)
| Entity | Role | Relationship |
|---|---|---|
| UNC6201 | Threat Actor | Primary operator targeting CVE-2026-22769 |
| SLAYSTYLE | Exploit Tool | Custom tool designed to exploit the Dell RecoverPoint zero-day. |
| GRIMBOLT | Backdoor | AOT-compiled C# backdoor used for high-performance persistence. |
| BRICKSTORM | Backdoor | Legacy C# backdoor often used in tandem with GRIMBOLT. |
| Silk Typhoon | Intrusion-set | Broader attribution (also known as UNC5221) targeting gov/tech sectors. |
MITRE ATT&CK Mapping
| Tactic | Technique ID | Technique Name | Description |
|---|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application | Exploitation of Tomcat Manager via hardcoded credentials. |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Modification of convert_hosts.sh for boot-time execution. |
| Evasion | T1027.002 | Software Packing | Use of UPX and Native AOT compilation to hinder analysis. |
| Lateral Movement | T1090 | Proxy | Use of iptables SPA and "Ghost NICs" for stealthy pivoting. |
Mitigation & Recommendations
- Immediate Patching: Upgrade to 6.0.3.1 HF1, 5.3 SP4 P1, or newer versions immediately to remediate the hardcoded credential risk.
- Network Isolation: Ensure RecoverPoint appliances are not exposed to the public internet — place them in isolated management VLANs with strict ingress/egress filtering.
- Persistence Hunting:
  - Audit /usr/local/ipcenter/scripts/convert_hosts.sh for unauthorized modifications.
  - Check for unauthorized WAR files in the Tomcat webapps directory.
- Virtual Infrastructure Audit: Use VMware management tools to scan for unexpected or ephemeral NICs ("Ghost NICs") attached to VMs.
- Traffic Analysis: Monitor for SPA triggers on port 443 followed by redirection to port 10443.
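The persistence-hunting steps above can be scripted so they run identically across a fleet of appliances or against acquired disk images. The following is an added example, not Dell's or the advisory's code. Only the convert_hosts.sh path comes from the advisory; the rc.local and Tomcat webapps locations, the expected-WAR baseline and the heuristic markers are assumptions to adjust for your build. The script needs a known-good SHA-256 of convert_hosts.sh recorded from a clean, patched appliance; the demo fixture constructs one in a temporary directory so the code runs offline.

```python
"""Hunt for the RecoverPoint persistence artifacts named in the advisory.

Added example, not Dell's or the advisory's code. Point hunt_persistence() at
"/" on a live appliance (as root) or at the mount point of an acquired image.
"""
import hashlib
import os
import tempfile

# Path named in the advisory (relative to the appliance root).
CONVERT_HOSTS = "usr/local/ipcenter/scripts/convert_hosts.sh"
# Assumed locations: rc.local and the Tomcat webapps directory vary by build.
RC_LOCAL = "etc/rc.local"
WEBAPPS_DIRS = ("var/lib/tomcat/webapps", "opt/tomcat/webapps")
# Assumed heuristic markers for lines that do not belong in a host-conversion script.
SUSPICIOUS_MARKERS = ("nohup", "/tmp/", "curl ", "wget ", "base64 -d", "/dev/tcp/")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt_persistence(root, baseline_sha256=None, expected_wars=frozenset({"manager.war"})):
    """Return a dict of findings for the artifacts the advisory describes."""
    findings = {"convert_hosts_modified": None, "suspicious_lines": [],
                "rc_local_invokes_script": False, "unexpected_wars": []}
    script = os.path.join(root, CONVERT_HOSTS)
    if os.path.isfile(script):
        if baseline_sha256 is not None:          # None: no baseline recorded yet
            findings["convert_hosts_modified"] = sha256_file(script) != baseline_sha256
        with open(script, errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                if any(m in line for m in SUSPICIOUS_MARKERS):
                    findings["suspicious_lines"].append(f"{lineno}: {line.rstrip()}")
    rc = os.path.join(root, RC_LOCAL)
    if os.path.isfile(rc):                       # informational: confirms the boot-time hook
        with open(rc, errors="replace") as fh:
            findings["rc_local_invokes_script"] = "convert_hosts.sh" in fh.read()
    for rel in WEBAPPS_DIRS:
        d = os.path.join(root, rel)
        if os.path.isdir(d):
            for name in sorted(os.listdir(d)):
                if name.endswith(".war") and name not in expected_wars:
                    findings["unexpected_wars"].append(name)
    return findings


def build_demo_fixture():
    """Constructed fixture: a fake appliance root with a tampered script and an extra WAR."""
    root = tempfile.mkdtemp(prefix="rp-hunt-demo-")
    script = os.path.join(root, CONVERT_HOSTS)
    os.makedirs(os.path.dirname(script))
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\n# constructed stand-in for the vendor script\n/bin/hostname > /dev/null\n")
    baseline = sha256_file(script)               # hash of the 'clean' version
    with open(script, "a") as fh:                # constructed tampering: an unexpected background launch
        fh.write("nohup /tmp/.cache/svc >/dev/null 2>&1 &\n")
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, RC_LOCAL), "w") as fh:
        fh.write("#!/bin/sh\n/usr/local/ipcenter/scripts/convert_hosts.sh\nexit 0\n")
    webapps = os.path.join(root, WEBAPPS_DIRS[0])
    os.makedirs(webapps)
    for war in ("manager.war", "update.war"):    # update.war is the constructed unexpected deployment
        open(os.path.join(webapps, war), "wb").close()
    return root, baseline


if __name__ == "__main__":
    demo_root, demo_baseline = build_demo_fixture()
    for key, value in hunt_persistence(demo_root, demo_baseline).items():
        print(f"{key}: {value}")
```

Treat a hash mismatch as the authoritative signal and the marker hits as triage hints: a patched appliance may legitimately change the script, so refresh the baseline after every vendor update. Any WAR outside the recorded baseline should be pulled for analysis rather than deleted, since it is evidence.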
Indicators & References
- Dell advisory: https://www.dell.com/support/kbdoc/en-us/000426773/dsa-2026-079
- CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22769
- Discovery Credit: https://cloud.google.com/blog/topics/threat-intelligence/unc6201-exploiting-dell-recoverpoint-zero-day
If your environment uses RecoverPoint for VMs, prioritize patching and conduct the hunting steps above immediately.