Threat Signal Report

Dell RecoverPoint for Virtual Machines Zero Day Attack

What is the Attack?	The attack involves the threat cluster UNC6201 (a suspected China-nexus Advanced Persistent Threat (APT)) actively exploiting a critical zero-day vulnerability in Dell’s RecoverPoint for Virtual Machines platform. The flaw (CVE-2026-22769) stems from hard-coded credentials embedded within the appliance, allowing unauthenticated remote attackers to gain administrative access. Because RecoverPoint is a disaster recovery and backup solution, successful exploitation gives attackers high-value access to core infrastructure systems that often sit deep inside enterprise networks. Once access is obtained, the attackers deploy web shells and custom backdoors to establish persistent control. According to reporting from Google Threat Intelligence Group, the campaign evolved from earlier BRICKSTORM malware to a newer backdoor called GRIMBOLT, indicating ongoing development and operational maturity. Because it is actively exploited in the wild and affects critical enterprise infrastructure, it represents a significant operational risk for organizations running vulnerable versions of RecoverPoint.
What is the recommended Mitigation?	• Immediately upgrade vulnerable instances of Dell RecoverPoint for Virtual Machines to the fixed release. Dell has released remediations for CVE-2026-22769, and customers are urged to follow the guidance in the official Security Advisory. DSA-2026-079: Security Update for RecoverPoint for Virtual Machines Hardcoded Credential Vulnerability \| Dell US • Restrict the network exposure of RecoverPoint appliances. Ensure the management interface is not internet-facing. • Conduct post-exploitation validation and threat hunting. Review appliance logs for unusual authentication activity.
What FortiGuard Coverage is available?	• FortiGuard Labs is actively monitoring exploitation activity associated with the UNC6201 campaign targeting Dell RecoverPoint for VM. The team continues to track evolving attacker infrastructure, tooling, and tactics, and will provide ongoing intelligence updates, newly identified indicators, and protection guidance as the situation develops. • FortiGuard Antivirus & Behavior Detection protects against known malware families associated with this activity and leverages advanced behavioral analysis to detect and block previously unseen variants, including web shells and custom backdoors deployed post-exploitation. • Indicators of Compromise (IOC) Service: FortiGuard Labs has implemented protections to block all currently known malicious indicators linked to this campaign. Continuous monitoring ensures the rapid addition of newly discovered hashes, domains, IP addresses, and behavioral artifacts. • FortiGuard Incident Response: Organizations that suspect compromise can engage the FortiGuard Incident Response team for rapid investigation, containment, forensic analysis, and remediation support to minimize operational and security impact.