Warning: Critical vulnerability in Dell RecoverPoint for Virtual Machines, Patch Immediately!

Published: 18/02/2026

    * Last Update: 18/02/2026

    * Affected products:
         → Dell RecoverPoint for Virtual Machines (all versions prior to 6.0.3.1 HF1)

    * Type: Hardcoded credential leading to Remote Code Execution (RCE)

    * CVE/CVSS:
         → CVE-2026-22769: CVSS 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Sources

Dell (Security Advisory DSA-2026-079)

Risks

Dell has disclosed a critical vulnerability (CVE-2026-22769) affecting Dell RecoverPoint for Virtual Machines versions prior to 6.0.3.1 HF1. The issue is a hardcoded credential: an unauthenticated remote attacker who knows the credential can authenticate to the appliance and gain unauthorized access, with no prior foothold required.

The vulnerability has a CVSS v3.1 base score of 10.0 (Critical). The scope-changed (S:C) rating reflects that the impact is not confined to the appliance itself but extends to the virtual infrastructure it is connected to. The vulnerability has been reported as being under active exploitation in the wild.

Successful exploitation may lead to:

  • Unauthorized access to the underlying operating system
  • Root-level persistence
  • Full compromise of confidentiality, integrity, and availability

Description

CVE-2026-22769 is caused by the presence of a hardcoded credential within Dell RecoverPoint for Virtual Machines. An unauthenticated attacker who has knowledge of this credential can authenticate to the system remotely over the network, without any user interaction and without holding any prior privileges.

Because the vulnerability is exploitable over the network and requires neither privileges nor user interaction, the barrier to exploitation is very low. Since the credential is hardcoded, no customer-side configuration change (password rotation, account lockout) removes it; only the vendor update or the vendor remediation script does.

All versions prior to 6.0.3.1 HF1 are affected, including multiple 5.3 and 6.0 service pack releases. Organizations should upgrade to version 6.0.3.1 HF1 or apply the remediation script that Dell provides in Security Advisory DSA-2026-079. Systems running older 5.3 versions must first be upgraded to a supported release before the remediation steps can be applied.
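As an added triage example (not Dell or CCB tooling), the script below takes version strings as an inventory tool might report them and decides whether each sorts before the fixed release 6.0.3.1 HF1. The accepted version-string layout (a dotted numeric core with an optional "HFn" hotfix suffix), the host names and the inventory are assumptions constructed for the example; anything it cannot parse is flagged for manual review rather than silently treated as patched, since a build without the HF1 hotfix is still affected even when its numeric version reads 6.0.3.1.

```python
"""Version triage for CVE-2026-22769: flag RecoverPoint for Virtual Machines
versions that sort before the fixed release 6.0.3.1 HF1.

Added example, not Dell or CCB tooling. The version-string layout it accepts
(a dotted numeric core with an optional "HFn" hotfix suffix, e.g. "6.0.3.1 HF1")
is an assumption about how inventory tools report the version."""
import re
from typing import List, Tuple

FIXED_VERSION = "6.0.3.1 HF1"

# Assumed layout: "6.0.3.1", "6.0.3.1 HF1" or "6.0.3.1HF1". Anything else
# (e.g. "n/a", a build hash, an unrecognised suffix) is rejected.
_VERSION_RE = re.compile(r"^\s*(?P<nums>\d+(?:\.\d+)*)(?:\s*[Hh][Ff](?P<hf>\d+))?\s*$")


def parse_version(text: str) -> Tuple[Tuple[int, ...], int]:
    """Return (numeric components padded to 4, hotfix number) for ordering.

    A release without a hotfix suffix gets hotfix 0, so "6.0.3.1" sorts
    strictly before "6.0.3.1 HF1", which is exactly the boundary the
    advisory draws."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in m.group("nums").split("."))
    nums = nums + (0,) * (4 - len(nums))  # "6.0" compares like "6.0.0.0"
    hotfix = int(m.group("hf") or 0)
    return nums, hotfix


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is strictly older than the fixed release."""
    return parse_version(version) < parse_version(fixed)


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, bool]]:
    """Label each (host, version) pair. Unparseable versions are reported as
    affected so they get a manual look instead of being assumed patched."""
    result = []
    for host, version in inventory:
        try:
            affected = is_affected(version)
        except ValueError:
            affected = True
        result.append((host, version, affected))
    return result


# Constructed sample inventory; the host names are not real systems.
SAMPLE_INVENTORY = [
    ("rp4vm-01", "5.3.0.1"),      # old 5.3 line: affected, upgrade first
    ("rp4vm-02", "6.0.3.1"),      # fixed numeric core but no HF1: still affected
    ("rp4vm-03", "6.0.3.1 HF1"),  # fixed release
    ("rp4vm-04", "6.0.3.1HF1"),   # same, without the space
    ("rp4vm-05", "n/a"),          # unparseable: flagged for manual review
]

if __name__ == "__main__":
    for host, version, affected in triage(SAMPLE_INVENTORY):
        print(f"{host:10} {version:14} {'AFFECTED' if affected else 'not affected'}")
```

The ordering puts a hotfix strictly after the plain release it patches, which is the only ordering the advisory needs; if your inventory reports service-pack names or other suffixes, extend the regular expression deliberately rather than letting those rows fall into the "affected" bucket by default.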

Mandiant and Google Threat Intelligence Group (GTIG) have identified a threat actor (UNC6201) exploiting the vulnerability for lateral movement and persistent access, deploying malware such as BRICKSTORM, SLAYSTYLE, and the newer GRIMBOLT backdoor.

Beyond exploiting the Dell appliance itself, Mandiant observed the actor employing novel tactics to pivot into the VMware virtual infrastructure the appliance is attached to, including the creation of "Ghost NICs" for stealthy network pivoting and the use of iptables for Single Packet Authorization (SPA) to hide backdoor listeners. Urgent patching is advised.

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.

Monitor/Detect
The CCB recommends organizations increase monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion. Given the observed tradecraft, attention should go to unexpected outbound connections from RecoverPoint appliances, unexplained virtual NICs appearing in the vSphere environment, and changes to firewall (iptables) rules on the appliances.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/cert/report-incident.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise. Because the vulnerability was exploited in the wild before the fix was available, organizations should check patched appliances and the connected VMware infrastructure for signs of prior compromise rather than assume a patched system is clean.

References

NVD - https://nvd.nist.gov/vuln/detail/CVE-2026-22769
Google - https://cloud.google.com/blog/topics/threat-intelligence/unc6201-exploiting-dell-recoverpoint-zero-day