
Dell RecoverPoint CVE-2026-22769: Ghost NICs, Backdoors

June 1, 2026 · 8 min read · By William

A CVSS 10.0 hardcoded credential flaw in Dell RecoverPoint for Virtual Machines (CVE-2026-22769) gave China-linked APT group UNC6201 root-level access to enterprise backup infrastructure since mid-2024. The attackers deployed three distinct malware families and pioneered “Ghost NIC” lateral movement through VMware environments. Dell patched the flaw in February 2026, but the 18-month dwell time raises hard questions about visibility into backup appliances.

Key Facts

CVE: CVE-2026-22769
CVSS: 10.0 (Critical)
Product: Dell RecoverPoint for Virtual Machines (RP4VMs)
Vulnerable Versions: All versions prior to 6.0.3.1 HF1
Root Cause: Hardcoded Tomcat Manager credentials (CWE-798)
Threat Actor: UNC6201 (suspected China-nexus APT)
Active Exploitation: Since at least mid-2024
Patch: DSA-2026-079, February 17, 2026
Reporter: Peter Ukhanov, Google/Mandiant

The Hardcoded Credential

The vulnerability is straightforward and that is what makes it dangerous. Dell RecoverPoint for VMs ships with default administrative credentials baked into the Apache Tomcat configuration file at /home/kos/tomcat9/tomcat-users.xml. Any attacker who discovers this path — and nation-state actors are good at discovery — can authenticate to the Tomcat Manager interface without touching a single exploit mitigation.

Once authenticated, UNC6201 sent a standard PUT request to /manager/text/deploy to upload a malicious WAR archive. The Tomcat service runs as root, so the deployed web shell inherited full system privileges. No privilege escalation required, no memory corruption to trigger, no race condition to win. Just a password that should never have been there, per Mandiant’s technical analysis.

Dell’s advisory DSA-2026-079 describes the impact plainly: an unauthenticated remote attacker can gain unauthorized access to the underlying operating system and establish root-level persistence. The CVSS vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H confirms network-reachable, low complexity, no privileges, no user interaction, with complete system scope change.
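A defender-side check for the root cause, added here as an example and not Dell's or Mandiant's code: it parses a file in the tomcat-users.xml format (the format of /home/kos/tomcat9/tomcat-users.xml) and reports every account that holds a Manager or admin role, which is exactly what a backup appliance should not be carrying. The sample XML, account names and passwords below are constructed placeholders, not the credentials from the advisory.

```python
import xml.etree.ElementTree as ET

# Roles that open the Tomcat Manager application. An account holding any of them
# can deploy a WAR, which is the primitive the RecoverPoint intrusions used.
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                 "manager-status", "admin-gui", "admin-script"}

# Constructed sample in the shape of a tomcat-users.xml; names and passwords are
# placeholders for this example, not the credentials from the advisory.
SAMPLE_TOMCAT_USERS = """\
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-script"/>
  <role rolename="viewer"/>
  <user username="appliance-admin" password="PLACEHOLDER" roles="manager-script, manager-gui"/>
  <user username="readonly" password="PLACEHOLDER" roles="viewer"/>
</tomcat-users>
"""

def manager_accounts(xml_text: str) -> list[dict]:
    """Return each <user> holding a Manager/admin role and the roles involved.
    Works for the namespaced file Tomcat ships and for older un-namespaced ones."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] != "user":   # drop any XML namespace prefix
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        hit = sorted(roles & MANAGER_ROLES)
        if hit:
            findings.append({"username": el.get("username", el.get("name", "?")),
                             "manager_roles": hit,
                             "password_in_file": el.get("password") is not None})
    return findings

def audit_file(path: str) -> list[dict]:
    """Audit a tomcat-users.xml on disk, e.g. /home/kos/tomcat9/tomcat-users.xml."""
    with open(path, encoding="utf-8") as fh:
        return manager_accounts(fh.read())

if __name__ == "__main__":
    for f in manager_accounts(SAMPLE_TOMCAT_USERS):
        print(f"{f['username']}: {', '.join(f['manager_roles'])}"
              + (" [password stored in file]" if f["password_in_file"] else ""))
```

An empty result on a patched appliance is the expected state; any hit is a finding to raise with the vendor or remove.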

The Malware: Three Stages

UNC6201 did not just drop a single tool and move on. The group deployed a layered malware stack, each component serving a distinct purpose in the intrusion pipeline.

SLAYSTYLE — The Initial Foothold

A WAR-based web shell deployed through the Tomcat Manager exploit. SLAYSTYLE provides persistent remote command execution on the compromised appliance. It was found in both Dell RecoverPoint and VMware vCenter environments, suggesting UNC6201 reuses the same tooling across virtualization targets, according to SecPod’s analysis.

BRICKSTORM — Reconnaissance Backdoor

A Go-based backdoor used for persistent access and infrastructure reconnaissance. Mandiant identified multiple BRICKSTORM binaries on compromised appliances, establishing long-term command and control over the backup infrastructure.

GRIMBOLT — The Replacement

In September 2025, UNC6201 replaced BRICKSTORM with GRIMBOLT, a more sophisticated C# backdoor compiled using .NET Native AOT and packed with UPX. The AOT compilation serves two purposes: it improves performance on resource-constrained appliances and strips Common Intermediate Language (CIL) metadata, making static analysis significantly harder. GRIMBOLT communicates with its C2 server via WebSocket at wss://149.248.11.71/rest/apisession, blending into normal HTTPS traffic as SOC Prime reported.

Persistence was achieved by modifying the legitimate shell script /home/kos/kbox/src/installation/distribution/convert_hosts.sh, which executes at boot via rc.local. A modified system script that launches a backdoor on every restart is brutally effective on appliances where administrators rarely inspect startup scripts.

Ghost NICs and VMware Lateral Movement

The most novel tactic in this campaign is what Mandiant calls “Ghost NICs.” After compromising a RecoverPoint appliance, UNC6201 created temporary virtual network ports on VMware ESXi hosts. These ephemeral interfaces allowed the attackers to pivot from the backup appliance into broader internal networks and toward SaaS infrastructure — without creating persistent virtual switches that might trigger alerts.

On compromised vCenter appliances, the actors deployed iptables rules implementing Single Packet Authorization (SPA). The mechanism works in four steps:

  1. Monitor port 443 for a specific hex string in incoming traffic
  2. Add the matching source IP to an approved list
  3. Allow that IP to connect to port 10443 (the hidden backdoor port)
  4. Redirect port 443 traffic to port 10443 for approved IPs, valid for 300 seconds

This is port knocking evolved. The SPA rules make the backdoor invisible to port scans unless the attacker sends the correct knock sequence. Security teams scanning their vCenter appliances on port 443 would see normal HTTPS — the malicious listener only activates for authenticated sources.
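A detection-side view of the SPA pattern described above, added as an example (not Mandiant's or Dell's tooling): it parses iptables-save output and flags rules that redirect the HTTPS port elsewhere, rules that keep a time-limited allow list via the recent match, and payload string matching on the HTTPS port. The rule text below is constructed to show the shape of such a gate and is not copied from the campaign.

```python
import shlex

# Constructed iptables-save excerpt for this example (not rules recovered from the
# campaign). The first two rules show the shape of a knock-gated redirect; the
# last is an ordinary HTTPS allow that must not be flagged.
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -m recent --rcheck --seconds 300 --name gate --rsource -j REDIRECT --to-ports 10443
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 10443 -m recent --rcheck --seconds 300 --name gate --rsource -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""

def _opt(tokens, flag):
    """Value following a flag in a rule, or None if the flag is absent."""
    try:
        return tokens[tokens.index(flag) + 1]
    except (ValueError, IndexError):
        return None

def _uses_match(tokens, name):
    """True if the rule loads the given match extension via '-m <name>'."""
    return any(a == "-m" and b == name for a, b in zip(tokens, tokens[1:]))

def suspicious_rules(save_text: str, https_port: str = "443") -> list[dict]:
    """Flag rules matching the SPA pattern: string match on the HTTPS port, a
    'recent' allow list with a lifetime, or a REDIRECT/DNAT of the HTTPS port."""
    findings = []
    for line in save_text.splitlines():
        if not line.startswith("-A "):
            continue
        t = shlex.split(line)
        dport, target, reasons = _opt(t, "--dport"), _opt(t, "-j"), []
        if dport == https_port and target in ("REDIRECT", "DNAT"):
            dest = _opt(t, "--to-ports") or _opt(t, "--to-destination")
            reasons.append(f"{target} of port {dport} to {dest}")
        if _uses_match(t, "recent"):
            reasons.append(f"recent-match allow list (seconds={_opt(t, '--seconds')})")
        if _uses_match(t, "string") and dport == https_port:
            reasons.append("payload string match on HTTPS port")
        if reasons:
            findings.append({"rule": line, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in suspicious_rules(SAMPLE_IPTABLES_SAVE):
        print("; ".join(f["reasons"]), "<=", f["rule"])
```

On a vCenter or RecoverPoint appliance a clean ruleset should produce no output from this check; compare against a known-good appliance of the same version before treating a hit as confirmed.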

Why Backup Appliances Stay Invisible

Dell RecoverPoint for Virtual Machines sits in an uncomfortable blind spot in most security architectures. It is infrastructure that is critical enough to touch every VM in the environment, yet peripheral enough that nobody installs EDR agents on it. Mandiant’s Charles Carmakal flagged this directly: nation-state actors consistently target systems that do not support EDR solutions, which significantly prolongs intrusion dwell times, as noted in his LinkedIn analysis.

The numbers tell the story. UNC6201 exploited this vulnerability since at least mid-2024. Dell did not patch until February 2026. That is roughly 18 months of unimpeded access to enterprise backup infrastructure for any organization running an unpatched version. The actors had time to map environments, stage payloads, and establish redundant persistence mechanisms.

This is not unique to Dell. Backup and disaster recovery appliances from every major vendor share the same characteristics: embedded operating systems, limited monitoring interfaces, elevated privileges across the virtualization layer, and patching cycles that compete with uptime requirements. FortiGuard’s threat signal on this campaign notes that UNC6201 specifically targets edge appliances and infrastructure systems — precisely because they sit outside the standard detection perimeter. IBM’s latest X-Force report confirms cloud application exploitation surged 44% in 2026, with identity exposure and weak administrative practices driving the trend.

The lesson is structural. If your threat model includes nation-state actors — and for any organization with virtualization infrastructure, it should — backup appliances need the same scrutiny as domain controllers and VPN concentrators. Network segmentation alone does not solve this when the appliance inherently requires broad access to the virtualization layer.

Immediate Actions Required

If your organization runs Dell RecoverPoint for Virtual Machines, treat this as an active incident rather than a routine patch cycle. The remediation priority order matters.

Step 1: Determine exposure. Identify all RecoverPoint for VMs instances and their firmware versions. Anything below 6.0.3.1 HF1 is vulnerable. Check Dell’s advisory DSA-2026-079 for the full list of affected versions, including the 5.3 branch.

Step 2: Hunt for compromise before patching. If the appliance was exposed to the internet or an untrusted network segment, assume compromise. Check the following artifacts:

  • Tomcat Manager logs at /home/kos/auditlog/fapi_cl_audit_log.log for requests to /manager
  • WAR deployment directories at /var/lib/tomcat9 and /var/cache/tomcat9/Catalina
  • The persistence script at /home/kos/kbox/src/installation/distribution/convert_hosts.sh for unauthorized modifications
  • Catalina logs in /var/log/tomcat9/ for deployWAR events
  • Network connections to 149.248.11.71 or anomalous WebSocket traffic
  • iptables rules redirecting port 443 to non-standard ports
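An added example for the hunt in Step 2, not Dell's remediation script or Mandiant's tooling: it scans Tomcat access-log lines for requests to the Manager application and Catalina log lines for deployWAR events, reporting archives that are not on an allow list. All log lines are constructed; the page does not give the exact format of /home/kos/auditlog/fapi_cl_audit_log.log, so the access-log parser assumes Tomcat's standard common format, and KNOWN_WARS is a placeholder to be built from a known-good appliance.

```python
import re
from datetime import datetime

# Tomcat common access-log format: host ident user [time] "method path proto" status bytes
ACCESS_RE = re.compile(r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
                       r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Catalina log line written by HostConfig.deployWAR when an archive is deployed
DEPLOY_RE = re.compile(r'^(?P<time>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) '
                       r'.*deployWAR Deploying web application archive \[(?P<war>[^\]]+)\]')

# Constructed sample lines, not from any real incident. The second access-log
# line has the shape of a Manager upload; the rest is ordinary appliance traffic.
SAMPLE_ACCESS_LOG = """\
10.20.0.15 - - [01/Jun/2026:10:14:02 +0000] "GET /fapi/rest/5_1/system HTTP/1.1" 200 812
203.0.113.44 - admin [01/Jun/2026:10:15:32 +0000] "PUT /manager/text/deploy?path=/ws&update=true HTTP/1.1" 200 41
10.20.0.15 - - [01/Jun/2026:10:16:10 +0000] "GET /fapi/rest/5_1/stats HTTP/1.1" 200 3301
"""
SAMPLE_CATALINA_LOG = """\
01-Jun-2026 09:00:01.005 INFO [main] org.apache.catalina.startup.HostConfig.deployWAR Deploying web application archive [/var/lib/tomcat9/webapps/fapi.war]
01-Jun-2026 10:15:33.120 INFO [http-nio-443-exec-3] org.apache.catalina.startup.HostConfig.deployWAR Deploying web application archive [/var/lib/tomcat9/webapps/ws.war]
"""
# Placeholder allow list; build the real one from a known-good appliance of the same version.
KNOWN_WARS = {"fapi.war"}

def manager_requests(access_log: str) -> list[dict]:
    """Every request that reached the Tomcat Manager application, whatever its status."""
    hits = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if m and m["path"].startswith("/manager"):
            hits.append({"src": m["src"], "user": m["user"], "method": m["method"],
                         "path": m["path"], "status": int(m["status"]),
                         "time": datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")})
    return hits

def unexpected_wars(catalina_log: str, known=KNOWN_WARS) -> list[dict]:
    """deployWAR events for archives that are not on the allow list."""
    hits = []
    for line in catalina_log.splitlines():
        m = DEPLOY_RE.match(line)
        if m and m["war"].rsplit("/", 1)[-1] not in known:
            hits.append({"war": m["war"],
                         "time": datetime.strptime(m["time"], "%d-%b-%Y %H:%M:%S.%f")})
    return hits

if __name__ == "__main__":
    for h in manager_requests(SAMPLE_ACCESS_LOG):
        print(f"MANAGER {h['time']:%Y-%m-%d %H:%M} {h['src']} {h['method']} {h['path']} -> {h['status']}")
    for w in unexpected_wars(SAMPLE_CATALINA_LOG):
        print(f"UNEXPECTED WAR {w['time']:%Y-%m-%d %H:%M} {w['war']}")
```

A Manager request and a deployWAR event within seconds of each other, as in the sample, is the sequence to correlate with the WAR directories and convert_hosts.sh timestamps listed above.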

Step 3: Patch or apply remediation script. Upgrade to version 6.0.3.1 HF1. Organizations on the 5.3 branch must first migrate to 6.0 SP3, then upgrade. Dell also provides a standalone remediation script for environments where a full upgrade is not immediately feasible.

Step 4: Verify network isolation. Dell explicitly states that RecoverPoint for VMs should be deployed within a trusted, access-controlled internal network. If your instances are reachable from untrusted networks, re-architect the network segmentation immediately.

Step 5: Extend monitoring to backup infrastructure. Deploy network-based detection covering Tomcat Manager access patterns, anomalous WAR deployments, and unexpected outbound connections from backup appliances. Log forwarding from RecoverPoint to your SIEM is not optional.

The Bigger Picture

UNC6201 shows overlaps with UNC5221, the cluster behind the Ivanti VPN zero-day campaigns publicly attributed to Silk Typhoon. While Mandiant does not consider them identical, the shared focus on edge and infrastructure appliances is a clear pattern. These groups are not hunting for zero-days in web browsers or office suites. They target the systems that sit between network segments — VPN concentrators, backup appliances, virtualization managers — because those systems provide lateral movement paths that EDR cannot see. The recent Exchange OWA zero-day CVE-2026-42897 and the BlueHammer Defender zero-day follow the same pattern of infrastructure-level targeting.

CVE-2026-22769 also reinforces a hard truth about hardcoded credentials. This is not a sophisticated vulnerability in the cryptographic sense. It is a deployment hygiene failure that gave an APT group root access to backup infrastructure for 18 months. The sophistication lies entirely in the post-exploitation: Ghost NICs, SPA-based port knocking, Native AOT-compiled malware designed to evade analysis on constrained hardware.

The fix is applied. The question for defenders is whether the fix came soon enough, and whether your backup appliances have been silently owned since 2024.
