Critical Zero-Day in Dell RecoverPoint for VMs: Chinese APT Exploits Hardcoded Credentials for Root Access Since 2024 + Video

Listen to this Post

Featured Image

Introduction

A maximum-severity zero-day vulnerability (CVE-2026-22769) in Dell RecoverPoint for Virtual Machines has been under active exploitation by suspected Chinese threat group UNC6201 since mid-2024, according to joint research from Google Mandiant and Google Threat Intelligence Group. The flaw, carrying a perfect CVSS score of 10.0, stems from hardcoded credentials in the Apache Tomcat Manager that allow unauthenticated remote attackers to execute arbitrary code with root privileges, effectively compromising the last line of defense for VMware environments . This incident exposes the critical risk of “set-and-forget” security models for disaster recovery infrastructure, where trusted backup systems become primary attack vectors.

Learning Objectives

  • Understand the technical mechanics of CVE-2026-22769 and how hardcoded credentials enable unauthenticated remote code execution
  • Analyze the attack chain from initial compromise to lateral movement using Ghost NICs and SLAYSTYLE web shells
  • Master detection and mitigation techniques, including log auditing, network segmentation, and patch management
  • Learn to identify indicators of compromise (IOCs) associated with BRICKSTORM and GRIMBOLT backdoors

You Should Know

1. Vulnerability Deep Dive: CVE-2026-22769 Technical Analysis

The vulnerability resides in Dell RecoverPoint for Virtual Machines versions prior to 6.0.3.1 HF1, where hardcoded administrative credentials are embedded within the Apache Tomcat Manager configuration . Attackers with knowledge of these credentials can authenticate to the Tomcat Manager interface and deploy malicious Web Application Archive (WAR) files via the `/manager/text/deploy` endpoint .

Affected versions include:

  • 5.3 SP4 P1
  • 6.0, 6.0 SP1, 6.0 SP1 P1, 6.0 SP1 P2
  • 6.0 SP2, 6.0 SP2 P1
  • 6.0 SP3, 6.0 SP3 P1

Exploitation Path:

1. Attacker accesses Tomcat Manager using hardcoded credentials found in /home/kos/tomcat9/tomcat-users.xml
2. WAR file deployed via PUT request: /manager/text/deploy?path=/malicious&update=true
3. Deployed web shell accessible at /malicious/
4. Attacker achieves root-level command execution

Forensic Evidence:

Investigators found suspicious requests in `/home/kos/auditlog/fapi_cl_audit_log.log` targeting Tomcat Manager endpoints. Deployed WAR files were located in /var/lib/tomcat9, with compiled artifacts in `/var/cache/tomcat9/Catalina` .

Step-by-Step Detection Commands (Linux):

 Check Tomcat logs for unauthorized deployments
sudo grep -r "deploy" /var/log/tomcat9/catalina.out
sudo grep -r "manager/text/deploy" /home/kos/auditlog/fapi_cl_audit_log.log

Examine Tomcat users for hardcoded credentials
sudo cat /home/kos/tomcat9/tomcat-users.xml

List recently deployed WAR files
sudo ls -la /var/lib/tomcat9/webapps/
sudo find /var/cache/tomcat9/Catalina -type f -mtime -30

Windows Equivalents (if managing from Windows):

 Using Plink to execute remote commands on affected appliances
plink user@recoverpoint-appliance "sudo grep deploy /var/log/tomcat9/catalina.out"

Using WinSCP to retrieve log files for analysis
winscp.com /command "open sftp://user@recoverpoint-appliance" "get /var/log/tomcat9/catalina.out C:\logs\" "exit"
  1. Attack Chain: From Zero-Day to Full Environment Compromise

The exploitation campaign by UNC6201 demonstrates sophisticated multi-stage attack methodology. Initial access leverages CVE-2026-22769 to deploy the SLAYSTYLE web shell, followed by installation of BRICKSTORM backdoor, later upgraded to GRIMBOLT in September 2025 .

Malware Evolution:

  • SLAYSTYLE: JSP-based web shell for command execution
  • BRICKSTORM: Linux backdoor for persistent access
  • GRIMBOLT: C-written backdoor using native AOT compilation, packed with UPX for stealth

Persistence Mechanism:

Attackers modified legitimate system script /home/kos/kbox/src/installation/distribution/convert_hosts.sh, appending backdoor execution paths. This script runs at boot via rc.local, ensuring persistent access .

Detection Commands:

 Check modified system scripts
sudo grep -r "GRIMBOLT|BRICKSTORM" /home/kos/kbox/src/
sudo cat /etc/rc.local
sudo cat /home/kos/kbox/src/installation/distribution/convert_hosts.sh

Check for unusual processes
sudo ps aux | grep -E "tomcat|java|httpd"
sudo netstat -tlnp | grep -E ":8080|:8443|:10443"

3. Ghost NICs: Novel Lateral Movement Technique

UNC6201 introduced “Ghost NICs”—temporary virtual network interfaces created on VMware ESXi servers to facilitate stealthy lateral movement . This technique evades traditional endpoint detection by using ephemeral network configurations that leave no permanent trace.

How Ghost NICs Work:

1. Attackers compromise vCenter or ESXi hosts

  1. Temporary VMkernel ports created on existing virtual machines

3. Network traffic redirected through these phantom interfaces

4. Interfaces destroyed after use, eliminating forensic evidence

Detection Commands (ESXi Shell):

 List all VMkernel network interfaces
esxcli network ip interface list

Check for recently added interfaces
esxcfg-vmknic -l
grep -r "vmk" /var/log/vmkernel.log

Monitor virtual machine network changes
esxcli vm process list
vim-cmd vmsvc/getallvms | while read id name; do 
echo "VM: $name"
vim-cmd vmsvc/device.getdevices $id | grep -A10 VirtualEthernet
done

PowerCLI (Windows-based VMware management):

 Connect to vCenter
Connect-VIServer vcenter.domain.com

Get all virtual machines and their network adapters
Get-VM | Get-NetworkAdapter | Select Parent, Name, NetworkName, Type

Check for unusual network configurations
Get-VM | Where-Object {$<em>.ExtensionData.Config.Hardware.Device |
Where-Object {$</em>.DeviceInfo.Label -match "temp|ghost|tmp"}}

4. iptables Single Packet Authorization (SPA) Evasion

The SLAYSTYLE web shell implemented sophisticated iptables rules enabling Single Packet Authorization—allowing only specific attackers to access hidden services .

Observed iptables Configuration:

 Rules that redirect traffic containing specific HEX string
iptables -t nat -A PREROUTING -p tcp --dport 443 -m string --string "HEXSTRING" --algo bm -j REDIRECT --to-port 10443

Temporary IP whitelisting
iptables -A INPUT -p tcp --dport 10443 -s $ATTACKER_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 10443 -j DROP

Audit Existing iptables Rules:

 List all NAT rules
sudo iptables -t nat -L -n -v

List all filter rules
sudo iptables -L -n -v

Check for unusual string matching rules
sudo iptables-save | grep -i "string"

Monitor for newly added rules
sudo auditctl -w /sbin/iptables -p wa -k iptables_changes
sudo ausearch -k iptables_changes

Windows Equivalent (if monitoring network appliances):

 Use Plink to check iptables on remote appliance
plink user@recoverpoint-appliance "sudo iptables-save | findstr string"

5. Hardening Dell RecoverPoint for Virtual Machines

Based on Dell’s security advisory DSA-2026-079 and Mandiant’s recommendations, immediate hardening measures are required .

Immediate Remediation:

  1. Upgrade to patched version: 6.0.3.1 HF1 or later

2. If patching impossible: Apply Dell’s remediation script

  1. Network isolation: Ensure management interfaces are not internet-facing

Step-by-Step Hardening Commands:

 Apply remediation script (if provided by Dell)
sudo ./rp4vm_security_update.sh --apply CVE-2026-22769

Change Tomcat Manager credentials
sudo sed -i 's/username="admin"/username="newadmin"/g' /home/kos/tomcat9/tomcat-users.xml
sudo sed -i 's/password="."/password="STR0NG-P@SSW0RD"/g' /home/kos/tomcat9/tomcat-users.xml

Restrict Tomcat Manager access
sudo cat >> /home/kos/tomcat9/webapps/manager/META-INF/context.xml << EOF
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="192.168.1.\d+|10.10.\d+.\d+" denyStatus="404"/>
EOF

Restart Tomcat
sudo systemctl restart tomcat9

Network Segmentation (Firewall Rules):

 Block external access to management interfaces
iptables -A INPUT -i eth0 -p tcp --dport 8080 -j DROP  Tomcat HTTP
iptables -A INPUT -i eth0 -p tcp --dport 8443 -j DROP  Tomcat HTTPS
iptables -A INPUT -i eth0 -p tcp --dport 22 -j DROP  SSH
iptables -A INPUT -i eth1 -p tcp --dport 8080 -s 10.0.0.0/8 -j ACCEPT  Internal mgmt only

6. Indicators of Compromise and Threat Hunting

Mandiant and GTIG released comprehensive IOCs for tracking UNC6201 activity .

File Hashes:

GRIMBOLT Backdoor:

– `24a11a26a2586f4fba7bfe89df2e21a0809ad85069e442da98c37c4add369a0c` (support)
– `dfb37247d12351ef9708cb6631ce2d7017897503657c6b882a711c0da8a9a591` (out_elf_2)

SLAYSTYLE Web Shell:

– `92fb4ad6dee9362d0596fda7bbcfe1ba353f812ea801d1870e37bfc6376e624a` (default_jsp.java)

BRICKSTORM:

– `aa688682d44f0c6b0ed7f30b981a609100107f2d414a3a6e5808671b112d1878`
– `2388ed7aee0b6b392778e8f9e98871c06499f476c9e7eae6ca0916f827fe65df` (splisten)

Network Indicators:

  • C2 IP: `149.248.11.71`
    – C2 Endpoint: `wss://149.248.11.71/rest/apisession`

YARA Rules:

rule G_APT_BackdoorToehold_GRIMBOLT_1 { ... }
rule G_Hunting_BackdoorToehold_GRIMBOLT_1 { ... }
rule G_APT_BackdoorWebshell_SLAYSTYLE_4 { ... }

Threat Hunting Commands:

 File integrity checking
find / -type f -exec sha256sum {} \; | grep -f ioc_hashes.txt

Network connection monitoring
netstat -anp | grep 149.248.11.71
tcpdump -i any -n host 149.248.11.71

Process memory analysis
sudo grep -r "GRIMBOLT" /proc//maps 2>/dev/null
sudo lsof -i @149.248.11.71

7. Windows-Based Management and Monitoring

For organizations managing Dell RecoverPoint from Windows environments, these PowerShell commands facilitate monitoring:

 SSH into appliance and run commands
$session = New-SSHSession -ComputerName recoverpoint-appliance -Credential (Get-Credential)
Invoke-SSHCommand -SessionId $session.SessionId -Command "sudo grep deploy /var/log/tomcat9/catalina.out"

Monitor for suspicious WAR deployments
$warFiles = Invoke-SSHCommand -SessionId $session.SessionId -Command "ls -la /var/lib/tomcat9/webapps/"
if ($warFiles.Output -match ".war") {
Write-Warning "Suspicious WAR files detected"
}

Check running processes
$processes = Invoke-SSHCommand -SessionId $session.SessionId -Command "ps aux | grep -E 'tomcat|java'"
$processes.Output

Close session
Remove-SSHSession -SessionId $session.SessionId

What Undercode Say

The CVE-2026-22769 incident fundamentally challenges our trust in infrastructure components. Dell RecoverPoint, designed as a failsafe for VMware environments, became the attack vector—a devastating irony that underscores how disaster recovery systems must be treated with the same scrutiny as production systems. The hardcoded credential vulnerability, basic in nature yet catastrophic in impact, reveals that even enterprise-grade solutions from major vendors can harbor elementary security flaws.

The sophistication of UNC6201’s post-exploitation techniques—Ghost NICs, SLAYSTYLE web shells, GRIMBOLT backdoors, and iptables-based SPA—demonstrates that threat actors have matured beyond simple ransomware deployment. They are building persistent, stealthy footholds in virtualization layers, the very fabric of modern data centers. The 18-month undetected presence period is particularly alarming, suggesting that current monitoring tools and practices are inadequate for detecting threats that operate at the infrastructure level.

Organizations must recognize that backup and disaster recovery systems are now prime targets. These systems hold the keys to kingdom: credentials, access to all protected VMs, and the ability to restore or destroy data. The “set-and-forget” mentality for backup infrastructure is obsolete. Continuous monitoring, rigorous patch management, and strict network segmentation for management interfaces are no longer optional—they’re survival requirements in the current threat landscape.

Key Takeaways

Backup Systems Are Critical Attack Surfaces: Disaster recovery infrastructure must be treated as crown jewel assets with corresponding security controls, not forgotten components gathering dust in network corners.

Network Segmentation Is Non-Negotiable: Management interfaces for infrastructure appliances must never be exposed to production networks or the internet. The incident would have been impossible if RecoverPoint management were properly isolated.

Prediction

The exploitation of CVE-2026-22769 signals a strategic shift in APT targeting. Threat actors are moving upstream in the attack chain, compromising the systems designed to restore operations rather than just encrypting data. We predict that within the next 12-18 months, we will see similar zero-day vulnerabilities discovered in other major backup and disaster recovery platforms (Veeam, CommVault, Veritas) as researchers and attackers alike recognize these systems as high-value targets.

Furthermore, the Ghost NICs technique will likely be adopted by other threat groups and may evolve into “phantom infrastructure”—temporary, auto-deployed network assets that exist only for the duration of an attack campaign. This will force security teams to develop new detection methodologies focused on ephemeral changes rather than persistent indicators.

The attribution to UNC6201/UNC5221, with potential links to Silk Typhoon (APT27), suggests state-sponsored interest in VMware infrastructure. As organizations continue virtualizing critical workloads, expect increased targeting of hypervisors, vCenters, and virtualization management tools. The next major cyber conflict may be fought not at the application layer, but in the virtualization layer where all applications converge.

References

  • CVE-2026-22769 Detail
  • CSO Online: Chinese hackers exploited zero-day Dell flaw for 1.5 years
  • ThaiCERT: APT Exploits Dell Zero-Day Vulnerability
  • CISO Advisor: APT explora falha crítica em sistema Dell
  • The Cyber Express: Zero-Day in Dell RecoverPoint Exploited
  • Dell Support: Security Scans May Detect Default Plain Text Credentials

▶️ Related Video (74% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Omar Eldeeb – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky