CVE-2026-22769: Critical Dell RecoverPoint Zero-Day Exploited in the Wild
ID: e59305c8-8fa7-5d79-8f69-310ac5f079c3
STIX ID: report--e59305c8-8fa7-5d79-8f69-310ac5f079c3
Feed Name: SOC Prime Blog
Researchers (Mandiant and Google TIG) and vendor advisories confirm active exploitation of CVE-2026-22769, a CVSS 10.0 hardcoded-credential flaw in Dell RecoverPoint for Virtual Machines, by a China-linked cluster (UNC6201) since mid-2024. Attackers used Tomcat Manager access to deploy a WAR containing the SLAYSTYLE web shell, achieved root persistence, deployed backdoors (BRICKSTORM, later GRIMBOLT), and moved laterally inside VMware environments using hidden virtual NICs. Dell recommends upgrading to 6.0.3.1 HF1 or applying a vendor remediation script.
