Zero-day in Dell RecoverPoint for Virtual Machines (CVE-2026-22769)

Feb. 20, 2026, 1:14 p.m.

Description

A critical zero-day vulnerability in Dell RecoverPoint for Virtual Machines has been discovered and actively exploited. The flaw, identified as CVE-2026-22769, allows attackers to gain root-level access on affected systems. China-linked threat actor UNC6201 has been leveraging this vulnerability in targeted intrusions since mid-2024, deploying custom backdoors like GRIMBOLT and BRICKSTORM for persistence and further compromise. The vulnerability affects versions prior to 6.0.3.1 HF1. Organizations are urged to apply the security patch immediately or use the provided remediation script if patching is not possible. Detection indicators for the malware and network traffic have been provided to help identify potential compromises.

Date

  • Created: Feb. 19, 2026, 8:16 p.m.
  • Published: Feb. 19, 2026, 8:16 p.m.
  • Modified: Feb. 20, 2026, 1:14 p.m.

Indicators


Attack Patterns

  • SLAYSTYLE
  • BRICKSTORM
  • GRIMBOLT
  • UNC6201

Linked vulnerabilities