
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-22769: Rooting Recovery: The Dell RP4VMs Hardcoded Horror Show

Vulnerability ID: CVE-2026-22769
CVSS Score: 10.0
Published: 2026-02-17

In a twist of irony that would make Alanis Morissette cringe, Dell's RecoverPoint for Virtual Machines (RP4VMs)—a tool designed to save you from disasters—became the disaster itself. For nearly two years, a hardcoded administrative credential in the Apache Tomcat configuration allowed the China-nexus threat group UNC6201 to treat these appliances like an Airbnb. This isn't a complex buffer overflow or a race condition; it's a 'user=admin, password=password' scenario on a critical infrastructure component, leading to a perfect CVSS 10.0 score and full root compromise.

TL;DR

Dell RecoverPoint for VMs shipped with hardcoded admin credentials in its Tomcat Manager configuration. Threat actor UNC6201 exploited this 0-day for two years to deploy web shells (SLAYSTYLE) and backdoors (BRICKSTORM), gaining root access and lateral movement capabilities. Patch immediately to version 6.0.3.1 HF1.

⚠️ Exploit Status: ACTIVE

Technical Details

  • CWE: CWE-798 (Hardcoded Credentials)
  • CVSS v3.1: 10.0 (Critical)
  • Attack Vector: Network (AV:N)
  • Privileges Required: None (PR:N)
  • Exploit Status: Active Exploitation (Zero-Day)
  • Threat Actor: UNC6201 (China-Nexus)

Affected Systems

  • Dell RecoverPoint for Virtual Machines 6.0
  • Dell RecoverPoint for Virtual Machines 6.0 SP1
  • Dell RecoverPoint for Virtual Machines 6.0 SP2
  • Dell RecoverPoint for Virtual Machines 6.0 SP3
  • Dell RecoverPoint for Virtual Machines 5.3 SP4
  • RecoverPoint for Virtual Machines: < 6.0.3.1 HF1 (Fixed in: 6.0.3.1 HF1)
  • RecoverPoint for Virtual Machines: 5.3 SP4 P1 (Fixed in: See Vendor Advisory)

Exploit Details

  • Mandiant: Observed zero-day exploitation by UNC6201 deploying SLAYSTYLE and BRICKSTORM malware.
  • Metasploit: Standard Tomcat Manager upload modules (exploit/multi/http/tomcat_mgr_upload) are compatible.

Mitigation Strategies

  • Network Segmentation: Restrict access to ports 8082 and 443.
  • Credential Rotation: Ensure no default accounts exist in Tomcat configuration.
  • Log Monitoring: Alert on access to /manager/* endpoints.
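The log-monitoring item above can be turned into a concrete detection. The following is an added example, not code from the original report or from Dell; it assumes the appliance's Tomcat writes an AccessLogValve log in the default "common" pattern (%h %l %u %t "%r" %s %b) and flags every request under /manager/*, escalating severity when a successful authenticated PUT/POST reaches the deploy or upload endpoints (the pattern the Tomcat Manager upload tooling named in the report produces). The log lines are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
ACCESS_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$'
)


@dataclass
class Alert:
    severity: str   # "medium", "high" or "critical"
    host: str
    user: str
    method: str
    path: str
    status: int


def parse_access_line(line: str) -> Optional[dict]:
    """Parse one access-log line; return None for lines that do not match."""
    m = ACCESS_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry: dict) -> Optional[Alert]:
    """Return an Alert for any Manager-app request, graded by how far it got."""
    path = entry["path"].split("?", 1)[0]          # drop the query string
    if not path.startswith("/manager/"):
        return None
    deploy_endpoint = "/deploy" in path or path.endswith("/upload")
    if entry["status"] == 200 and entry["method"] in ("PUT", "POST") and deploy_endpoint:
        severity = "critical"    # authenticated deployment succeeded: treat as compromise
    elif entry["status"] == 200:
        severity = "high"        # Manager app reached with valid credentials
    else:
        severity = "medium"      # probing / failed auth against the Manager app
    return Alert(severity, entry["host"], entry["user"], entry["method"], path, entry["status"])


def detect_manager_access(lines: Iterable[str]) -> List[Alert]:
    """Run the detection over a stream of access-log lines, skipping unparseable ones."""
    alerts: List[Alert] = []
    for line in lines:
        entry = parse_access_line(line)
        if entry is None:
            continue
        alert = classify(entry)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample log (not real appliance data): a probe, a login, a deployment, noise.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Feb/2026:10:15:01 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '10.0.0.5 - admin [17/Feb/2026:10:15:03 +0000] "GET /manager/html HTTP/1.1" 200 19032',
    '10.0.0.5 - admin [17/Feb/2026:10:15:09 +0000] "PUT /manager/text/deploy?path=/x&update=true HTTP/1.1" 200 45',
    '10.0.0.7 - - [17/Feb/2026:10:16:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    'this line is not an access-log entry',
]

if __name__ == "__main__":
    for a in detect_manager_access(SAMPLE_LOG):
        print(f"[{a.severity.upper()}] {a.host} user={a.user} {a.method} {a.path} -> {a.status}")
```

On an appliance where the Manager app should never be used interactively, even the "medium" hits are worth a ticket; the "critical" grade is the one to page on, because a 200 on a deploy request means a new web application was just written to the server.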

Remediation Steps

  1. Upgrade to RecoverPoint for Virtual Machines 6.0.3.1 HF1 or later.
  2. Apply Dell Remediation Script ID 000426742 if upgrading is not immediately possible.
  3. Verify tomcat-users.xml does not contain the 'admin' user with hardcoded credentials.
  4. Restart the Tomcat service to apply configuration changes.
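Step 3 can be made a repeatable check rather than a manual read of the file. The script below is an added example, not Dell's remediation script and not code from the original report; it parses a tomcat-users.xml document (namespaced or not), flags any user holding one of Tomcat's documented Manager/Host-Manager roles, any well-known default account name, and any trivially weak plaintext password, and exposes a yes/no answer for the specific "is there a privileged admin user" question. The default-name and weak-password lists and the sample XML are constructed for the example.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Tomcat's documented Manager / Host-Manager role names.
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status",
                 "admin-gui", "admin-script"}
# Constructed denylists; extend with whatever your baseline forbids.
DEFAULT_NAMES = {"admin", "tomcat", "manager", "root"}
WEAK_PASSWORDS = {"password", "admin", "tomcat", "changeme", "s3cret", ""}

Finding = Tuple[str, str, str]   # (severity, username, reason)


def _local(tag: str) -> str:
    """Strip an XML namespace ({http://tomcat.apache.org/xml}user -> user)."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text: str) -> List[Finding]:
    """Return findings for every <user> element in a tomcat-users.xml document."""
    findings: List[Finding] = []
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        # Tomcat accepts both 'username' and the legacy 'name' attribute.
        name = el.get("username") or el.get("name") or ""
        password = el.get("password")
        roles = {r.strip() for r in (el.get("roles") or "").split(",") if r.strip()}
        privileged = roles & MANAGER_ROLES
        if privileged:
            findings.append(("high", name, f"grants manager/admin roles: {sorted(privileged)}"))
        if name.lower() in DEFAULT_NAMES:
            findings.append(("high", name, "default/well-known account name"))
        if password is not None and (password.lower() in WEAK_PASSWORDS or password == name):
            findings.append(("critical", name, "weak or username-equal plaintext password"))
    return findings


def has_hardcoded_admin(xml_text: str) -> bool:
    """True when a user named 'admin' holds a Manager/admin role (remediation step 3)."""
    return any(name.lower() == "admin" and reason.startswith("grants")
               for _, name, reason in audit_tomcat_users(xml_text))


# Constructed sample mirroring the shape of the problem, not the appliance's real file.
SAMPLE_TOMCAT_USERS = """
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="probeuser"/>
  <user username="admin" password="changeme" roles="manager-gui,manager-script"/>
  <user username="deploy-svc" password="Zq8!constructed-strong" roles="manager-script"/>
  <user username="probe" password="constructed-probe-pw" roles="probeuser"/>
</tomcat-users>
"""

if __name__ == "__main__":
    for severity, user, reason in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"[{severity.upper()}] {user}: {reason}")
    print("hardcoded admin present:", has_hardcoded_admin(SAMPLE_TOMCAT_USERS))
```

Run it against the appliance's own file (for example `python3 audit.py < /path/to/tomcat-users.xml` after swapping the sample for `sys.stdin.read()`), and re-run it after step 4 so the restart is verified against a file that no longer produces the "hardcoded admin present: True" line.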
