
Mark0


From BRICKSTORM to GRIMBOLT: UNC6201 Exploiting a Dell RecoverPoint for Virtual Machines Zero-Day

Mandiant and Google Threat Intelligence Group have uncovered a critical zero-day vulnerability (CVE-2026-22769) in Dell RecoverPoint for Virtual Machines. This flaw, carrying a maximum CVSS score of 10.0, stems from hard-coded default credentials in the Apache Tomcat Manager, allowing remote attackers to achieve root-level command execution via malicious WAR file deployment. A suspected PRC-nexus threat cluster, UNC6201, has been actively exploiting this vulnerability since mid-2024 to deploy various backdoors and maintain persistent access within targeted environments.

The investigation revealed sophisticated tradecraft, including the use of GRIMBOLT, a C#-based backdoor compiled with Native ahead-of-time (AOT) compilation to evade static analysis. Furthermore, the threat actor demonstrated novel techniques for pivoting through VMware infrastructure, such as creating "Ghost NICs" for stealthy network movement and implementing iptables-based Single Packet Authorization (SPA) to conceal command-and-control traffic. Organizations are urged to apply Dell's remediation patches and monitor for specific forensic artifacts identified in Tomcat logs and system configuration scripts.
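The initial access path described above (a valid Manager login followed by a WAR upload) leaves a recognisable shape in the Tomcat access log. The following is an added example, not code from the article or from Mandiant: a small detector that parses constructed access-log lines in Tomcat's default AccessLogValve format, flags successful requests to the two Manager endpoints that accept a WAR, and lists what the same source requested afterwards outside /manager. The log lines are invented for the demo and are not artifacts from the incident.

```python
import re

# Constructed sample in Tomcat's default AccessLogValve pattern; these lines are
# made up for the demonstration and are not indicators from the incident.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2024:03:14:07 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - tomcat [12/Jun/2024:03:14:09 +0000] "GET /manager/html HTTP/1.1" 200 15810
10.0.0.5 - tomcat [12/Jun/2024:03:14:31 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=X HTTP/1.1" 200 1102
10.0.0.5 - - [12/Jun/2024:03:14:33 +0000] "GET /demo/index.jsp HTTP/1.1" 200 312
10.0.0.7 - admin [12/Jun/2024:04:00:00 +0000] "PUT /manager/text/deploy?path=/app&update=true HTTP/1.1" 200 34
192.168.1.20 - - [12/Jun/2024:05:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)

# Manager endpoints that accept a WAR: the HTML upload form and the text (scripting) deploy API.
DEPLOY_PREFIXES = ("/manager/html/upload", "/manager/text/deploy")


def parse_line(line):
    """Return the fields we care about as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_war_deployments(log_text):
    """Successful (HTTP 200) PUT/POST requests to a Manager deploy endpoint."""
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec or rec["status"] != "200" or rec["method"] not in ("PUT", "POST"):
            continue
        if rec["path"].startswith(DEPLOY_PREFIXES):
            hits.append({k: rec[k] for k in ("ip", "user", "ts", "path")})
    return hits


def followup_requests(log_text):
    """(ip, path) for requests a deploying source makes outside /manager after its deploy,
    i.e. the newly dropped application being exercised."""
    deployed_from, follow = set(), []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec:
            continue
        if rec["ip"] in deployed_from and not rec["path"].startswith("/manager"):
            follow.append((rec["ip"], rec["path"]))
        if rec["method"] in ("PUT", "POST") and rec["path"].startswith(DEPLOY_PREFIXES):
            deployed_from.add(rec["ip"])
    return follow
```

On a real host the same logic runs over `localhost_access_log.*.txt`; a deploy from an address that is not your deployment pipeline, or one preceded by a 401 on /manager/html, is the event to investigate.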


