Chinese hackers exploited zero-day Dell RecoverPoint flaw for 1.5 years

Summary

A Chinese cyberespionage group, UNC6201, has been exploiting a zero-day vulnerability (CVE-2026-22769) in Dell's RecoverPoint for Virtual Machines for 1.5 years. The vulnerability stems from hardcoded admin credentials for the Apache Tomcat Manager, allowing unauthenticated attackers to gain command execution as root, and was recently patched by Dell.

IFF Assessment

FOE

The exploitation of a zero-day vulnerability for an extended period is bad news for defenders.

Severity

10.0 Critical

Defender Context

Defenders should patch Dell RecoverPoint for Virtual Machines instances to version 6.0.3.1 HF1 or apply the remediation script released by Dell. This case highlights the need for continuous monitoring for unexpected C2 traffic and for proactive patching of enterprise infrastructure, especially components tied to VMware environments. The use of hardcoded credentials remains a prevalent issue in enterprise software.
