In the high-stakes world of cybersecurity, the most dangerous threats are often the ones you cannot see. A disturbing new report from Google Mandiant and the Google Threat Intelligence Group (GTIG) has brought one such threat to light. A maximum severity vulnerability affecting Dell RecoverPoint for Virtual Machines, tracked as CVE-2026-22769, has been actively exploited as a zero-day since mid-2024.
The attacks have been attributed to UNC6201, a suspected China-nexus threat cluster. For organizations relying on Dell’s data protection solutions, this is a critical wake-up call regarding the security of their backup and disaster recovery infrastructure.
Analysis: The Master Key in Your Infrastructure
CVE-2026-22769 is not just a software glitch; it is a fundamental security failure. Rated with a CVSS score of 10.0 (the maximum possible severity), the vulnerability stems from the presence of hard-coded credentials within the software.
Why This Matters
- Instant Access: Hard-coded credentials function as a universal backdoor. Attackers do not need to crack passwords or exploit complex logic; they simply use the credentials baked into the system by the manufacturer.
- Strategic Targeting: RecoverPoint for VMs is used for business continuity and disaster recovery. By compromising this system, attackers not only gain access to the network but also the ability to manipulate or destroy an organization's safety net—their backups.
- Stealthy Operations: The fact that this exploit has been active since mid-2024 without widespread detection highlights the sophistication of UNC6201 and the difficulty of detecting persistence mechanisms within virtualization environments.
Mitigation: Securing Your Virtual Environment
If you are running Dell RecoverPoint for VMs, immediate action is required. Here are the steps we recommend to protect your business:
- Patch Immediately: Check Dell’s security advisory for the latest patches addressing CVE-2026-22769 and apply them without delay.
- Isolate Management Interfaces: Ensure that the management interfaces for your recovery infrastructure are not directly accessible from the internet. Place them behind strict firewalls and VPNs.
- Audit for Compromise: Assume that if the system was unpatched during mid-to-late 2024, it may have been accessed. Conduct a thorough forensic review of logs for suspicious account creation or data exfiltration.
- Credential Hygiene: While hard-coded credentials require a patch, ensure all other administrative passwords for these systems are rotated immediately.
How Security Arsenal Can Help
Defending against advanced persistent threats (APTs) like UNC6201 requires more than just software updates; it requires a proactive security posture. At Security Arsenal, we provide the expertise needed to uncover hidden vulnerabilities before they are exploited.
Our comprehensive Vulnerability Audits go beyond automated scanning to identify critical issues like hard-coded credentials and misconfigurations in your virtual infrastructure. Additionally, our expert Penetration Testing services simulate real-world attack scenarios to stress-test your defenses against zero-day exploitation tactics.
For organizations requiring continuous oversight, our Managed Security team can monitor your environment 24/7 for the indicators of compromise (IoCs) associated with this campaign. If you want to test your team's ability to detect such an intrusion, our Red Teaming operations can provide a full-spectrum assessment of your defensive capabilities.
Detection & Response
Sigma Rules
```yaml
title: Potential Dell RecoverPoint Exploit CVE-2026-22769 - Java Service Spawning Shell
id: 0c1a2b3c-4d5e-6f78-9101-112131415161
status: experimental
description: |
  Detects the Java service associated with Dell RecoverPoint for Virtual Machines spawning a shell process.
  This behavior is indicative of successful exploitation of CVE-2026-22769 (CVSS 10.0), which allows unauthenticated remote code execution.
  Threat actors like UNC6201 exploit this vulnerability to gain initial access or execute commands on the backup appliance.
references:
  - https://www.google.com/threatanalysisgroup
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.initial_access
  - attack.execution
  - cve.2026.22769
  - detection.emerging_threats
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    ParentImage|endswith: '/java'
    Image|endswith:
      - '/bash'
      - '/sh'
  condition: selection
falsepositives:
  - Legitimate administrative debugging by vendor support (rare)
level: critical
---
title: Suspicious Shadow Copy Deletion Post-Exploitation
id: 1d2e3f4a-5b6c-7d8e-9f01-121314151617
status: experimental
description: |
  Detects attempts to delete Volume Shadow Copies using vssadmin.
  Following the compromise of backup infrastructure like Dell RecoverPoint (CVE-2026-22769),
  threat actors such as UNC6201 often delete shadow copies to prevent data recovery and ensure impact.
references:
  - https://www.google.com/threatanalysisgroup
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.impact
  - attack.t1490
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\vssadmin.exe'
    CommandLine|contains: 'delete shadows'
  condition: selection
falsepositives:
  - System administrator performing backup maintenance or testing recovery procedures
level: high
```
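To show how the two selections above behave against concrete process-creation events, here is an added example (not part of the original post and not generated by any Sigma toolchain): a minimal evaluator for the `endswith` and `contains` modifiers the rules use, run over constructed Linux and Windows events. Field names follow the Sigma `process_creation` taxonomy; the events themselves are fabricated for illustration, and the rule titles are shortened.

```python
"""Minimal Sigma-style evaluator for the two rules above (added example, not the
post's own tooling). Implements only the modifiers the rules need: endswith,
contains, startswith and exact match."""

# Selections copied from the rules' `detection.selection` blocks. Each rule has a
# single selection, so the condition `selection` reduces to "all keys match".
RULES = {
    "Java Service Spawning Shell": {
        "ParentImage|endswith": ["/java"],
        "Image|endswith": ["/bash", "/sh"],
    },
    "Suspicious Shadow Copy Deletion": {
        "Image|endswith": ["\\vssadmin.exe"],
        "CommandLine|contains": ["delete shadows"],
    },
}


def value_matches(value, modifier, patterns):
    """Sigma string matching is case-insensitive; a list of patterns is OR-ed."""
    v = str(value).lower()
    for pattern in patterns:
        p = pattern.lower()
        if modifier == "endswith" and v.endswith(p):
            return True
        if modifier == "contains" and p in v:
            return True
        if modifier == "startswith" and v.startswith(p):
            return True
        if modifier == "" and v == p:
            return True
    return False


def selection_matches(selection, event):
    """Keys inside one selection map are AND-ed; a missing field never matches."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event or not value_matches(event[field], modifier, patterns):
            return False
    return True


def evaluate(events, rules=RULES):
    """Return (rule title, event id) for every rule that fires on every event."""
    hits = []
    for event in events:
        for title, selection in rules.items():
            if selection_matches(selection, event):
                hits.append((title, event["id"]))
    return hits


# Constructed sample events (not real telemetry). The Linux ones use a JVM as
# ParentImage, as a RecoverPoint Java service would; the Windows ones mimic vssadmin use.
SAMPLE_EVENTS = [
    {"id": "linux-1", "ParentImage": "/usr/lib/jvm/jre/bin/java",
     "Image": "/bin/bash", "CommandLine": "bash -c id"},
    {"id": "linux-2", "ParentImage": "/usr/lib/jvm/jre/bin/java",
     "Image": "/usr/bin/python3", "CommandLine": "python3 -V"},  # not covered by rule 1
    {"id": "linux-3", "ParentImage": "/usr/sbin/cron",
     "Image": "/bin/sh", "CommandLine": "/bin/sh -c run-parts /etc/cron.hourly"},
    {"id": "win-1", "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"id": "win-2", "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},
]

if __name__ == "__main__":
    for title, event_id in evaluate(SAMPLE_EVENTS):
        print(f"{event_id}: {title}")
```

Running it fires the first rule on `linux-1` and the second on `win-1` only. Note that `linux-2` (the JVM spawning an interpreter rather than a shell) slips past the Sigma rule as written; the KQL hunt later on the page casts a wider net over child processes such as `python3`, `perl`, `curl` and `wget`, which is the trade-off between a low-noise alert rule and a broader hunting query.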
KQL — Microsoft Sentinel / Defender
```kusto
// Hunt for CVE-2026-22769 (Dell RecoverPoint) Exploitation Indicators
// Targets anomalous process execution patterns on Linux devices where a Java/Web service spawns a shell or network utility (RCE to Webshell/C2)
// DeviceProcessEvents carries no OS column; the platform lives on DeviceInfo, so Linux devices are selected with a join
let linuxDevices = DeviceInfo
    | where Timestamp > ago(30d)
    | where OSPlatform == "Linux"
    | distinct DeviceId;
DeviceProcessEvents
| where Timestamp > ago(30d)
| where DeviceId in (linuxDevices)
// Filter for parent processes associated with Dell RecoverPoint (Java-based) or common web frontends
| where InitiatingProcessFileName in~ ("java", "jre", "tomcat", "nginx", "httpd", "apache", "lighttpd")
// Identify suspicious child processes often used post-exploitation for persistence or C2
| where FileName in~ ("bash", "sh", "dash", "zsh", "perl", "python", "python3", "wget", "curl", "nc", "ncat", "telnet", "chmod")
// Exclude known system maintenance paths if necessary (tune to environment).
// Caution: a JVM installed under /usr/lib/jvm would be excluded by this filter, so check where the appliance's Java lives first
| where not(InitiatingProcessCommandLine contains "/usr/lib")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, SHA256
| order by Timestamp desc
```
Velociraptor VQL
```vql
-- Hunt for CVE-2026-22769 (Dell RecoverPoint) Exploitation by UNC6201
-- Targets: Linux-based Dell RecoverPoint Virtual Appliances
-- Indicators: Java process spawning shells (RCE), webshells in webroots, suspicious outbound connections

-- Identify running processes. On Linux pslist() already returns Username, so no
-- SID lookup (a Windows-only helper) is needed. '<=' materializes the result so
-- the queries below can reuse it.
LET processes <= SELECT Pid, Ppid, Name, Exe, Username, CommandLine
                 FROM pslist()

-- PIDs of the RecoverPoint Java service, shared by the process and network hunts
LET java_pids <= SELECT Pid FROM processes
                 WHERE Name =~ "java" AND Exe =~ "RecoverPoint"

-- 1. Process Anomaly: Hunt for Java (RecoverPoint) spawning reverse shells
--    Name is the bare process name, so match on that rather than on a full path
SELECT "Suspicious Process Spawn" AS EvidenceType,
       Name AS ProcessName,
       Exe AS Path,
       Username AS RunAsUser,
       Ppid AS ParentPID,
       CommandLine
FROM processes
WHERE Name =~ "^(sh|bash|dash|nc|ncat|socat|python3?|perl)$"
  AND Ppid IN java_pids.Pid

-- 2. File System Anomaly: Hunt for recently modified webshells (JSP/JSPX)
--    OSPath is the current column name (FullPath on older releases); Mtime is already a timestamp
SELECT "Potential Webshell" AS EvidenceType,
       OSPath,
       Size,
       Mtime AS ModifiedTime,
       Mode.String AS Permissions
FROM glob(globs=["/opt/RecoverPoint/**/webapps/**/*.jsp",
                 "/opt/RecoverPoint/**/webapps/**/*.jspx"])
WHERE Mtime > now() - 30 * 24 * 3600   -- Modified in last 30 days

-- 3. File Integrity: Stat the main RecoverPoint directory for unexpected changes
SELECT "Directory Anomaly" AS EvidenceType,
       OSPath,
       Size,
       Mode,
       Mtime
FROM stat(filename="/opt/RecoverPoint")
WHERE Mtime > now() - 7 * 24 * 3600

-- 4. Network Anomaly: Hunt for outbound connections from the Java service
--    netstat() exposes Laddr/Raddr structs plus Status and FamilyString
SELECT "Suspicious Outbound Connection" AS EvidenceType,
       Raddr.IP AS RemoteAddress,
       Raddr.Port AS RemotePort,
       Status AS State,
       FamilyString AS Family
FROM netstat()
WHERE Pid IN java_pids.Pid
  AND Status =~ "ESTAB"
  AND NOT Raddr.IP IN ("127.0.0.1", "::1")
```
Remediation Script
```bash
#!/bin/bash
# Title: Dell RecoverPoint CVE-2026-22769 Hardening & IOC Scanner
# Context: Addresses UNC6201 zero-day exploitation targeting RP4VM
# Threat: CVE-2026-22769 (CVSS 10.0)
# OS: Linux (Dell RecoverPoint Virtual Appliance)

# Define the patched version threshold
# Note: Update 'SAFE_VERSION' with the specific build number from the official Dell Security Advisory
SAFE_VERSION="6.0.1.2"

echo "[*] Initiating Assessment for CVE-2026-22769 (Dell RecoverPoint)"
echo "------------------------------------------------------------"

# ----------------------------------------------------------------
# 1. Patch Status Verification (Version Check)
# ----------------------------------------------------------------
echo "[1/4] Verifying Patch Status..."
# RecoverPoint version info is typically located in /etc/recoverpoint/release
# or can be queried via the management CLI.
VERSION_FILE="/etc/recoverpoint/release"
if [ -f "$VERSION_FILE" ]; then
    # Extract build version string (format may vary, e.g., BUILD=6.0.1.0)
    CURRENT_BUILD=$(grep "BUILD=" "$VERSION_FILE" | cut -d'=' -f2 | tr -d '[:space:]')
    # Fallback if specific key not found: grep whole file for version pattern
    if [ -z "$CURRENT_BUILD" ]; then
        CURRENT_BUILD=$(grep -oE "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" "$VERSION_FILE" | head -n1)
    fi
    echo "[+] Detected Build Version: $CURRENT_BUILD"
    # Compare versions component by component with 'sort -V'. A plain string
    # comparison would misorder builds such as 6.0.10.0 and 6.0.9.0.
    # Logic: if the lower of the two versions is not SAFE_VERSION, the current build is older.
    if [ -z "$CURRENT_BUILD" ]; then
        echo "[!] Could not parse a build version from $VERSION_FILE; verify manually."
    elif [ "$(printf '%s\n' "$CURRENT_BUILD" "$SAFE_VERSION" | sort -V | head -n1)" != "$SAFE_VERSION" ]; then
        echo "[!!!] CRITICAL: The system is running a VULNERABLE build."
        echo "[!!!] Target: CVE-2026-22769. Action: Patch immediately to $SAFE_VERSION or later."
    else
        echo "[+] System version indicates patching applied (or unaffected release)."
    fi
else
    echo "[!] Version file not found at $VERSION_FILE. Trying RPM check..."
    rpm -qa 2>/dev/null | grep -i "recoverpoint" || echo "[!] No RecoverPoint RPM found; query the management CLI instead."
fi

# ----------------------------------------------------------------
# 2. IOC Hunt: Web Shell Detection (UNC6201 TTPs)
# ----------------------------------------------------------------
echo ""
echo "[2/4] Scanning for UNC6201 Web Shell IOCs..."
# UNC6201 is known to drop web shells on vulnerable appliances.
# RP4VM web components are usually Java-based (Jetty/Tomcat).
# Candidate web roots; left unquoted below so the shell expands the wildcard.
WEB_ROOTS="/opt/RecoverPoint /opt/RecoverPoint/vPLEX/gui /var/lib/vmware/vfabric-tc-server/instances/*/webapps"
if [ -d "/opt/RecoverPoint" ]; then
    echo "[*] Scanning web directories for recently modified JSP/Java files..."
    # Find files modified in the last 14 days to capture zero-day activity
    # shellcheck disable=SC2086
    find $WEB_ROOTS -type f \( -name "*.jsp" -o -name "*.jspx" -o -name "*.class" \) -mtime -14 2>/dev/null | sort -u | while read -r FILE; do
        # Check for signatures of web shells (Runtime.getRuntime, exec, base64)
        if grep -qiE "Runtime\.getRuntime|exec\(|base64_decode|ProcessBuilder" "$FILE"; then
            echo "[!!!] HIGH CONFIDENCE IOC: Potential web shell content detected in $FILE"
        else
            # Flag recent changes in core paths even without content match
            echo "[!] Suspicious recent file modification: $FILE"
        fi
    done
else
    echo "[!] Standard RecoverPoint directory (/opt/RecoverPoint) not found."
fi

# ----------------------------------------------------------------
# 3. IOC Hunt: Suspicious Processes (Reverse Shells)
# ----------------------------------------------------------------
echo ""
echo "[3/4] Scanning for Active Reverse Shells..."
# Look for web server users (tomcat/www-data) spawning shells.
# Anchor on the USER column so the pattern cannot match a username that merely appears in a command line.
SUSP_USERS="^(tomcat|www-data|rp4vm)[[:space:]]"
ps aux 2>/dev/null | grep -E "$SUSP_USERS" | grep -v grep | while read -r LINE; do
    # Check for reverse shell patterns (bash -i, netcat, perl/python sockets)
    if echo "$LINE" | grep -qE "bash -i|nc (-l|-e)|perl -e|python[23]? .*socket|/bin/sh .*-i"; then
        echo "[!!!] SUSPICIOUS PROCESS: $LINE"
    fi
done

# ----------------------------------------------------------------
# 4. Network Hardening Check
# ----------------------------------------------------------------
echo ""
echo "[4/4] Checking Network Exposure..."
# Ensure the appliance is not listening on unnecessary ports
# Port 22 (SSH), 443 (Management), 7788-7790 (Internal) are standard.
# Check for non-standard high ports bound to all interfaces.
# Prefer ss (netstat is often absent on current distributions); both print "address:port".
if command -v ss >/dev/null 2>&1; then
    LISTENERS=$(ss -tuln 2>/dev/null | awk 'NR>1 {print $5}')
else
    LISTENERS=$(netstat -tuln 2>/dev/null | awk '/^(tcp|udp)/ {print $4}')
fi
echo "$LISTENERS" | while read -r LISTENING; do
    [ -z "$LISTENING" ] && continue
    # Take the text after the last ':' so IPv6 wildcards such as [::]:8443 or :::8443 parse correctly
    PORT="${LISTENING##*:}"
    ADDR="${LISTENING%:*}"
    case "$PORT" in ''|*[!0-9]*) continue ;; esac
    # Alert if listening on all interfaces (0.0.0.0, *, :: or [::]) for non-standard high ports
    case "$ADDR" in
        0.0.0.0|'*'|::|'[::]'|'')
            if [ "$PORT" -gt 10000 ]; then
                echo "[!] Unusual high port listening on all interfaces: $LISTENING"
            fi ;;
    esac
done

echo ""
echo "[*] Assessment Complete."
```
Conclusion
The exploitation of CVE-2026-22769 demonstrates that threat actors are increasingly targeting the foundational layers of IT infrastructure, including disaster recovery systems. The window between vulnerability discovery and exploitation is shrinking. By partnering with Security Arsenal and prioritizing rigorous security testing, you can ensure that your organization remains resilient against even the most sophisticated adversaries.
Are your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.