Particle.news

Dell Patches RecoverPoint Zero-Day Exploited Since 2024 by Suspected China Group

Researchers detail stealthy persistence using Ghost NICs alongside the newer Grimbolt backdoor.

Overview

  • Dell fixed CVE-2026-22769, a CVSS 10.0 hardcoded Tomcat credential in RecoverPoint for Virtual Machines prior to 6.0.3.1 HF1 that let a remote attacker, needing no credentials of their own, gain root on the appliance and persist there, and the company acknowledged limited active exploitation before the patch.
  • Mandiant and Google Threat Intelligence Group attribute the activity to UNC6201, which leveraged the flaw since at least mid-2024 to deploy the SlayStyle web shell and the Brickstorm backdoor before shifting to a harder-to-analyze C# variant dubbed Grimbolt around September 2025.
  • Intrusions featured novel VMware tradecraft, including temporary hidden network interfaces known as Ghost NICs for stealthy pivoting, plus iptables-based single-packet authorization (firewall rules that keep a listener closed until a specific trigger packet arrives) and modifications to a startup script to ensure backdoor execution at boot.
  • Investigators have confirmed fewer than a dozen affected organizations so far, but they caution the true scope remains unknown and urge hunts for Grimbolt in environments previously targeted with Brickstorm.
  • Dell, Mandiant, and GTIG published remediation steps, indicators of compromise, and YARA detections, and defenders are advised to upgrade to 6.0.3.1 HF1, review Tomcat Manager access logs, and search for SlayStyle, Brickstorm, and Grimbolt artifacts on affected appliances.
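The log review and artifact hunt suggested above, as an added example that is not Dell's, Mandiant's or GTIG's tooling: a small Python hunt over a Tomcat access log (assumed to be written in the default "common" AccessLogValve pattern) that flags every Tomcat Manager request and marks successful WAR deployments, plus a pass over `iptables-save` output for rules built on the `recent` and `string` match modules, the usual building blocks of an iptables port-knock or single-packet-authorization gate. The match-module heuristic and all sample input are assumptions constructed for this example; the published reports do not state which iptables features the actor used.

```python
"""Hunting helpers for two of the artifacts named above: Tomcat Manager
access and iptables rules shaped like a single-packet-authorization gate.

Added example, not tooling from Dell, Mandiant or GTIG. The access-log
format and the iptables match modules are assumptions, noted inline.
"""
import re
from typing import Dict, List

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
# (assumption: the appliance's Tomcat writes this default pattern).
_ACCESS_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Manager endpoints that can place a WAR on the server, which is how a web
# shell such as SlayStyle would land on a Tomcat host.
_DEPLOY_PATHS = ("/manager/text/deploy", "/manager/html/upload", "/manager/deploy")


def flag_manager_requests(lines: List[str]) -> List[Dict[str, str]]:
    """Return every parsed request that touched /manager/, marking deployments.

    On an appliance whose Manager should never be used interactively, any
    hit deserves a look; a successful deploy (2xx/3xx) is the strongest one.
    Lines that do not match the pattern are skipped, not treated as clean.
    """
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = _ACCESS_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if not path.startswith("/manager/"):
            continue
        status = int(m.group("status"))
        deployed = any(path.startswith(p) for p in _DEPLOY_PATHS) and 200 <= status < 400
        hits.append({
            "host": m.group("host"),
            "user": m.group("user"),
            "time": m.group("time"),
            "method": m.group("method"),
            "path": path,
            "status": m.group("status"),
            "deploy": "yes" if deployed else "no",
        })
    return hits


# Match modules that an iptables port-knock / SPA gate is normally built
# from (assumption about typical tooling, not a claim about this actor's
# rules): "-m recent" tracks sources that sent the unlock packet, and
# "-m string" looks for a magic payload.
_SPA_MARKERS = ("-m recent", "-m string")


def flag_spa_rules(iptables_save: str) -> List[str]:
    """Return rules from `iptables-save` output that use recent/string matching."""
    flagged: List[str] = []
    for raw in iptables_save.splitlines():
        rule = raw.strip()
        if not rule.startswith("-A"):
            continue  # table names, chain policies, comments, COMMIT
        if any(marker in rule for marker in _SPA_MARKERS):
            flagged.append(rule)
    return flagged


# Constructed sample input; not data from any real incident.
SAMPLE_ACCESS_LOG = [
    '10.0.5.20 - - [12/Sep/2025:02:14:07 +0000] "GET /RecoverPoint/ HTTP/1.1" 200 5120',
    '198.51.100.7 - tomcat [12/Sep/2025:02:15:31 +0000] "GET /manager/html HTTP/1.1" 200 14213',
    '198.51.100.7 - tomcat [12/Sep/2025:02:15:58 +0000] "PUT /manager/text/deploy?path=/sys&update=true HTTP/1.1" 200 61',
    '198.51.100.7 - - [12/Sep/2025:02:16:10 +0000] "POST /sys/index.jsp HTTP/1.1" 200 88',
    "not an access log line",
]

SAMPLE_IPTABLES_SAVE = """\
# constructed sample, not captured from an appliance
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p udp --dport 62201 -m string --string "open" --algo bm -m recent --name gate --set -j DROP
-A INPUT -p tcp --dport 2222 -m recent --name gate --rcheck --seconds 30 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for hit in flag_manager_requests(SAMPLE_ACCESS_LOG):
        print("manager:", hit)
    for rule in flag_spa_rules(SAMPLE_IPTABLES_SAVE):
        print("spa-like:", rule)
```

Run it against the appliance's own access log (`cat access_log | python3 hunt.py` after swapping the sample list for `sys.stdin`) and against `iptables-save` output taken from a live shell or a disk image. A Manager hit from an address that is not the vendor's packaging process, or a `recent`/`string` rule that nobody on the team wrote, is a lead, not proof; pair either with the vendor IOCs and YARA rules before calling it.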