Dell Zero-Day (CVSS 10) Exploited by UNC6201
Security Intel Report: Virtual Infrastructure & Edge Defense
A maximum-severity vulnerability in Dell RecoverPoint for Virtual Machines has been unmasked as a long-running zero-day. Tracked as CVE-2026-22769 with a perfect CVSS score of 10.0, the flaw has been silently exploited since mid-2024 by a suspected PRC-nexus threat cluster dubbed UNC6201.
The exploitation is notable not just for its severity, but for the "invisibility" of the post-compromise tactics. Mandiant and Google Threat Intelligence researchers have detailed how the group employs "Ghost NICs" and "Secret Knocking" techniques to pivot through VMware infrastructure without leaving a trace in traditional network logs.
The Vulnerability: CVE-2026-22769
The flaw is a hardcoded credential vulnerability within the Apache Tomcat Manager instance integrated into Dell RecoverPoint for VMs (versions prior to 6.0.3.1 HF1). Because the "admin" credentials were static and unchangeable in vulnerable versions, unauthenticated remote attackers could:
- Access: Authenticate directly to the Tomcat Manager via the web interface.
- Deploy: Upload malicious Web ARchive (WAR) files containing shells like SLAYSTYLE.
- Escalate: Execute commands with root-level privileges on the underlying appliance OS.
Advanced Evasion: "Ghost NICs"
Once UNC6201 gains root access to a Dell appliance, they pivot into the broader VMware environment using a technique called Ghost NICs. This is a sophisticated method of network virtualization abuse:
- Creation: The actor creates new, temporary virtual network interface cards (NICs) on existing Virtual Machines running on an ESXi host.
- Pivoting: These "ghost" interfaces are mapped to internal segments or even SaaS-facing VLANs that the compromised VM should not have access to.
- Destruction: After the lateral movement or data exfiltration is complete, the actor deletes the temporary NIC. Because the NIC only existed in the volatile configuration of the hypervisor, traditional hardware asset inventories and static network maps show no evidence of the breach.
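Because a Ghost NIC leaves nothing behind in asset inventories, the only durable record is the hypervisor's reconfiguration history. The following hunting script is an added example, not code from the report or from Mandiant; it runs over constructed, simplified reconfigure records whose field names (`vm`, `user`, `changes`, `op`, `device`, `network`) are assumptions rather than a real vSphere schema. It flags network adapters that are added and removed within a short window, and adapters attached to networks a VM is not approved for.

```python
"""Hunt for short-lived virtual NICs ("Ghost NICs") in hypervisor events.

Added example with constructed sample data. The record layout is a
simplified stand-in for vCenter VM reconfigure events; the field names
are assumptions, not a real vSphere schema.
"""
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Each reconfigure event
# carries a list of device changes; only network adapters matter here.
SAMPLE_EVENTS = [
    {"time": "2025-11-03T01:12:04Z", "vm": "app-vm-07", "user": "svc-backup",
     "changes": [{"op": "add", "device": "VirtualVmxnet3", "network": "mgmt-vlan-10"}]},
    {"time": "2025-11-03T01:40:51Z", "vm": "app-vm-07", "user": "svc-backup",
     "changes": [{"op": "remove", "device": "VirtualVmxnet3", "network": "mgmt-vlan-10"}]},
    {"time": "2025-11-04T09:00:00Z", "vm": "web-vm-02", "user": "vi-admin",
     "changes": [{"op": "add", "device": "VirtualVmxnet3", "network": "dmz-vlan-20"}]},
    {"time": "2025-11-05T12:00:00Z", "vm": "web-vm-02", "user": "vi-admin",
     "changes": [{"op": "edit", "device": "VirtualDisk"}]},
]

# Assumed allow-list: the networks each VM is approved to attach to.
APPROVED_NETWORKS = {
    "app-vm-07": {"app-vlan-30"},
    "web-vm-02": {"dmz-vlan-20"},
}

# Adapter device types worth tracking (common vSphere virtual NIC classes).
NIC_DEVICE_TYPES = {"VirtualVmxnet3", "VirtualE1000", "VirtualE1000e"}


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_ghost_nics(events, approved=APPROVED_NETWORKS, max_lifetime=timedelta(hours=24)):
    """Return findings as (vm, network, reason, detail) tuples, in event order."""
    findings = []
    pending = {}  # (vm, network) -> (time adapter was added, user who added it)
    for ev in sorted(events, key=lambda e: e["time"]):
        t = _parse(ev["time"])
        for ch in ev["changes"]:
            if ch.get("device") not in NIC_DEVICE_TYPES:
                continue
            key = (ev["vm"], ch["network"])
            if ch["op"] == "add":
                pending[key] = (t, ev["user"])
                # An adapter on a network the VM is not approved for is a finding
                # on its own, whether or not it is later removed.
                if ch["network"] not in approved.get(ev["vm"], set()):
                    findings.append((ev["vm"], ch["network"], "unapproved-network",
                                     f"added by {ev['user']} at {ev['time']}"))
            elif ch["op"] == "remove" and key in pending:
                added_at, user = pending.pop(key)
                lifetime = t - added_at
                # Add-then-remove inside the window is the Ghost NIC pattern.
                if lifetime <= max_lifetime:
                    findings.append((ev["vm"], ch["network"], "short-lived-nic",
                                     f"lived {int(lifetime.total_seconds())}s, added by {user}"))
    return findings


if __name__ == "__main__":
    for finding in find_ghost_nics(SAMPLE_EVENTS):
        print(finding)
```

Adapters still present when the window closes are left in `pending`; a production version would report those as well, since an adapter that is never removed but sits on an unapproved network is just as interesting.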
"Secret Knocks": Single Packet Authorization
To maintain stealthy command-and-control (C2), UNC6201 utilizes iptables to implement a "Secret Knock" or Single Packet Authorization (SPA) system.
Standard backdoors leave a port open, which can be spotted by vulnerability scanners. UNC6201's method keeps the C2 port closed by default. The port only opens for 300 seconds (5 minutes) when it receives a specific "knock": either a sequence of packets or a single specially crafted packet that matches a predefined cryptographic signature. This allows the actors to remain hidden from even the most rigorous external port scans.
The Malware Evolution: BRICKSTORM to GRIMBOLT
Researchers observed a shift in the group’s arsenal in late 2025. The previously identified BRICKSTORM backdoor was replaced with a more advanced variant called GRIMBOLT.
| Feature | BRICKSTORM (Old) | GRIMBOLT (New) |
|---|---|---|
| Language | Go (Golang) | C# (.NET Native AOT) |
| Detection Profile | Often caught by Go-specific signatures. | Native AOT compilation makes it look like a standard system binary. |
| Analysis | Easier to reverse engineer. | Removes metadata, making static analysis extremely difficult. |
Remediation and Hunting
Dell has released a patch (version 6.0.3.1 HF1) to address the hardcoded credentials. However, due to the 400+ day dwell time of this actor, organizations are urged to hunt for evidence of past compromise:
- Audit Tomcat Logs: Check `/home/kos/auditlog/fapi_cl_audit_log.log` for any requests to the `/manager` path.
- Monitor Hypervisors: Use VMware event logs to search for unauthorized creation and deletion of virtual network adapters (NICs).
- Check Persistence: Inspect `convert_hosts.sh` on Dell appliances for unauthorized modifications that might trigger a backdoor at boot time.
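The first and third hunting steps above (Tomcat Manager requests in the audit log, and tampering with `convert_hosts.sh`) can be scripted. The block below is an added example, not Dell's or Mandiant's code. The audit log line layout it parses is a constructed assumption, since the report does not document the real format of `fapi_cl_audit_log.log`; the "clean" script content and its digest are likewise constructed, and an operator would substitute a hash taken from a known-clean appliance of the same version.

```python
"""Hunting helpers for two indicators from the report: requests to the
Tomcat Manager path, and modification of convert_hosts.sh.

Added example with constructed inputs. The log layout
"<time> <src_ip> <method> <path> <status>" is an assumption, not the
real fapi_cl_audit_log.log format.
"""
import hashlib
import re

# Constructed sample lines (not real appliance output).
SAMPLE_AUDIT_LOG = """\
2024-07-19T02:11:43Z 10.0.5.21 GET /fapi/rest/4_1/management/system 200
2024-07-19T02:13:09Z 198.51.100.77 GET /manager/html 401
2024-07-19T02:13:11Z 198.51.100.77 GET /manager/html 200
2024-07-19T02:13:40Z 198.51.100.77 PUT /manager/text/deploy?path=/x 200
2024-07-20T08:00:02Z 10.0.5.21 GET /fapi/rest/4_1/management/system 200
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)


def find_manager_requests(log_text):
    """Return parsed records whose path starts with /manager, any status.
    Failed (401) attempts are kept: they show when the probing started."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("path").startswith("/manager"):
            hits.append(m.groupdict())
    return hits


def summarize_sources(hits):
    """Group Manager hits by source address: {src: (total, successful)}."""
    summary = {}
    for h in hits:
        total, ok = summary.get(h["src"], (0, 0))
        summary[h["src"]] = (total + 1, ok + (1 if h["status"].startswith("2") else 0))
    return summary


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Assumed heuristics for a boot-time script: launching detached processes
# or anything out of /tmp is not expected in a vendor conversion script.
SUSPICIOUS_RE = re.compile(rb"(nohup\s|/tmp/|curl\s|wget\s)")


def check_persistence_script(content: bytes, baseline_sha256: str):
    """Compare script content to a known-good digest and flag suspicious lines.
    Returns a list of finding strings; empty means nothing was flagged."""
    findings = []
    if sha256_of(content) != baseline_sha256:
        findings.append("digest-mismatch")
    for n, line in enumerate(content.splitlines(), 1):
        if SUSPICIOUS_RE.search(line):
            findings.append(f"suspicious-line:{n}")
    return findings


if __name__ == "__main__":
    hits = find_manager_requests(SAMPLE_AUDIT_LOG)
    print(summarize_sources(hits))
    # Constructed "clean" script and a tampered copy with an appended launcher line.
    clean = b"#!/bin/bash\n# convert hosts\n/usr/bin/convert_hosts --all\n"
    tampered = clean + b"nohup /tmp/.cache/x >/dev/null 2>&1 &\n"
    print(check_persistence_script(tampered, sha256_of(clean)))
```

The digest comparison is the authoritative check; the line heuristics only help an analyst find where a modified script differs when no clean copy is at hand, and they will miss an edit that reuses commands already present in the script.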