Cybersecurity Threat Advisory: Dell RecoverPoint for Virtual Machines zero-day

Security researchers from Google Mandiant and the Google Threat Intelligence Group (GTIG) have identified active exploitation of a maximum‑severity zero‑day vulnerability in Dell RecoverPoint for Virtual Machines (RP4VM) by a suspected China‑nexus threat cluster tracked as UNC6201. Read this Cybersecurity Threat Advisory now to mitigate the potential impact of this vulnerability on your organization.

What is the threat?

The threat involves exploitation of CVE‑2026‑22769, a critical authentication flaw caused by hard‑coded credentials in Dell RecoverPoint for Virtual Machines (RP4VM). Because these credentials cannot be changed or disabled, attackers with network access can authenticate remotely and gain full administrative control of RP4VM appliances. These systems are deeply embedded in enterprise virtualization and disaster recovery workflows.

Once inside, UNC6201 uses RP4VM as both an access point and persistence mechanism. According to Google Mandiant and GTIG, attackers deploy lightweight backdoors disguised as legitimate services, designed to survive reboots and updates while staying covert. They also repurpose the appliance as a command‑and‑control (C2) relay. This enables internal data exfiltration and command execution that often bypasses perimeter defenses.

With this foothold, attackers harvest credentials and move laterally across virtual infrastructure. Because RP4VM integrates closely with VMware vCenter, ESXi hosts, and protected VMs, UNC6201 can quickly enumerate systems, gather credentials, and pivot deeper into the environment. This behavior aligns with the BRICKSTORM campaign’s emphasis on stealth and long‑term operational access; the campaign often relies on built‑in tools and APIs to blend in with normal activity.

Why is it noteworthy?

This zero‑day carries a CVSS score of 10.0, requiring no authentication and resulting in complete system compromise. It targets infrastructure that organizations typically trust implicitly, increasing the likelihood of widespread and persistent intrusion.

Its link to a China‑nexus espionage group and the broader BRICKSTORM campaign also highlights an ongoing shift toward targeting virtualization, backup, and disaster recovery platforms. These high‑value systems often receive less monitoring than endpoints or perimeter devices.

What is the exposure or risk?

Organizations running RP4VM versions earlier than 6.0.3.1 HF1 are at risk of full administrative compromise. Potential impacts include unauthorized VM access, credential theft, data exfiltration, disruption of recovery operations, and use of the appliance as a pivot point for broader network intrusion. Given RecoverPoint’s critical role in data protection, breaches can threaten data integrity, availability, and confidentiality.

What are the recommendations?

Barracuda strongly advises organizations to take the following immediate actions:

  • Upgrade to Dell RecoverPoint for Virtual Machines version 6.0.3.1 HF1 or later.
  • Confirm whether RP4VM exists in your environment; RecoverPoint Classic is not affected.
  • Limit RP4VM interfaces to trusted networks with proper segmentation.
  • Rotate RP4VM, VMware, and connected system credentials if compromise is suspected.
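As an added illustration of the first two recommendations (not code from Dell or Barracuda), the following Python check flags RP4VM appliances in an inventory export that are still below 6.0.3.1 HF1, skips RecoverPoint Classic, and reports rows whose version string it cannot parse rather than treating them as safe. The inventory format, the hostnames, and the assumption that a hotfix sorts after its base release but below the next point release are all constructed for this example.

```python
import re

FIXED_VERSION = "6.0.3.1 HF1"  # fixed release named in this advisory

# Accepts forms such as "6.0.3.1", "6.0.3.1 HF1", "6.0.3.1-hf2", "v6.0.4".
_VERSION_RE = re.compile(
    r"^\s*v?(?P<nums>\d+(?:\.\d+)*)(?:[\s_-]*hf\s*(?P<hf>\d+))?\s*$", re.I
)

def parse_version(text: str) -> tuple:
    """'6.0.3.1 HF1' -> (6, 0, 3, 1, 1): four zero-padded numeric fields plus the
    hotfix number, so '6.0.4' sorts after '6.0.3.1 HF1' (an assumption about
    Dell's numbering). Raises ValueError for strings it cannot parse."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised RP4VM version string: {text!r}")
    nums = [int(n) for n in m.group("nums").split(".")]
    return tuple((nums + [0] * 4)[:4]) + (int(m.group("hf") or 0),)

def is_vulnerable(version: str) -> bool:
    """True when the appliance is still below 6.0.3.1 HF1."""
    return parse_version(version) < parse_version(FIXED_VERSION)

def find_exposed_appliances(inventory):
    """Return (exposed_hosts, unparseable_hosts), looking only at RP4VM rows.
    RecoverPoint Classic is skipped because the advisory says it is not affected;
    rows whose version cannot be parsed are reported instead of assumed safe."""
    exposed, unknown = [], []
    for row in inventory:
        if row["product"] != "RP4VM":
            continue
        try:
            if is_vulnerable(row["version"]):
                exposed.append(row["host"])
        except ValueError:
            unknown.append(row["host"])
    return exposed, unknown

# Constructed sample inventory; hostnames and versions are not real.
SAMPLE_INVENTORY = [
    {"host": "rp4vm-dc1-01", "product": "RP4VM", "version": "6.0.3.1"},
    {"host": "rp4vm-dc1-02", "product": "RP4VM", "version": "6.0.3.1 HF1"},
    {"host": "rp4vm-dr-01", "product": "RP4VM", "version": "5.3.1"},
    {"host": "rp4vm-dr-02", "product": "RP4VM", "version": "6.0.4"},
    {"host": "rp-classic-01", "product": "RecoverPoint Classic", "version": "5.2"},
    {"host": "rp4vm-lab-01", "product": "RP4VM", "version": "unknown"},
]

if __name__ == "__main__":
    print(find_exposed_appliances(SAMPLE_INVENTORY))
```

Hosts returned in the second list need a manual version check before they are considered patched.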

References

For more in-depth information about the recommendations, please visit the following links:

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.

This post originally appeared on Smarter MSP.