What is Dell RecoverPoint for Virtual Machines?
Dell RecoverPoint for Virtual Machines (RP4VMs) is an enterprise-grade continuous data protection (CDP) and replication appliance deployed as a virtual machine within VMware vSphere environments. It provides near-zero RPO (recovery point objective) disaster recovery by continuously journaling I/O at the hypervisor level and replicating data to local or remote sites. RP4VMs is widely used by enterprises and service providers to protect mission-critical workloads, making it a high-value target: a compromised appliance sits at the intersection of storage, virtualization infrastructure, and network replication paths, giving an attacker persistent access to protected data and lateral movement opportunities across the virtual environment.
Because RP4VMs appliances typically run with elevated trust relationships to both vCenter and ESXi hosts — including the ability to read and write VM disk data — compromise of a single appliance can expose every protected virtual machine in the environment.
Overview
CVE-2026-22769 is a CWE-798 (Use of Hard-coded Credentials) vulnerability in the Apache Tomcat Manager component embedded within Dell RP4VMs. The appliance ships with a static admin password stored in plaintext inside /home/kos/tomcat9/tomcat-users.xml. Because Tomcat Manager is exposed over the network and these credentials are identical across all RP4VMs deployments, any unauthenticated remote attacker who can reach the management interface can immediately authenticate and deploy arbitrary Java web application archives (WAR files), resulting in root-level code execution on the appliance operating system.
The vulnerability carries a maximum CVSS 3.1 score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). No prior authentication, no user interaction, and no special conditions are required. Scope is marked Changed because exploitation of the appliance OS provides a pivot point that extends impact beyond the RP4VMs component itself.
Dell confirmed "limited active exploitation" in DSA-2026-079. Google Threat Intelligence Group (GTIG) and Mandiant attributed exploitation to UNC6201, a suspected PRC-nexus threat cluster with overlaps to the publicly reported Silk Typhoon (UNC5221), operating as a zero-day since at least mid-2024 — more than 18 months before the CVE was published.
Affected Versions
| Component | Vulnerable | Fixed |
|---|---|---|
| RecoverPoint for VMs 5.3 | 5.3 SP4 P1 and all earlier 5.3.x | Migrate to 6.0 SP3, then apply 6.0.3.1 HF1 |
| RecoverPoint for VMs 6.0 | 6.0 through 6.0 SP3 P1 (all 6.0.x) | 6.0.3.1 HF1 |
Technical Details
The root cause is the presence of a well-known static credential for the admin account in the Apache Tomcat Manager (version 9) bundled with RP4VMs. The credential is stored in plaintext in /home/kos/tomcat9/tomcat-users.xml and is identical across all appliance deployments — it is neither randomized at install time nor rotated post-deployment.
The attack chain is straightforward and requires only network access to the Tomcat Manager endpoint:
- Authentication: The attacker submits the known static admin password to the Tomcat Manager HTTP interface.
- WAR deployment: A malicious Java web application is uploaded via the /manager/text/deploy endpoint, a standard Tomcat feature for application deployment.
- Root command execution: The deployed WAR is executed by the Tomcat process, which runs as root on the RP4VMs appliance OS, granting full operating system control.
- Web shell installation: UNC6201 deployed the SLAYSTYLE JSP-based web shell (SHA256: 92fb4ad6dee9362d0596fda7bbcfe1ba353f812ea801d1870e37bfc6376e624a) via this mechanism.
- Persistence: Attackers modified /home/kos/kbox/src/installation/distribution/convert_hosts.sh to load backdoor payloads at boot via rc.local.
The attack is single-stage, requires no prior foothold, and can be executed with a handful of HTTP requests. The Changed scope rating reflects that the compromised appliance provides direct access to VMware infrastructure, SAN replication streams, and network lateral movement vectors.
Discovery
The vulnerability was discovered and reported to Dell by researchers at Google Threat Intelligence Group (GTIG) and Mandiant. Authors credited in the public disclosure include Peter Ukhanov, Daniel Sislo, Nick Harbour, John Scarbrough, Fernando Tomlinson Jr., and Rich Reece. The CVE was assigned and published on February 17, 2026, coinciding with the release of both the Dell advisory (DSA-2026-079) and the Mandiant threat intelligence report. GTIG's investigation determined that UNC6201 had been exploiting the same hard-coded credentials as an unpatched zero-day since at least mid-2024.
Exploitation Context
UNC6201 is a suspected PRC-nexus threat cluster identified by Google Threat Intelligence Group. The group has overlaps with UNC5221 (Silk Typhoon), though GTIG does not currently treat them as the same actor. Exploitation as a zero-day is confirmed from at least mid-2024 through the February 2026 patch, a window of roughly 18 months.
Over the course of the campaign UNC6201 evolved their malware toolkit:
- BRICKSTORM: An early-stage backdoor providing remote shell capability, used through approximately September 2025. Multiple samples documented (SHA256 hashes: aa688682d..., 2388ed7a..., 320a0b5d..., 90b760ed..., 45313a73...).
- GRIMBOLT: A replacement foothold backdoor written in C#, compiled with native ahead-of-time (AOT) compilation and packed with UPX, introduced around September 2025. AOT compilation removes CIL metadata, complicating static analysis. C2 communicates over WebSocket to wss://149.248.11.71/rest/apisession. Sample SHA256: 24a11a26a2586f4fba7bfe89df2e21a0809ad85069e442da98c37c4add369a0c.
A notable post-exploitation technique was the creation of Ghost NICs — temporary virtual network ports added to existing ESXi VMs — used to pivot from the RP4VMs appliance into internal networks and SaaS infrastructure. Attackers also used iptables Single Packet Authorization (SPA) rules to hide their backdoor listener behind a knock sequence, making the implant invisible to routine network scanning.
Remediation
- Patch immediately: Upgrade to RecoverPoint for VMs 6.0.3.1 HF1 (the fixed release). Appliances on the 5.3.x branch must first migrate to 6.0 SP3 before applying the hotfix.
- Remediation script: If immediate upgrade is not possible, apply the Dell-provided remediation script documented in KB000426742, which changes the hard-coded Tomcat credentials.
- Network isolation: Restrict access to the Tomcat Manager interface (port 8080/8443 or whichever is exposed) to trusted management networks only. RP4VMs management interfaces should never be reachable from untrusted segments.
- Audit for compromise: Review Tomcat Manager audit logs at /home/kos/auditlog/fapi_cl_audit_log.log for any requests to /manager/text/deploy. Also check /var/log/tomcat9/, /var/lib/tomcat9/, and /var/cache/tomcat9/Catalina/ for unexpected WAR files or compiled artifacts. Look for modifications to /home/kos/kbox/src/installation/distribution/convert_hosts.sh and entries in rc.local. Scan for the SLAYSTYLE, BRICKSTORM, and GRIMBOLT IOCs listed in the Mandiant report. Check for unexpected virtual NICs (Ghost NICs) on any ESXi VMs in the protected environment and audit iptables rules on the appliance for SPA configurations.
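A defender-side triage helper, added here and not part of the Dell advisory or the Mandiant report, covering two of the checks the write-up calls for: whether tomcat-users.xml still grants a deploy-capable Manager role to an account whose password is stored in plaintext (the hard-coded credential condition described under Technical Details), and whether log lines show requests to the /manager/text/deploy endpoint. The XML and log lines are constructed samples, and the appliance audit log's real record layout is an assumption, so adjust DEPLOY_REQ to the actual format before use.

```python
import re
import xml.etree.ElementTree as ET

# Manager roles that permit WAR deployment (manager-status/manager-jmx cannot deploy).
DEPLOY_ROLES = {"manager-gui", "manager-script"}
# Tomcat's MessageDigestCredentialHandler stores either a bare hex digest or
# salt$iterations$digest; any other value is treated as a plaintext password.
HASHED = re.compile(r"^([0-9a-f]+\$\d+\$)?[0-9a-f]{32,}$", re.IGNORECASE)
# Request line of a Manager deploy call, e.g. "PUT /manager/text/deploy?path=/x".
# The access-log style layout is assumed; the appliance's real format may differ.
DEPLOY_REQ = re.compile(r'"(?:PUT|POST|GET)\s+(/manager/text/deploy\S*)')

def plaintext_deploy_users(tomcat_users_xml):
    """Return usernames that can deploy WARs and whose password is stored in plaintext."""
    root = ET.fromstring(tomcat_users_xml)
    hits = []
    for el in root.iter():
        if el.tag.split("}")[-1] != "user":  # strip the default namespace, if any
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",")}
        if roles & DEPLOY_ROLES and not HASHED.match(el.get("password", "")):
            hits.append(el.get("username"))
    return hits

def deploy_requests(log_lines):
    """Return (line_number, request_path) for each line that hits the deploy endpoint."""
    found = []
    for n, line in enumerate(log_lines, 1):
        m = DEPLOY_REQ.search(line)
        if m:
            found.append((n, m.group(1)))
    return found

# Constructed sample data; not taken from a real appliance.
SAMPLE_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="admin" password="static-example-pw" roles="manager-gui,manager-script"/>
  <user username="monitor" password="status-only" roles="manager-status"/>
  <user username="ops" password="7a6b1c$10000$4f2e9d8c0b1a2d3e4f5a6b7c8d9e0f1a" roles="manager-script"/>
</tomcat-users>"""

SAMPLE_LOG = [
    '10.0.0.5 - admin [17/Feb/2026:10:14:02 +0000] "GET /manager/html HTTP/1.1" 200 -',
    '10.0.0.5 - admin [17/Feb/2026:10:14:09 +0000] "PUT /manager/text/deploy?path=/x&update=true HTTP/1.1" 200 -',
    '10.0.0.9 - - [17/Feb/2026:10:20:31 +0000] "GET /index.html HTTP/1.1" 200 -',
]

if __name__ == "__main__":
    print("plaintext deploy-capable users:", plaintext_deploy_users(SAMPLE_TOMCAT_USERS))
    for n, path in deploy_requests(SAMPLE_LOG):
        print(f"line {n}: deploy request to {path}")
```

Any account reported by plaintext_deploy_users means the Dell remediation script or the 6.0.3.1 HF1 upgrade has not taken effect; a deploy request from an address that is not a known administrator warrants a full compromise assessment of the appliance.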
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2026-22769 |
| Vendor / Product | Dell — RecoverPoint for Virtual Machines (RP4VMs) |
| NVD Published | 2026-02-17 |
| NVD Last Modified | 2026-02-20 |
| CVSS 3.1 Score | 10 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-798 |
| CISA KEV Added | 2026-02-18 |
| CISA KEV Deadline | 2026-02-21 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2024-07-01 | Earliest known UNC6201 exploitation (estimated mid-2024) |
| 2025-09-01 | UNC6201 replaced BRICKSTORM backdoor with new GRIMBOLT implant |
| 2026-02-17 | CVE published; Google/Mandiant UNC6201 report released; Dell DSA-2026-079 issued |
| 2026-02-18 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2026-02-21 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Dell DSA-2026-079 — Security Advisory | Vendor Advisory |
| Dell KB000426742 — Apply Remediation Script for DSA-2026-079 | Vendor Advisory |
| Google/Mandiant — UNC6201 Exploiting Dell RecoverPoint Zero-Day | Threat Intelligence |
| NVD — CVE-2026-22769 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |