Hackers Exploit Dell RecoverPoint Zero-Day to Deploy Stealthy Backdoor
Take action: If you are using Dell RecoverPoint, this is important! Check your Dell RecoverPoint versions and plan an urgent update to the 6.0.3.1 HF1 patch, which removes the hard-coded admin credentials. Ensure these appliances are isolated from the internet.
The UNC6201 threat cluster is reported to be exploiting a critical zero-day vulnerability in Dell RecoverPoint for Virtual Machines. This vulnerability allows unauthenticated attackers to gain root-level persistence on affected appliances.
The flaw is tracked as CVE-2026-22769 (CVSS score 10.0), a hard-coded credentials vulnerability in the Apache Tomcat Manager instance within Dell RecoverPoint for VMs versions prior to 6.0.3.1 HF1. Attackers use the "admin" account credentials found in the tomcat-users.xml file to authenticate to the management interface. Once authenticated, they use the /manager/text/deploy endpoint to upload a malicious WAR file, which deploys a web shell and grants root-level command execution.
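Two defender-side checks that follow from the paragraph above, written as an added example (not code from the advisory or from Dell): the first parses a tomcat-users.xml document and lists accounts holding a Tomcat Manager role that permits deployment, the second scans Tomcat access-log lines for accepted requests to the /manager/text/deploy endpoint. The role names and the "common" access-log layout are standard Tomcat conventions; the XML and log lines below are constructed sample data.

```python
import re
import xml.etree.ElementTree as ET

# Roles that allow deployment through the Tomcat Manager, including the
# /manager/text/deploy endpoint named in the advisory.
DEPLOY_ROLES = {"manager-script", "manager-gui"}

def privileged_tomcat_users(xml_text: str) -> list:
    """Return usernames in a tomcat-users.xml document that hold a deploy-capable
    manager role. A patched appliance should not expose such an account."""
    found = []
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag.split("}")[-1] != "user":  # strip the XML namespace prefix
            continue
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        if roles & DEPLOY_ROLES:
            found.append(elem.get("username") or elem.get("name", ""))
    return found

# Tomcat "common" access-log pattern: host ident user [time] "request" status bytes.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def deploy_requests(log_lines) -> list:
    """Flag requests to the Manager text deploy endpoint that were accepted (2xx):
    an appliance that should never receive WAR deployments warrants triage per hit."""
    hits = []
    for line in log_lines:
        m = ACCESS_RE.match(line)
        if m and m["path"].startswith("/manager/text/deploy") and m["status"][0] == "2":
            hits.append((m["ip"], m["user"], m["ts"], m["path"]))
    return hits

# Constructed sample data for the demonstration (not taken from a real appliance).
SAMPLE_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-script"/>
  <user username="admin" password="PLACEHOLDER" roles="manager-script,manager-gui"/>
  <user username="viewer" password="PLACEHOLDER" roles="readonly"/>
</tomcat-users>"""

SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [12/Jan/2026:10:13:58 +0000] "GET /manager/text/list HTTP/1.1" 401 2114',
    '203.0.113.7 - admin [12/Jan/2026:10:14:03 +0000] "PUT /manager/text/deploy?path=/x&update=true HTTP/1.1" 200 61',
    '198.51.100.4 - - [12/Jan/2026:10:15:20 +0000] "GET /index.html HTTP/1.1" 200 1234',
]
```

Run `privileged_tomcat_users` against the appliance's real tomcat-users.xml after patching to confirm no deploy-capable account remains, and feed `deploy_requests` the Tomcat access logs covering the exposure window.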
To maintain stealth, UNC6201 employs "Ghost NICs", temporary virtual network interfaces, to pivot into internal or SaaS environments before deleting the interfaces to erase traces. This allows lateral movement while minimizing the footprint left behind.
Impacted products:
- RecoverPoint for Virtual Machines Version 5.3 SP4 P1 (Migrate to 6.0 SP3, and then upgrade to 6.0.3.1 HF1)
- RecoverPoint for Virtual Machines Versions 6.0, 6.0 SP1, 6.0 SP1 P1, 6.0 SP1 P2, 6.0 SP2, 6.0 SP2 P1, 6.0 SP3, and 6.0 SP3 P1 (Upgrade to 6.0.3.1 HF1)
- RecoverPoint for Virtual Machines Versions 5.3 SP4, 5.3 SP3, 5.3 SP2, and earlier (Upgrade to version 5.3 SP4 P1 or a 6.x version)
Dell has released the 6.0.3.1 HF1 security update to address this flaw and recommends immediate upgrades for all affected versions.