Dell’s Hard-Coded Flaw: A Nation-State Goldmine
Summary
A China-related threat cluster (UNC6201) has exploited a critical Dell RecoverPoint for Virtual Machines vulnerability (CVE-2026-22769, CVSS 10) since at least mid-2024. Mandiant (Google Cloud) disclosed that attackers used hard-coded Tomcat admin credentials found in /home/kos/tomcat9/tomcat-users.xml to authenticate to the Tomcat Manager, upload malicious WAR files via /manager/text/deploy, and execute commands as root on affected appliances.
The intruders used this access to move laterally, persist and deploy malware families including Slaystyle, Brickstorm and a new C# AOT-compiled backdoor tracked as Grimbolt. Dell has issued fixes (RecoverPoint for Virtual Machines 6.0.3.1 HF1) and remediation guidance; customers are urged to patch or run the provided script.
Key Points
- CVE-2026-22769 is a critical hard-coded credential issue in Dell RecoverPoint for Virtual Machines: an attacker who knows the credential needs no other access to gain root on the appliance.
- Threat cluster UNC6201 (China-related) has exploited the flaw since mid-2024 to achieve lateral movement, persistence and malware deployment.
- Attack chain: hard-coded “admin” credentials in Tomcat config → authenticate to Tomcat Manager → upload malicious WAR via /manager/text/deploy → execute commands as root.
- Notable malware observed: Slaystyle, Brickstorm and Grimbolt (a C# backdoor compiled ahead-of-time (AOT), which makes it harder to reverse-engineer).
- Dell recommends upgrading to RecoverPoint 6.0.3.1 HF1 or running the remediation script; organisations should also inspect appliances, rotate credentials and hunt for indicators of compromise.
Context and Relevance
This is an extreme example of the risk posed by embedded or forgotten credentials: when a product ships with usable internal keys or accounts, it can be treated by attackers as a front door. The issue highlights common root causes — legacy codebases, internal/test accounts making it into production, and limited security testing of admin or “localhost-only” endpoints.
For security teams and infrastructure owners, this matters because appliance compromises can be leveraged to pivot into virtual infrastructure (VMware in some cases), widening the blast radius. It also underlines the need for deeper code and configuration hygiene checks in long-lived products and supply-chain scrutiny for vendor appliances.
Author note (punchy)
This one stings: a hard-coded admin account turned a data-protection appliance into a nation-state foothold. If you run RecoverPoint appliances — patch now, check for WAR deployments, and hunt for persistence. Don’t wait for a formal advisory to become your incident.
Why should I read this?
Short version: this is messy and important. A default, baked-in credential let attackers walk in, drop a backdoor that’s been live for ages, and hop around your virtual estate. If you manage Dell RecoverPoint or similar appliances, reading this saves you from being the next headline — patch, scan and lock down those admin endpoints now.
Recommended immediate actions
- Apply Dell’s fixed version (RecoverPoint for Virtual Machines 6.0.3.1 HF1) or follow the remediation script.
- Inspect Tomcat Manager logs and deployed WAR files on appliances; hunt for signs of Grimbolt, Slaystyle, Brickstorm and related IOCs.
- Rotate any embedded or default credentials, and audit appliance configurations for other hard-coded accounts.
- Review patching cadence and security testing for internal admin endpoints and legacy codebases.
- Monitor for lateral movement to VMware or other infrastructure components and prepare incident response playbooks.
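As an added example (not from the article, Dell or Mandiant), a small Python audit helper for two of the actions above: it reads a tomcat-users.xml for accounts holding manager-* roles, and scans Tomcat access-log lines for successful requests to the /manager/text/deploy endpoint the article names. The XML and log lines are constructed samples, and PLACEHOLDER stands in for any real password value.

```python
"""Hunting helpers for the Tomcat Manager abuse path described in the article."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: shape of a tomcat-users.xml with an over-privileged account.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-script"/>
  <user username="admin" password="PLACEHOLDER" roles="manager-script,manager-gui"/>
  <user username="monitor" password="PLACEHOLDER" roles="probe"/>
</tomcat-users>
"""

# Constructed sample access-log lines (Tomcat "common" pattern with an auth user field).
SAMPLE_ACCESS_LOG = [
    '198.51.100.7 - admin [12/Aug/2024:03:14:07 +0000] "PUT /manager/text/deploy?path=/sample&update=true HTTP/1.1" 200 41',
    '10.0.0.5 - - [12/Aug/2024:03:20:11 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '10.0.0.9 - - [12/Aug/2024:03:22:30 +0000] "GET / HTTP/1.1" 200 512',
]

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Both the text (scriptable) and HTML Manager deploy endpoints accept WAR uploads.
DEPLOY_PATH_RE = re.compile(r"^/manager/(text|html)/deploy")


def find_manager_accounts(tomcat_users_xml: str) -> list[dict]:
    """Return users granted any manager-* role; these can deploy WARs via the Manager."""
    hits = []
    for elem in ET.fromstring(tomcat_users_xml).iter():
        if elem.tag.split("}")[-1] != "user":  # tolerate the default Tomcat namespace
            continue
        roles = sorted(r.strip() for r in elem.get("roles", "").split(",") if r.strip())
        manager_roles = [r for r in roles if r.startswith("manager-")]
        if manager_roles:
            hits.append({"username": elem.get("username"), "roles": manager_roles})
    return hits


def find_deploy_requests(log_lines: list[str]) -> list[dict]:
    """Return successful (2xx) requests to the Manager deploy endpoints, with actor details."""
    findings = []
    for line in log_lines:
        m = ACCESS_RE.match(line)
        if m and DEPLOY_PATH_RE.match(m["path"]) and m["status"].startswith("2"):
            findings.append({k: m[k] for k in ("time", "ip", "user", "method", "path")})
    return findings
```

Point both functions at the appliance's real tomcat-users.xml and its access logs; any manager-* account you did not create, or any 2xx deploy request, warrants checking the deployed webapps directory against known-good contents.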
