China-Linked Hackers Use Dell RecoverPoint Flaw to Drop GrimBolt Malware


A critical vulnerability has been identified in a Dell product that many companies use to protect their virtualised data. According to reports from Google’s Threat Intelligence Group (GTIG) and the cybersecurity firm Mandiant, a China-linked hacking group has been exploiting this weakness since at least mid-2024.

The problem affects Dell RecoverPoint for Virtual Machines, a replication and disaster-recovery tool that lets businesses restore their virtual machines when systems fail. Tools of this kind sit at the core of keeping digital services running, which makes them a prime target for attackers looking to steal information or to sabotage an organisation’s ability to recover.

What Went Wrong?

The issue, tracked as CVE-2026-22769, involves hardcoded credentials. This means the software shipped with a built-in username and password that is identical on every installation and that customers cannot change.

Google researchers noted that an outsider who knew this credential could gain total control over the system. Specifically, the flaw allowed attackers to log in to the software’s management interface as an administrator and execute commands with the highest level of privilege.
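To make the class of flaw concrete, the following is an added illustration (not Dell’s code, and not taken from the GTIG or Mandiant write-ups) of a login check backed by a credential baked into the source, next to a hardened version that provisions a random per-installation password at first boot and stores only a salted hash. All names, the literal `"changeme"` value and the PBKDF2 parameters are assumptions chosen for the example.

```python
"""Hardcoded credential versus per-installation credential (added example)."""
import hashlib
import hmac
import secrets

# --- The weak pattern: a credential baked into the code ----------------------
# Constructed values; they are NOT the credential from CVE-2026-22769.
_BUILTIN_USER = "admin"
_BUILTIN_PASSWORD = "changeme"  # same on every shipped appliance


def vulnerable_login(username: str, password: str) -> bool:
    """Accepts the built-in pair. Anyone who recovers it from a binary, an
    update package or one earlier breach gets admin on every deployment."""
    return username == _BUILTIN_USER and password == _BUILTIN_PASSWORD


# --- The hardened pattern: random per-install secret, stored as a salted hash --

def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """PBKDF2-HMAC-SHA256; the iteration count is an example setting."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class CredentialStore:
    """Keeps (salt, hash) per user; no plaintext password exists in code or on disk."""

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}

    def set_password(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, hash_password(password, salt))

    def verify(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        if record is None:
            # Hash anyway so an unknown user costs the same time as a wrong password.
            hash_password(password, b"\x00" * 16)
            return False
        salt, expected = record
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(hash_password(password, salt), expected)


def provision_admin(store: CredentialStore) -> str:
    """First-boot provisioning: generate a random admin password, store only its
    hash, and hand the plaintext to the installer exactly once. Nothing left in
    the shipped code is a valid credential for any installation."""
    initial = secrets.token_urlsafe(18)
    store.set_password("admin", initial)
    return initial


if __name__ == "__main__":
    store = CredentialStore()
    first_boot_password = provision_admin(store)
    print("vulnerable login with shipped default:", vulnerable_login("admin", "changeme"))
    print("hardened login with shipped default:", store.verify("admin", "changeme"))
    print("hardened login with provisioned secret:", store.verify("admin", first_boot_password))
```

The point of `provision_admin` is that the secret is created on the customer’s appliance, not in the vendor’s build, so knowledge of one installation’s credential gives an attacker nothing against the next.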

Further investigation by Mandiant revealed that the hackers, a group tracked as UNC6201, used the credential to break into networks. Once inside, they could move around freely and install malicious software to spy on the affected organisations. In one instance, the hackers used a technique called Ghost NICs, attaching temporary virtual network interfaces to virtual machines so they could move through the network while leaving little trace.

New Malware GrimBolt Discovered

According to Mandiant and GTIG’s investigation, the hackers had been using a backdoor called BrickStorm, but in September 2025 they began switching to a more advanced piece of malware named GrimBolt.

They also noted that GrimBolt is particularly troublesome because it is designed to be fast and hard for security teams to analyse. It acts as a backdoor, giving the operators a way back into a system whenever they want without being noticed. In this case, the hackers went as far as modifying the appliance’s startup scripts, ensuring that “this shell script is executed by the appliance at boot time,” so the malware is relaunched on every reboot and remains active indefinitely, Google’s blog post reveals.
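Persistence through a modified boot script is something defenders can check for with a simple integrity baseline: hash every startup script on a known-good appliance, then re-hash periodically and report anything added, removed or changed. The following is an added example of that check, not code from Google, Mandiant or Dell. The watched paths are generic Linux locations chosen as an assumption; the real set for a given appliance must be taken from its documentation. The `demo()` function builds a constructed miniature appliance in a temporary directory and tampers with one script so the check can be run offline.

```python
"""Baseline-and-diff integrity check for boot-time scripts (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path

# Assumed locations of boot-time scripts on a Linux appliance; adjust per product.
DEFAULT_WATCHED = ["/etc/rc.local", "/etc/init.d", "/etc/systemd/system"]


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large scripts do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(roots) -> dict:
    """Map every regular file at or under the given roots to its SHA-256 digest."""
    result = {}
    for root in map(Path, roots):
        if root.is_file():
            result[str(root)] = sha256_file(root)
        elif root.is_dir():
            for p in sorted(root.rglob("*")):
                if p.is_file():
                    result[str(p)] = sha256_file(p)
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed or modified since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(snap: dict, path: Path) -> None:
    path.write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed scenario: a clean appliance is baselined, then an attacker
    appends a launcher line to rc.local and drops a new unit file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        rc_local = root / "etc" / "rc.local"
        units = root / "etc" / "systemd" / "system"
        units.mkdir(parents=True)
        rc_local.parent.mkdir(parents=True, exist_ok=True)
        rc_local.write_text("#!/bin/sh\n/usr/local/bin/start-replication\n")
        (units / "replication.service").write_text("[Service]\nExecStart=/usr/local/bin/start-replication\n")
        watched = [rc_local, units]

        baseline_path = root / "boot-scripts.baseline.json"
        save_baseline(snapshot(watched), baseline_path)

        # Tampering, as a constructed stand-in for what the article describes.
        with rc_local.open("a") as fh:
            fh.write("/var/tmp/.cache/agent &\n")  # hypothetical implant path
        (units / "update-helper.service").write_text("[Service]\nExecStart=/var/tmp/.cache/agent\n")

        report = compare(load_baseline(baseline_path), snapshot(watched))
        # Strip the temp prefix so the report reads like a real appliance path.
        return {k: [p.replace(tmp, "") for p in v] for k, v in report.items()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline file must be stored off the appliance (or at least signed), since an attacker with root can otherwise rewrite it alongside the scripts; and a clean report only says the watched files are unchanged, so the watched list has to cover every location the appliance actually executes at boot.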

How to Stay Safe

Dell has released an official security advisory (DSA-2026-079) urging all users to update their software immediately. The vulnerability is rated critical, with the maximum CVSS score of 10.0. Dell advised that the flaw “is considered critical as an unauthenticated remote attacker with knowledge of the hardcoded credential could potentially exploit this vulnerability.”

To fix the issue, Dell recommends that customers update to version 6.0.3.1 HF1 or newer as soon as possible. If an immediate update is not possible, users should run the mitigation script Dell provides and keep the appliance’s management interface on a protected internal network, never exposed to the public internet.

Expert Commentary

In comments shared with hackread.com, industry experts expressed deep concern over the strategic nature of these attacks. Mayuresh Dani, Security Research Manager at Qualys Threat Research Unit, explained that the hackers are “deliberately going after the backup/replication control plane.”

Dani noted that this isn’t just a random attack, as the group “understands modern VMware DR architectures and knows how to live in them quietly,” and warned that because this software orchestrates how data is restored, a compromised system “can influence which copies of data get replicated, where they go, and what gets restored in a disaster.”

Shane Barney, Chief Information Security Officer at Keeper Security, added that targeting these platforms is a calculated move to weaken a company’s ability to recover from any disruption. Barney noted that state-sponsored actors are patient and that “compromising resilience infrastructure is not opportunistic – it’s strategic.”

The root cause, according to Jeremiah Clark, Chief Technology Officer at Fenix24, is often a simple human error during the software’s creation. Clark further added that developers sometimes use hardcoded credentials to save time when testing and “simply forget to go back and change them as the next wave of work piles up.”
