Chinese Hackers Exploit Dell Zero-Day Flaw CVE-2026-22769 Since Mid-2024
Severity: High (Score: 70.4)
Sources: Theregister, Esecurityplanet, Scworld, Techradar, Csoonline
Keywords: exploiting, dell, zero-day, chinese, flaw, group, security
Severity indicators: zero-day, flaw, [CRITICAL: Zero-day Being Exploited]
Summary
A Chinese state-backed hacking group, UNC6201, has been exploiting a critical zero-day vulnerability in Dell RecoverPoint for Virtual Machines since at least mid-2024. The flaw, tracked as CVE-2026-22769, features a maximum severity rating due to hardcoded credentials, allowing unauthorized access to VMware virtual machine backups. This exploitation was revealed by Mandiant and the Google Threat Intelligence Group on February 17, 2026.
Source articles (40)
- From BRICKSTORM to GRIMBOLT: UNC6201 Exploiting a Dell RecoverPoint for Virtual Machines Zero — Mandiant · 2026-02-17
  Written by: Peter Ukhanov, Daniel Sislo, Nick Harbour, John Scarbrough, Fernando Tomlinson, Jr., Rich Reece. Mandiant and Google Threat Intelligence Group (GTIG) have identified the zero-day exploitati…
- Chinese hackers exploiting Dell zero-day flaw since mid — Bleepingcomputer · 2026-02-17
  A suspected Chinese state-backed hacking group has been quietly exploiting a critical Dell security flaw in zero-day attacks that started in mid-2024. Security researchers from Mandiant and the Google…
- Hackers exploit zero-day flaw in Dell RecoverPoint for Virtual Machines — Cybersecuritydive · 2026-02-17
- China-linked snoops have been exploiting Dell 0-day since mid-2024, using 'ghost NICs' to avoid detection — Theregister · 2026-02-18
  China-linked attackers exploited a maximum-severity hardcoded-credential bug in Dell RecoverPoint for Virtual Machines as a zero-day since at least mid-2024. It's all part of a long-running effort to…
- Dell 0-day exploited by suspected Chinese snoops since 2024 — Theregister · 2026-02-18
- Chinese hackers exploited a Dell zero — Cyberscoop · 2026-02-18
  Researchers uncovered more worrying details about a long-running cyber espionage campaign suspected to be backed by the Chinese government, exemplifying how such attacks often go undetected until they've al…
- Dell 0-Day Vulnerability Exploited by Chinese Hackers since mid — Cybersecuritynews · 2026-02-18
  A critical zero-day exploitation campaign is targeting Dell RecoverPoint for Virtual Machines. The vulnerability, tracked as CVE-2026-22769, carries a maximum CVSSv3.1 score of 10.0 and has been under ac…
- Dell 0-Day Vulnerability Targeted by Chinese Hackers Since Mid — Gbhackers · 2026-02-18
- Zero — Thecyberexpress · 2026-02-18
  A critical zero-day vulnerability, tracked as CVE-2026-22769, is being actively exploited in Dell Technologies' RecoverPoint for Virtual Machines. According to Mandiant and Google Threat Intelligence…
- Dell RecoverPoint Zero — Feeds.Feedburner · 2026-02-18
  GTIG and Mandiant said the zero-day tracked as CVE-2026-22769 has been exploited by UNC6201 since at least 2024.
- Chinese APT Group Exploits Dell Zero — Infosecurity-Magazine · 2026-02-18
  Dell yesterday released a patch for a critical zero-day vulnerability in its RecoverPoint for Virtual Machines product, which Mandiant said has been silently exploited by a Chinese APT group since 202…
- Dell RecoverPoint for VMs Zero-Day CVE-2026-22769 Exploited Since Mid — Thehackernews · 2026-02-18
- The Hacker - China-linked UNC6201 exploited a CVSS 10.0 (CVE-2026-22769) Dell ... — Facebook · 2026-02-18
  China-linked UNC6201 exploited a CVSS 10.0 (CVE-2026-22769) Dell RecoverPoint zero-day since 2024 using hard-coded credentials.
- China-linked APT weaponized Dell RecoverPoint zero — Securityaffairs.Co · 2026-02-18
  A suspected Chinese state-linked group exploited a critical Dell RecoverPoint flaw (CVE-2026-22769) in zero-day attacks starting mid-2024. Mandiant and Google's Threat Intelligence Group (GTIG) report…
- CVE-2026-22769: Critical Dell RecoveryPoint Zero-Day Exploited in the Wild — Socprime · 2026-02-18
  SOC Prime has recently covered a wave of actively exploited zero-days across major ecosystems, including Apple's CVE-2026-20700 and Microsoft's CVE-2026-20805, alongside a fresh Chrome zero-day case.…
- Dell Zero-Day Actively Abused by China — Cyberpress · 2026-02-18
  Security firms Mandiant and Google Threat Intelligence Group (GTIG) link the attacks to UNC6201, a threat cluster with strong ties to Silk ...
- A worrying Dell zero-day flaw has reportedly gone unpatched for nearly two years — Techradar · 2026-02-18
  Dell patched critical flaw in RecoverPoint for Virtual Machines caused by hardcoded credentials · Exploited as a zero-day since mid-2024 by Chinese ...
- China-linked hackers exploited Dell zero-day since 2024 (CVE-2026-22769) — Helpnetsecurity · 2026-02-18
  A cyberespionage group has been covertly exploiting a zero-day flaw (CVE-2026-22769) in Dell's RecoverPoint for Virtual Machines since 2024.
- Dell warns of RecoverPoint for VMs zero-day (exploited since mid-2024) — Guru3D · 2026-02-18
  Dell is warning of CVE-2026-22769, a maximum-severity bug (CVSS 10.0) that's being exploited in the wild. What makes it nasty is that attackers ...
- CVE-2026-22769 Dell RecoverPoint for Virtual Machines (CVSS 10.0) Threat Analysis — Purple-Ops · 2026-02-18
  Key Takeaways: Critical Vulnerability: CVE-2026-22769 carries a CVSS score of 10.0 due to hardcoded credentials ...
- China-linked UNC6201 exploits 10.0 bug in Dell RecoverPoint for VMs since mid — Scworld · 2026-02-18
  Dell released patches on Feb. 17 for a maximum-severity CVSS 10.0 bug in Dell RecoverPoint for Virtual Machines that the Google Threat Intelligence Group (GTIG) said China-linked UNC6201 has explo…
- Dell's Hard-Coded Flaw: A Nation — Darkreading · 2026-02-18
  A China-related attacker has exploited the vendor flaw since mid-2024, allowing it to move laterally, maintain persistent access, and deploy malware. A Chinese nation-state threat actor targeted a Del…
- UNC6201 is exploiting a high-risk zero-day (CVSS 10.0) in Dell RecoverPoint for Virtual ... — X · 2026-02-18
  Mandiant (part of Google Cloud) (@Mandiant): UNC6201 is exploiting a high-risk zero-day (CVSS 10.0) in Dell RecoverPoint for ...
- Chinese hackers exploited zero — Csoonline · 2026-02-18
  For the past 18 months, a Chinese cyberespionage group has been exploiting a previously unknown vulnerability in Dell's RecoverPoint for Virtual Machines, a VM disaster recovery solution. The flaw, pat…
- Critical CVSS 10 Dell vulnerability actively exploited since 2024 — Thestack.Technology · 2026-02-18
  CVE-2026-22769, a hardcoded credential vulnerability in Dell's recovery tool for VMs, has been exploited in the wild since 2024, warned Mandiant.
Timeline
- 2024-06-01 — UNC6201 begins exploiting Dell RecoverPoint vulnerability
- 2026-02-17 — CVE-2026-22769 published
- 2026-02-17 — Mandiant and GTIG report on UNC6201's activities
CVEs
- CVE-2026-22769
Related entities
- Silk Typhoon (Apt Group)
- Unc5221 (Apt Group)
- Unc6201 (Apt Group)
- Malware (Attack Type)
- Ransomware (Attack Type)
- Zero-day Exploit (Attack Type)
- Brickstorm Campaign (Campaign)
- Dell (Company)
- Dell Technologies (Company)
- China (Country)
- United States (Country)
- Government (Industry)
- Manufacturing (Industry)
- Technology (Industry)
- 149.248.11.71 (Ipv4)
- Brickstorm (Malware)
- Grimbolt (Malware)
- Slaystyle (Malware)
- Spawnant (Malware)
- Zipline (Malware)
- T1021 - Remote Services (Mitre Attack)
- T1053 - Scheduled Task/Job (Mitre Attack)
- T1059 - Command and Scripting Interpreter (Mitre Attack)
- T1071 - Application Layer Protocol (Mitre Attack)
- T1078 - Valid Accounts (Mitre Attack)
- T1133 - External Remote Services (Mitre Attack)
- T1190 - Exploit Public-Facing Application (Mitre Attack)
- T1505.003 - Web Shell (Mitre Attack)
- T1547 - Boot Or Logon Autostart Execution (Mitre Attack)
- T1552.001 - Credentials In Files (Mitre Attack)
- Apache Tomcat (Platform)
- Dell RecoverPoint For Virtual Machines (Platform)
- Dell RecoverPoint Zero GTIG (Platform)
- ESXi (Platform)
- RecoverPoint (Platform)
- RecoverPoint For VMs (Platform)
- VMware ESXi (Platform)
- VMware (Tool)
- Iptables (Tool)
- UPX (Tool)
- RecoverPoint Zero-day (Vulnerability)