Dell RecoverPoint Zero-Day Exploited by Suspected China-Linked Group

A critical vulnerability in Dell’s data replication software has been actively exploited as a zero-day since mid-2024 by a suspected China-nexus cyber threat group. The activity, detailed in a new report from Google’s Mandiant and Google Threat Intelligence Group (GTIG), involves the exploitation of a maximum severity flaw in Dell RecoverPoint for Virtual Machines.

Scope of the Vulnerability

The vulnerability, tracked as CVE-2026-22769, carries the highest possible severity rating, a CVSS score of 10.0. According to the researchers, the flaw stems from the use of hard-coded credentials within the software, the weakness class catalogued as CWE-798. Credentials of this kind are fixed at build time and shipped identically to every customer, so anyone who extracts them from one installation can authenticate to any other exposed instance, and an administrator cannot rotate or disable them through normal configuration.

The threat group exploiting this weakness has been identified by Mandiant as UNC6201. This cluster is suspected of having links to China based on its observed tactics, infrastructure, and previous targets. The group has reportedly been leveraging the flaw to gain initial access to victim environments since at least mid-2024.

Impact and Targeted Software

Dell RecoverPoint for Virtual Machines is a software solution designed for disaster recovery and data protection. It enables organizations to replicate and recover virtual machine data across different storage systems and locations. A compromise of this system could provide attackers with a significant foothold within an enterprise network, potentially allowing them to disrupt recovery operations, exfiltrate sensitive data, or move laterally to other critical systems.

The exploitation of a zero-day vulnerability, meaning it was used by attackers before the vendor was aware of it or could provide a patch, indicates a sophisticated and targeted operation. The extended period of exploitation, from mid-2024 until public disclosure, suggests the actors operated stealthily to avoid detection. Abuse of built-in credentials lends itself to that: from the appliance's point of view the attacker is simply a valid user logging in, so the activity produces far fewer artefacts than memory-corruption or injection exploits do.

Response and Mitigation

Upon discovery and analysis, Google’s threat intelligence teams responsibly disclosed their findings to Dell. In response, Dell has released a security advisory addressing CVE-2026-22769. The advisory provides detailed mitigation steps for affected customers.

The primary recommendation is for users to apply the relevant patches and updates provided by Dell immediately. Because the credentials are hard-coded, changing local account passwords does not address the flaw; only the vendor update removes the exposure, and until it is applied the practical compensating control is to make the management interfaces unreachable from anything other than a tightly restricted administrative network. Organizations are also advised to review their systems for any signs of unauthorized access, particularly focusing on Dell RecoverPoint appliances and management interfaces, and to treat successful logins from unexpected source addresses or under accounts that no administrator uses as high-priority leads. Standard security practices, such as network segmentation and strict access controls for management systems, are strongly encouraged to limit the potential impact of such vulnerabilities.
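As a concrete form of the review described above, the following script is an added example written for this article; it is not code from Dell, Mandiant or GTIG, and it does not rely on any detail of CVE-2026-22769. It triages successful interactive logins recorded in OpenSSH-style syslog lines from a management appliance, flagging any that originate outside the management subnet or that use an account not on the administrator's approved list. The log format, the 10.20.0.0/24 management range, the approved account names and the sample lines are all assumptions constructed for the example; substitute your own appliance's log source and values.

```python
"""Triage successful logins on a management appliance (added example).

Assumptions, all replaceable: sshd-style syslog lines, a management
network of 10.20.0.0/24, and 'admin' and 'security' as the only accounts
that should ever log in interactively. SAMPLE_LOG is constructed data.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed sample lines in the common OpenSSH syslog shape.
SAMPLE_LOG = """\
Jul 14 02:11:07 rpvm-01 sshd[2113]: Accepted password for admin from 10.20.0.15 port 51022 ssh2
Jul 14 02:13:44 rpvm-01 sshd[2140]: Accepted password for admin from 198.51.100.23 port 40311 ssh2
Jul 14 02:15:02 rpvm-01 sshd[2160]: Failed password for root from 198.51.100.23 port 40320 ssh2
Jul 14 02:16:09 rpvm-01 sshd[2171]: Accepted publickey for svcbackup from 10.20.0.200 port 39777 ssh2
Jul 14 02:20:31 rpvm-01 sshd[2190]: Accepted password for security from 10.20.0.16 port 51100 ssh2
"""

MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # assumption: your admin subnet(s)
APPROVED_ACCOUNTS = {"admin", "security"}            # assumption: accounts humans really use

# Only successful authentications matter here; failures are noise for this check.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    src: str
    reasons: Tuple[str, ...]


def _in_mgmt_net(src: str, nets: Iterable[ipaddress.IPv4Network]) -> bool:
    """True if src parses as an IP address inside one of the management networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source is treated as untrusted
    return any(addr in net for net in nets)


def triage(log_text: str, mgmt_nets=MGMT_NETS, approved=APPROVED_ACCOUNTS) -> List[Finding]:
    """Return one Finding per successful login that breaks a policy expectation."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if not m:
            continue
        reasons = []
        if not _in_mgmt_net(m["src"], mgmt_nets):
            reasons.append("source outside management network")
        if m["user"] not in approved:
            reasons.append("account not on approved interactive list")
        if reasons:
            findings.append(Finding(m["ts"], m["user"], m["src"], tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.ts} {f.user}@{f.src}: {'; '.join(f.reasons)}")
```

Run against the constructed sample, the script reports two leads: the `admin` login from 198.51.100.23, which is outside the management range, and the `svcbackup` login, which comes from inside the range but uses an account nobody on the team should be using interactively. The second class is the one to watch for built-in credential abuse, since the source address can look perfectly legitimate once an attacker has a foothold on the management network.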

Broader Implications

This incident highlights the ongoing risk posed by advanced persistent threat (APT) groups targeting foundational IT infrastructure. Disaster recovery and backup systems are attractive targets for cyber actors because they often contain copies of critical data and may have privileged access across an environment. A successful compromise can undermine an organization’s ability to respond to a ransomware attack or other disruptive events.

The collaboration between Google’s Mandiant incident response division and its Threat Intelligence Group was instrumental in identifying the campaign and linking it to the UNC6201 cluster. Such research is crucial for understanding the tactics of state-aligned cyber espionage groups and improving collective defense.

Looking ahead, security researchers and intelligence agencies will continue to monitor the activities of UNC6201 for any shifts in strategy or new targets. Organizations globally, especially those in sectors of strategic interest, are advised to treat this disclosure with high priority. Further technical indicators of compromise and detailed analysis of the group’s methods are expected to be published by the cybersecurity community, aiding in detection and response efforts.

Source: Google Mandiant and Google Threat Intelligence Group (GTIG)
