A critical vulnerability in Dell RecoverPoint data replication and disaster recovery appliances has been actively exploited by a China-nexus threat actor since at least mid-2024 — a campaign that only came to public light when Google Cloud Threat Intelligence and Truesec published joint research in February 2026. CVE-2026-22769, which carries a CVSS 10.0 CRITICAL score, stems from hardcoded Apache Tomcat credentials baked into the RecoverPoint appliance image. The threat cluster designated UNC6201 leveraged this access to deploy a multi-stage implant chain — SLAYSTYLE web shell, GRIMBOLT loader, and BRICKSTORM backdoor — across victim environments in financial services, defence contracting, and critical infrastructure sectors.
The Vulnerability: Hardcoded Credentials
Dell RecoverPoint appliances ship with hardcoded authentication credentials for the embedded Apache Tomcat administrative interface. These credentials cannot be changed by administrators through standard configuration — they are baked into the appliance firmware at build time. Any attacker who discovers the hardcoded credential pair can authenticate to the Tomcat management console without any valid organisational credentials, gaining administrative access to the appliance regardless of how the network environment is configured.
Dell issued a patch in November 2025 (DSA-2026-079), and CISA added CVE-2026-22769 to the Known Exploited Vulnerabilities catalogue on 18 February 2026, with a mandatory federal remediation deadline of 21 February. The critical score reflects the combination of no-authentication-required access, network-reachable attack vector, and administrative-level impact on a device that sits in a privileged network position with access to backup and replication data streams.
UNC6201’s Attack Chain
Google Cloud Threat Intelligence attributed the campaign to UNC6201, a China-nexus espionage cluster with overlapping indicators linked to previously reported APT41-adjacent operations. The attack chain is notable for its persistence and stealth:
Initial access: UNC6201 used the hardcoded Tomcat credentials to authenticate to exposed RecoverPoint appliances, likely identified through internet scanning of the Tomcat management port.
Foothold establishment: SLAYSTYLE, a lightweight web shell, was deployed into the Tomcat web application directory, providing persistent HTTP-based command execution that survives appliance restarts.
Capability escalation: GRIMBOLT, a second-stage loader, was delivered via SLAYSTYLE and used to load BRICKSTORM — a full-featured backdoor with encrypted C2 communications, file exfiltration, lateral movement capability, and the ability to tunnel into internal network segments that the RecoverPoint appliance can reach.
Dwell time: The earliest confirmed compromise indicators in victim environments date to mid-2024, meaning UNC6201 maintained access to some victims for over 12 months before discovery. RecoverPoint appliances, which are typically managed by infrastructure teams rather than security teams, are rarely included in regular endpoint detection coverage — a blind spot the threat actor appears to have deliberately exploited.
Why Data Replication Appliances Are High-Value Targets
RecoverPoint appliances occupy a uniquely privileged network position: they sit between production and disaster recovery infrastructure, replicating data across storage arrays in real time. Compromise of a RecoverPoint appliance provides:
- Read access to replicated data streams — potentially including databases, file shares, and application data being replicated to DR sites
- Network adjacency to storage infrastructure — connectivity to storage arrays that may not be accessible from standard enterprise segments
- Long-term persistence — appliances are rarely reimaged and patch cycles for specialised infrastructure are often slower than standard server estate
This makes backup and replication infrastructure a high-value secondary target for espionage actors who have already established initial access and are seeking durable presence and data collection capability.
Recommended Actions
- Patch immediately: Apply Dell DSA-2026-079 to all RecoverPoint appliances. The patch removes the hardcoded credentials. Confirm patch application via the Dell support portal.
- Rotate all credentials used by RecoverPoint appliances for external system authentication — Active Directory service accounts, storage array credentials, vCenter accounts — as a precaution in case these were captured during any compromise window.
- Hunt for SLAYSTYLE indicators: Review Tomcat web application directories (webapps/ROOT/) for unexpected .jsp, .war, or .class files. Check Tomcat access logs for unusual authenticated requests prior to your patch date.
- Extend EDR/NDR visibility to appliances: Where possible, ensure RecoverPoint management interfaces are monitored for outbound connections, particularly to unusual external IPs. BRICKSTORM uses encrypted C2 — look for sustained encrypted outbound connections to non-corporate destinations from appliance IPs.
- Segment RecoverPoint management interfaces: The Tomcat management console should never be reachable from the internet. Confirm firewall rules restrict access to dedicated management VLANs. If internet-exposed, treat the appliance as compromised until proven otherwise.
- Engage Dell Support: If you cannot confirm patch status or suspect prior compromise, open a case with Dell Professional Services for incident assessment support.
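The two hunting steps above (unexpected web-shell-style files under webapps/, and authenticated Tomcat requests logged before the patch went in) can be scripted. The helper below is an added example, not code from the article, Dell, or the Google/Truesec research; it assumes Tomcat's default "common" access-log pattern (%h %l %u %t "%r" %s %b), a placeholder patch date, and constructed sample log lines that are not real indicators.

```python
import re
from datetime import datetime, timezone
from pathlib import Path

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
# %u is the authenticated remote user; "-" means the request was anonymous.
_LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def authenticated_requests_before(log_lines, patch_date):
    """Return (timestamp, host, user, path, status) for each request that
    carried an authenticated Tomcat user and was logged before patch_date.
    On an appliance whose admin credentials were hardcoded, any such request
    that your team did not make deserves a closer look."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line.strip())
        if not m or m["user"] == "-":
            continue  # unparseable or anonymous request
        ts = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")
        if ts < patch_date:
            hits.append((ts, m["host"], m["user"], m["path"], int(m["status"])))
    return hits


def unexpected_webapp_files(webapps_root, allowlist=frozenset()):
    """List .jsp/.war/.class files under a Tomcat webapps directory that are
    not on a known-good allowlist (paths relative to webapps_root), e.g. one
    built from a freshly patched or factory appliance image."""
    root = Path(webapps_root)
    found = [p.relative_to(root).as_posix() for p in root.rglob("*")
             if p.suffix.lower() in {".jsp", ".war", ".class"}]
    return sorted(f for f in found if f not in allowlist)


# Constructed sample log lines (not real indicators): an anonymous request,
# an authenticated manager request before the patch date, and one after it.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Jun/2024:02:14:07 +0000] "GET /RecoverPoint/ HTTP/1.1" 200 512',
    '198.51.100.23 - tomcat [03/Jun/2024:02:15:41 +0000] "GET /manager/html HTTP/1.1" 200 4021',
    '198.51.100.23 - tomcat [20/Feb/2026:11:00:00 +0000] "GET /manager/html HTTP/1.1" 200 4021',
]
PATCH_DATE = datetime(2025, 11, 15, tzinfo=timezone.utc)  # placeholder: your DSA-2026-079 install date

if __name__ == "__main__":
    for hit in authenticated_requests_before(SAMPLE_LOG, PATCH_DATE):
        print("authenticated request before patch:", hit)
    print("unexpected files:", unexpected_webapp_files("webapps"))
```

Feed the real access_log files and the appliance's webapps/ path in place of the constructed samples; the allowlist should come from a known-clean image so that legitimate RecoverPoint JSPs are not flagged.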
Broader Context
The UNC6201 campaign is a reminder that specialised infrastructure — backup systems, replication appliances, storage controllers — receives far less security scrutiny than standard servers and workstations, despite occupying highly privileged positions in the network. Security teams that focus detection and monitoring investment on the endpoint and perimeter tiers while leaving infrastructure appliances unmonitored create the exact blind spots that sophisticated actors deliberately seek. Inventory, patch, and monitor every device with network access — not just those running a standard OS.