Critical Impact · ACTION REQUIRED

China-Nexus Actors Exploited Dell Backup Appliances for Over a Year — Patch and Hunt Required

A CVSS 10.0 vulnerability in Dell RecoverPoint disaster recovery appliances was exploited by a Chinese state-linked threat group for over 12 months before public disclosure, enabling backdoor deployment and potential access to replicated data. CISA ordered federal remediation in February. Organisations running Dell RecoverPoint must patch immediately and investigate for prior compromise.

#NIS2 #DORA

Situation

Research published in February 2026 by Google Cloud Threat Intelligence and Truesec revealed that a Chinese state-linked threat cluster (UNC6201) had been exploiting a critical vulnerability in Dell RecoverPoint data replication appliances since at least mid-2024 — over 12 months of undetected access across multiple victim organisations. The vulnerability, CVE-2026-22769 (CVSS 10.0), is a hardcoded Apache Tomcat credential baked into the RecoverPoint appliance firmware. Because these credentials cannot be changed through normal administration, any attacker who discovers them gains immediate, unrestricted administrative access to the appliance management interface from the network.

CISA added the vulnerability to the Known Exploited Vulnerabilities catalogue on 18 February 2026 with a mandatory federal remediation deadline of 21 February. Dell released a patch (DSA-2026-079) in November 2025, but many organisations will not yet have applied it to specialised infrastructure appliances.

Business Impact

RecoverPoint appliances sit at the intersection of production and disaster recovery infrastructure, continuously replicating data from live storage arrays to DR sites. A compromised RecoverPoint appliance gives an attacker:

  • Visibility into replicated data streams — databases, file shares, and application data passing through the replication layer
  • Access to storage and virtualisation infrastructure — RecoverPoint has authenticated connections to storage arrays and vCenter that are not normally reachable from standard enterprise segments
  • Long-term persistence — the BRICKSTORM backdoor deployed by UNC6201 evaded standard monitoring and persisted across the 12-month dwell period
  • Lateral movement capability — the BRICKSTORM implant includes tunnelling features that allow movement through internal network segments accessible from the appliance

Sectors confirmed in UNC6201’s targeting include financial services, defence contracting, and critical infrastructure. The dwell time of over 12 months before discovery indicates an intelligence collection campaign rather than a ransomware or destructive attack.

Immediate Actions Required

  1. Patch all Dell RecoverPoint appliances — apply DSA-2026-079 immediately. This is the only fix; there is no configuration-only workaround for hardcoded credentials.
  2. Assume prior compromise if the patch has not been applied — if RecoverPoint appliances in your environment have not received the November 2025 patch, treat them as potentially compromised and initiate an incident investigation.
  3. Hunt for SLAYSTYLE web shell artefacts — examine Tomcat web application directories (webapps/ROOT/) on all RecoverPoint appliances for unexpected .jsp, .war, or .class files. Review Tomcat access logs for anomalous authenticated requests.
  4. Review outbound network connections from appliance IPs — BRICKSTORM communicates via encrypted C2 channels. Look for sustained encrypted connections to non-corporate external addresses from RecoverPoint management IPs in firewall and proxy logs.
  5. Rotate all credentials used by RecoverPoint — the appliance holds service account credentials for Active Directory, storage arrays, and vCenter. Rotate all of these as a precaution.
  6. Segment the Tomcat management interface — restrict network access to the RecoverPoint administrative port to dedicated management VLANs only. If it is currently accessible from the internet, the appliance must be treated as compromised.
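A starting point for steps 3 and 4 above, as an added example that is not part of this briefing or of Dell's guidance: it flags deployable artefacts under webapps/ROOT that a clean baseline does not contain, and flags authenticated Tomcat access-log requests that come from outside the management network or that successfully reach such an artefact. It assumes Tomcat's default "common" log pattern with IP logging; the management CIDR, account name, request paths and log lines are constructed.

```python
"""Hunt helpers for the RecoverPoint actions above (added example, not the
briefing's or Dell's own code). Management CIDRs, account names, request
paths and log lines below are constructed assumptions."""
import ipaddress
import os
import re
from typing import Iterable

SUSPECT_EXT = {".jsp", ".jspx", ".war", ".class"}

# Tomcat "common" access-log pattern: %h %l %u %t "%r" %s %b
ACCESS_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$')

def unexpected_webapp_files(paths: Iterable[str], baseline: set[str]) -> list[str]:
    """Keep deployable artefacts (.jsp/.war/.class) absent from a clean-install
    or pre-window-backup baseline; `paths` are relative to webapps/ROOT, e.g.
    collected with os.walk over a forensic copy of the appliance."""
    return sorted(p for p in paths
                  if os.path.splitext(p)[1].lower() in SUSPECT_EXT and p not in baseline)

def anomalous_auth_requests(lines: Iterable[str], mgmt_nets: Iterable[str]) -> list[dict]:
    """Return authenticated requests (%u != '-') that came from outside the
    management networks, or that successfully reached a deployable artefact."""
    nets = [ipaddress.ip_network(n) for n in mgmt_nets]
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line.strip())
        if not m or m["user"] == "-":
            continue  # unparsable or unauthenticated: out of scope here
        outside = not any(ipaddress.ip_address(m["host"]) in n for n in nets)
        ext = os.path.splitext(m["path"].split("?", 1)[0])[1].lower()
        artefact = ext in SUSPECT_EXT and m["status"] == "200"
        if outside or artefact:
            hits.append({"src": m["host"], "user": m["user"], "path": m["path"],
                         "reason": "outside-mgmt" if outside else "artefact"})
    return hits

# Constructed sample: a benign admin request, an unauthenticated 404, an admin
# login from a non-management address, and a successful hit on a stray .jsp.
SAMPLE_LOG = [
    '10.10.1.5 - admin [19/Feb/2026:09:12:44 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.10.1.5 - - [19/Feb/2026:09:12:45 +0000] "GET /favicon.ico HTTP/1.1" 404 -',
    '198.51.100.23 - admin [19/Feb/2026:09:13:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.10.1.7 - admin [19/Feb/2026:09:15:31 +0000] "GET /help.jsp HTTP/1.1" 200 88',
]
```

Run `anomalous_auth_requests(SAMPLE_LOG, ["10.10.1.0/24"])` against real appliance logs with your own management CIDRs, and feed `unexpected_webapp_files` the relative paths from a walk of webapps/ROOT on a forensic copy plus a baseline taken from a clean install.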

For Board or Executive Briefing

Chinese state-backed hackers exploited a critical flaw in a class of backup and disaster recovery appliances that many organisations use to protect their most sensitive data. The attackers had access to affected organisations’ networks for over a year without detection, potentially copying data flowing through the backup infrastructure. We are patching the vulnerability and investigating whether our systems were accessed. This is a significant incident in the sector; its impact on our organisation depends on whether our appliances were patched before the attack window began.