A Chinese nation-state threat actor exploited a critical hard-coded credential vulnerability (CVE-2026-22769) in Dell's RecoverPoint for Virtual Machines since mid-2024. This allowed unauthorized root access to deploy malware, including the Grimbolt backdoor, and move laterally into VMware infrastructure. The flaw stemmed from default admin credentials left in a configuration file, representing a severe supply-chain risk. Dell has released a fixed version and a remediation script for affected customers. The incident highlights the persistent danger of hard-coded credentials in software products.
Dell's Hard-Coded Flaw: A Nation-State Goldmine
A China-related attacker has exploited the vendor flaw since mid-2024, allowing it to move laterally, maintain persistent access, and deploy malware.
A Chinese nation-state threat actor targeted a Dell hard-coded credential vulnerability for two years, emphasizing the danger of what happens when a product comes pre-compromised.
Yesterday, Google Cloud's Mandiant detailed CVE-2026-22769, a CVSS 10.0 vulnerability in Dell RecoverPoint for Virtual Machines, a data protection product sold by the tech giant. Researchers said suspected China-nexus threat cluster UNC6201 "has exploited this flaw since at least mid-2024 to move laterally, maintain persistent access, and deploy malware including Slaystyle, Brickstorm, and a novel backdoor tracked as Grimbolt."
Grimbolt is notable because, as Mandiant chief technology officer (CTO) Charles Carmakal wrote on LinkedIn, "This is a C# backdoor compiled using native ahead-of-time (AOT) compilation, making it harder to reverse engineer."
The threat actor used the flaw to compromise Dell appliances and, in some cases, pivot to VMware virtual infrastructure. Though Google did not heavily dive into attacker motivations, UNC6201 historically has been known to conduct cyber espionage.
What is most alarming about this campaign is the nature of the vulnerability. While analyzing compromised appliances, Mandiant identified Web requests using the "admin" username directed to the installed Apache Tomcat Manager, which is used to deploy a number of components in RecoverPoint.
"After analyzing various configuration files belonging to Tomcat Manager, we identified a set of hard-coded default credentials for the admin user in /home/kos/tomcat9/tomcat-users.xml. Using these credentials, a threat actor could authenticate to the Dell RecoverPoint Tomcat Manager, upload a malicious WAR file using the /manager/text/deploy endpoint, and then execute commands as root on the appliance," the blog post read.
According to Dell's advisory, CVE-2026-22769 is so dangerous because "an unauthenticated remote attacker with knowledge of the hard-coded credential could potentially exploit this vulnerability leading to unauthorized access to the underlying operating system and root-level persistence."
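The two artifacts Mandiant describes, a static privileged account in `tomcat-users.xml` and deploy requests to the Manager's text interface, are both cheap to hunt for. The script below is an added example, not code from Dell, Mandiant, or the article: it audits a `tomcat-users.xml` for any account holding a Manager role and sweeps a Tomcat access log for `/manager/` traffic, flagging the deploy and upload endpoints. The XML and log lines are constructed for illustration (the usernames, password placeholder, timestamps, addresses and paths are assumptions, not the contents of a real appliance); the path `/home/kos/tomcat9/tomcat-users.xml` is the one the blog post names, and the default access-log format assumed is Tomcat's common pattern `%h %l %u %t "%r" %s %b`.

```python
"""Hunt for hard-coded Tomcat Manager accounts and Manager deploy activity.

Added example: audits tomcat-users.xml for privileged static users and scans
a Tomcat access log (common format) for /manager/ requests. Sample inputs are
constructed; nothing here is taken from a real RecoverPoint appliance.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Roles that grant Manager / Host-Manager rights. /manager/text/* needs
# manager-script; the HTML UI needs manager-gui.
MANAGER_ROLES = {"manager-script", "manager-gui", "manager-jmx", "manager-status",
                 "admin-gui", "admin-script"}

# Constructed sample: the shape of a tomcat-users.xml that ships a privileged
# account. Password is a placeholder, not a real credential.
SAMPLE_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-script"/>
  <role rolename="manager-gui"/>
  <role rolename="reporting"/>
  <user username="admin" password="PLACEHOLDER" roles="manager-gui,manager-script"/>
  <user username="reporting" password="PLACEHOLDER" roles="reporting"/>
</tomcat-users>
"""

# Constructed sample access-log lines (Tomcat common pattern %h %l %u %t "%r" %s %b).
SAMPLE_ACCESS_LOG = [
    '10.20.30.40 - - [14/Aug/2024:02:11:05 +0000] "GET /ui/login HTTP/1.1" 200 5120',
    '10.20.30.40 - admin [14/Aug/2024:02:11:09 +0000] "GET /manager/text/list HTTP/1.1" 200 143',
    '10.20.30.40 - admin [14/Aug/2024:02:11:12 +0000] "PUT /manager/text/deploy?path=/svc&update=true HTTP/1.1" 200 38',
    '127.0.0.1 - - [14/Aug/2024:02:12:00 +0000] "GET /manager/html HTTP/1.1" 401 2473',
]

ACCESS_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
MANAGER_PATH = re.compile(r"^/manager/")
DEPLOY_PATH = re.compile(r"^/manager/(?:text|html)/(?:deploy|upload)\b")


def audit_tomcat_users(xml_text: str) -> list[dict]:
    """Return every user in tomcat-users.xml that holds a Manager role.

    A privileged account defined statically in a shipped appliance image is a
    hard-coded credential by definition: the customer never set it, and it is
    identical on every installation.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if elem.tag.split("}")[-1] != "user":  # strip the tomcat namespace
            continue
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        privileged = roles & MANAGER_ROLES
        if privileged:
            findings.append({
                "username": elem.get("username"),
                "roles": sorted(privileged),
                "password_set": bool(elem.get("password")),
            })
    return findings


def hunt_manager_requests(log_lines) -> list[dict]:
    """Return every /manager/ request in the access log, marking deploy/upload hits.

    Only authenticated users appear in %u; a '-' with a 401 is an unauthenticated
    probe, still worth recording because Manager should never face the network.
    """
    hits = []
    for line in log_lines:
        m = ACCESS_LOG_RE.match(line)
        if not m or not MANAGER_PATH.match(m["path"]):
            continue
        hits.append({
            "ts": m["ts"], "ip": m["ip"], "user": m["user"], "method": m["method"],
            "path": m["path"], "status": int(m["status"]),
            "deploy": bool(DEPLOY_PATH.match(m["path"])),
        })
    return hits


if __name__ == "__main__":
    # Real use: python hunt.py /home/kos/tomcat9/tomcat-users.xml /path/to/localhost_access_log.txt
    users_xml = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TOMCAT_USERS
    log = open(sys.argv[2]).read().splitlines() if len(sys.argv) > 2 else SAMPLE_ACCESS_LOG
    for f in audit_tomcat_users(users_xml):
        print(f"[CONFIG] static Manager account {f['username']!r} with roles {f['roles']}")
    for h in hunt_manager_requests(log):
        tag = "DEPLOY" if h["deploy"] else "manager"
        print(f"[{tag}] {h['ts']} {h['ip']} user={h['user']} {h['method']} {h['path']} -> {h['status']}")
```

On a suspect appliance, a `DEPLOY` line from a non-loopback address authenticated as the static account is the event to pivot on: Mandiant's chain ends with a WAR dropped through that endpoint, so the deployed webapp directory and any new files under the Tomcat `webapps` tree are the next things to image.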
The company strongly recommends that affected customers upgrade to a fixed version of RecoverPoint for Virtual Machines (6.0.3.1 HF1) or follow instructions outlined in the advisory to run a remediation script.
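Dell's advisory does not say what its remediation script changes, so the fragment below is a generic Tomcat Manager hardening example added here, not Dell's fix. It shows the weak shape of the configuration beside the corrected one: the static account with Manager roles is removed from `tomcat-users.xml`, and the Manager application's own `META-INF/context.xml` gets the `RemoteAddrValve` that Tomcat ships commented out, so the deploy endpoint answers only to loopback. The role and user names are assumptions; the valve class and the loopback `allow` pattern are Tomcat's own.

```xml
<!-- WEAK: a privileged account baked into the shipped image (tomcat-users.xml).
     Identical on every install, so anyone who reads one appliance's file has all of them. -->
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-script"/>
  <user username="admin" password="PLACEHOLDER" roles="manager-script"/>
</tomcat-users>

<!-- HARDENED, step 1: no static Manager account in the image. If an installer
     component really must deploy through Manager, it should create a per-install
     account with a generated secret at install time (assumed design, not Dell's). -->
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-script"/>
</tomcat-users>

<!-- HARDENED, step 2: webapps/manager/META-INF/context.xml. Even with a valid
     credential, the Manager app only accepts connections from loopback. -->
<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
</Context>
```

The valve is the control that would have limited this campaign even before the credential was discovered: a remote attacker "with knowledge of the hard-coded credential", as the advisory puts it, still needs the endpoint to be reachable.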
Persistence of Hard-Coded Credential Vulnerabilities
CVE-2026-22769 represents one of the most extreme versions of a hard-coded credential flaw: the keys ship with the product itself, so an attacker who learns them can walk right in the front door and, in this case, go on to gain root access.
Neither Dell nor researchers have said exactly how or why these credentials were left in, though, based on Mandiant's research, it could involve a configuration oversight of some kind. Dark Reading contacted Dell for additional information. A spokesperson declined to address the issue but said in a statement, "We have received a report of limited active exploitation of this vulnerability."
Mayuresh Dani, security research manager at Qualys's threat research unit, says CVE-2026-22769 looks like a classic case of an internal or support account "that was never properly removed or made configurable."
"Hardcoded or default accounts are often used to bind internal components together during early development and then become hard to unbind or [are] forgotten once configuration and orchestration code depends on them," Dani tells Dark Reading. "Moreover, security testing efforts are often focused on customer-facing login flows, leaving internal admin endpoints like Tomcat Manager or 'localhost only' ports to get less consistent review. This problem is exacerbated especially in older codebases. Additionally, such solutions are usually patched at a slow pace, and often still carry legacy design sins like embedded credentials."
Hard-coded credential flaws aren't the most common type of vulnerability, but they do pop up regularly. As for why, it varies depending on the product and context.
Sometimes credentials are left in product builds that are intended for internal use only (such as test environments) but make it into production. In some cases, it may be an issue that the team was aware of but did not fix due to deadlines and technical debt.
Martin Jartelius, AI product director at security vendor Outpost24, tells Dark Reading that, in many cases, the oversight is the result of organizations not checking older codebases. "We have seen cases in the IoT/OT space where there are hidden default accounts," he says. "Essentially, the longer a codebase has been around, the more likely you are to encounter this problem."