Dell RecoverPoint for VMs Zero-Day CVE-2026-22769 Exploited Since Mid-2024
Briefly

"This is considered critical as an unauthenticated remote attacker with knowledge of the hardcoded credential could potentially exploit this vulnerability, leading to unauthorized access to the underlying operating system and root-level persistence," Dell said in a bulletin released Tuesday. "Dell recommends that RecoverPoint for Virtual Machines be deployed within a trusted, access-controlled internal network protected by appropriate firewalls and network segmentation," it noted. "RecoverPoint for Virtual Machines is not intended for use on untrusted or public networks."
"Per Google, the hard-coded credential relates to an 'admin' user for the Apache Tomcat Manager instance that could be used to authenticate to the Dell RecoverPoint Tomcat Manager, upload a web shell named SLAYSTYLE via the '/manager/text/deploy' endpoint, and execute commands as root on the appliance to drop the BRICKSTORM bac"
CVE-2026-22769, a hard-coded credential vulnerability in Dell RecoverPoint for Virtual Machines, has been exploited without authentication by a suspected China-nexus cluster tracked as UNC6201 since mid-2024. The flaw affects RecoverPoint for Virtual Machines versions prior to 6.0.3.1 HF1 and allows authentication to the Dell RecoverPoint Tomcat Manager with a hard-coded "admin" credential. Attackers uploaded a web shell named SLAYSTYLE via the /manager/text/deploy endpoint and executed commands as root to deploy BRICKSTORM. Dell advises upgrading affected versions to 6.0.3.1 HF1 or following the specified upgrade paths, and deploying RecoverPoint only within trusted, access-controlled networks.
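The intrusion path above runs through the Tomcat Manager text interface, so its access log is the natural place to hunt for it. The following is an added example, not code from the article or from Dell: it parses Tomcat-style common-log lines (assumed `%h %l %u %t "%r" %s %b` layout) and flags successful deploy calls to `/manager/text/deploy` from hosts outside an operator-supplied allow-list. The log lines are constructed samples, not real appliance data.

```python
import re

# Tomcat AccessLogValve common format: host ident user [time] "request" status bytes
# (an assumed layout; adjust the pattern if your valve uses a custom one).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Manager text-interface endpoint named in the advisory summary.
MANAGER_DEPLOY_PATHS = frozenset({"/manager/text/deploy"})


def find_manager_deploys(lines, trusted_sources=frozenset()):
    """Return successful (2xx) deploy requests not originating from trusted hosts.

    Each hit is a dict with src, user, ts and status so it can feed an alert.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        path = m.group("path").split("?", 1)[0]  # drop the query string
        if path not in MANAGER_DEPLOY_PATHS:
            continue
        if m.group("src") in trusted_sources:
            continue  # an approved admin host; not interesting here
        if not m.group("status").startswith("2"):
            continue  # rejected attempts are worth counting, but not a deploy
        hits.append({k: m.group(k) for k in ("src", "user", "ts", "status")})
    return hits


# Constructed sample lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Jan/2026:03:12:40 +0000] "GET /manager/text/list HTTP/1.1" 401 -',
    '203.0.113.7 - admin [14/Jan/2026:03:12:45 +0000] "PUT /manager/text/deploy?path=/svc&update=true HTTP/1.1" 200 63',
    '10.0.0.10 - admin [14/Jan/2026:09:00:01 +0000] "PUT /manager/text/deploy?path=/app HTTP/1.1" 200 60',
    '198.51.100.9 - admin [14/Jan/2026:04:00:00 +0000] "PUT /manager/text/deploy?path=/x HTTP/1.1" 403 -',
]

if __name__ == "__main__":
    for hit in find_manager_deploys(SAMPLE_LOG, trusted_sources={"10.0.0.10"}):
        print("suspicious manager deploy:", hit)
```

With `10.0.0.10` allow-listed, only the `203.0.113.7` deploy is reported; the `403` attempt and the non-deploy `GET` are ignored.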
Read at The Hacker News