CVE-2026-22769: Dell RecoverPoint for Virtual Machines Zero-Day RCE — UNC6201 GRIMBOLT/BRICKSTORM Backdoor Deployment
Critical (CVSSv3.1 10.0) zero-day in Dell RecoverPoint for Virtual Machines actively exploited by UNC6201 (PRC-nexus) since mid-2024. Exploitation enables RCE, lateral movement into VMware infrastructure via 'Ghost NICs', and deployment of GRIMBOLT (C# AOT-compiled), BRICKSTORM, and SLAYSTYLE backdoors with iptables-based Single Packet Authorization for stealth. Immediate network isolation, forensic preservation, patching, and full threat hunt required.
Indicators
- GRIMBOLT backdoor binary present — C# native AOT-compiled executable in non-standard filesystem locations on RecoverPoint appliances
- BRICKSTORM or SLAYSTYLE malware binaries on RecoverPoint appliances or adjacent VMware infrastructure
- Replacement of older BRICKSTORM binaries with GRIMBOLT observed in September 2025 campaigns
- Unauthorized 'Ghost NICs' (virtual network interface cards) attached to VMware VMs — not visible through standard management interfaces
- Anomalous iptables rules implementing Single Packet Authorization (SPA) — hiding backdoor listener ports from network scanners
- Lateral movement activity originating from Dell RecoverPoint appliance IPs toward VMware virtual infrastructure
- Persistent access to RecoverPoint appliances despite credential rotation or apparent remediation
- Outbound connections from RecoverPoint appliances to external C2 infrastructure — low-volume beaconing consistent with BRICKSTORM/GRIMBOLT
Likely causes
- CVE-2026-22769 (CVSSv3.1 10.0): Critical unauthenticated remote code execution vulnerability in Dell RecoverPoint for Virtual Machines, exploited as zero-day by UNC6201 since at least mid-2024
- Initial access achieved via edge appliances (VPN concentrators) as stepping stone to reach RecoverPoint appliances on internal network segments
- Deployment of GRIMBOLT (C# AOT-compiled) as persistent backdoor designed to evade static analysis on resource-constrained appliances
- Use of 'Ghost NICs' to establish covert VMware network pivot points undetectable via standard VMware management tooling
- iptables Single Packet Authorization (SPA) used to hide listening services from standard port scans: the backdoor port stays DROPped until a specific trigger packet is seen, so an unauthenticated scanner reports it as filtered while the operator can still reach it
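The SPA hiding technique above leaves a detectable footprint on the appliance itself: a socket is listening, but the filter INPUT chain either has no ACCEPT for it at all, or only an ACCEPT gated by a knock/payload match (`-m recent`, `-m string`). The script below is an added example written for this page, not Dell or Mandiant/GTIG tooling. It works offline on saved text from `iptables-save` and `ss -Hlntp` (the two samples are constructed, including the port numbers and process names) and classifies every non-loopback TCP listener as open, conditional or hidden.

```shell
#!/bin/sh
# Added example, not Dell or Mandiant/GTIG code. Offline check for the
# iptables/SPA hiding technique: a backdoor listens on a port, but the
# INPUT chain only ACCEPTs it after a "knock" packet (-m recent) or a
# payload match (-m string), so a port scan sees it as filtered.
# Inputs are saved text from `iptables-save` and `ss -Hlntp` on the
# appliance; the two samples below are constructed for the demo.

write_samples() {            # $1 = directory to write the sample files into
    cat > "$1/iptables.txt" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 31337 -m recent --set --name knock -j DROP
-A INPUT -p tcp -m tcp --dport 4444 -m recent --rcheck --seconds 30 --name knock -j ACCEPT
COMMIT
EOF
    cat > "$1/ss.txt" <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 0.0.0.0:443 0.0.0.0:* users:(("httpd",pid=901,fd=4))
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=777,fd=6))
LISTEN 0 128 0.0.0.0:4444 0.0.0.0:* users:(("svc_helper",pid=2231,fd=5))
LISTEN 0 128 0.0.0.0:8443 0.0.0.0:* users:(("agent",pid=2390,fd=7))
EOF
}

# knock_rules IPTABLES_FILE
#   Prints every rule gated by -m recent or -m string, the building blocks
#   of port-knocking / SPA in iptables. Appliances rarely need them.
knock_rules() {
    grep -E -- '^-A .*-m (recent|string) ' "$1"
}

# classify_listeners IPTABLES_FILE SS_FILE
#   For each non-loopback TCP listener prints "PORT VERDICT PROCESS":
#     open        - an unconditional ACCEPT exists for the port
#     conditional - ACCEPT exists but only behind -m recent / -m string
#     hidden      - no ACCEPT at all (invisible to a scan under a DROP policy)
classify_listeners() {
    ipt="$1"; ssf="$2"
    while read -r state _recvq _sendq laddr _peer proc; do
        [ "$state" = "LISTEN" ] || continue
        port=${laddr##*:}
        case "$laddr" in 127.*|\[::1\]*) continue ;; esac   # loopback-only
        name=$(printf '%s\n' "$proc" | sed -n 's/.*users:(("\([^"]*\)".*/\1/p')
        [ -n "$name" ] || name='?'
        rules=$(grep -- '^-A INPUT ' "$ipt" | grep -E -- "--dport $port( |$)" | grep -- '-j ACCEPT' || true)
        if [ -z "$rules" ]; then
            verdict=hidden
        elif printf '%s\n' "$rules" | grep -Eqv -- '-m (recent|string) '; then
            verdict=open          # at least one unconditional ACCEPT
        else
            verdict=conditional   # only knock/SPA-gated ACCEPT rules
        fi
        printf '%s %s %s\n' "$port" "$verdict" "$name"
    done < "$ssf"
}

# Demo on the constructed samples. On a real appliance replace the two
# files with `iptables-save > iptables.txt` and `ss -Hlntp > ss.txt`.
SAMPLE_DIR=$(mktemp -d)
write_samples "$SAMPLE_DIR"
echo "knock/SPA-style rules:"
knock_rules "$SAMPLE_DIR/iptables.txt"
echo "listeners:"
classify_listeners "$SAMPLE_DIR/iptables.txt" "$SAMPLE_DIR/ss.txt"
```

Two caveats when reading the result. `-m recent` also has benign uses (SSH rate limiting), so a "conditional" verdict is a lead to investigate, not a finding. And a snapshot can miss SPA implementations that sniff for the trigger with libpcap and insert the ACCEPT rule only for a few seconds (fwknop works this way); if the ruleset looks clean, also look for processes holding raw or pcap sockets and for rules that appear and vanish between successive `iptables-save` runs.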
Diagnostic steps
- Audit Dell RecoverPoint for Virtual Machines appliances for BRICKSTORM, GRIMBOLT, and SLAYSTYLE malware binaries. Search for executables in non-standard filesystem locations and compare running processes against a known-good baseline captured from a clean appliance of the same version, e.g. `ps -eo pid,ppid,user,lstart,cmd` on both and diff the output, and `find / -xdev -type f -executable -mtime -365 -print0 2>/dev/null | xargs -0 file | grep -i ELF`. Treat timestamps as advisory only: mtime is trivially forged, so also check ctime (`-ctime`) and, where the appliance OS keeps a package database, verify installed files against it (`rpm -Va` or `debsums`). Note that a C# native AOT build is a plain ELF binary with no .NET metadata, so tooling that keys on CLR headers will miss GRIMBOLT; look instead for large, statically linked ELF files with unfamiliar names or paths. This step determines whether the appliance is actively compromised and which malware families are present.
- Dump the full ruleset with `iptables-save -c` (and `ip6tables-save -c`; `nft list ruleset` if the appliance uses the nftables backend) rather than only `iptables -L -n -v`, so that the nat, mangle and raw tables and per-rule counters are included. Compare against the documented baseline or deployment documentation. Knock/SPA gating typically shows up as rules using `-m recent`, `-m string` or `-m u32` that flip a port from DROP to ACCEPT, and as listening sockets (`ss -lntup`) for which no unconditional ACCEPT rule exists. This identifies SPA-based hiding of backdoor listener ports used by UNC6201 to conceal active C2 channels from network scanners.
- Audit all VMware VMs reachable from the compromised RecoverPoint appliance for unauthorized 'Ghost NICs'. In vCenter, review each VM's hardware configuration for network adapters not provisioned through the authorized change process, especially adapters on non-standard port groups, and cross-check the vCenter view against the host side (the VM's `.vmx` file and `esxcli network vm list` / `esxcli network vm port list -w <worldid>` on the ESXi host), since an adapter added outside the normal workflow may not appear in the views administrators routinely check. Review vCenter events for `VmReconfiguredEvent` on the affected VMs to date the change. This detects the Ghost NIC pivot infrastructure created by UNC6201 for stealthy lateral movement into VMware virtual infrastructure.
- Review network telemetry (firewall logs, NetFlow, DNS) for outbound connections from RecoverPoint appliance IPs to external hosts. The appliance should have no direct internet egress, so any external destination is suspect; look for repeated low-volume connections at near-constant intervals, consistent with C2 beaconing. Cross-reference destinations against Mandiant/GTIG published IOCs for UNC6201, BRICKSTORM and GRIMBOLT, but do not stop at IOC matches, because C2 infrastructure rotates. This identifies active or historical C2 channels and bounds the breach window.
- Determine the installed Dell RecoverPoint for Virtual Machines version on every appliance at every site and compare against Dell's published remediation advisory for CVE-2026-22769 to confirm patch status. Because exploitation predates the patch by more than a year, treat an unpatched appliance that has been reachable since mid-2024 as potentially compromised even when no indicators were found. This establishes patch status and prioritizes remediation across the environment.
- Review authentication and access logs on the RecoverPoint appliances and adjacent VMware infrastructure (vCenter, ESXi) for lateral movement from RecoverPoint IPs, unusual service account usage, or privilege escalation, going back to mid-2024. Pay particular attention to any vCenter credentials stored on the appliance for its integration, since an attacker with root on the appliance can read and reuse them. This scopes lateral movement and determines which internal systems may have been compromised beyond the initial RecoverPoint foothold.
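The telemetry step above asks for "repeated low-volume connections" from the appliance to external hosts. The script below is an added example, not part of this advisory or of any Dell or Mandiant/GTIG tooling: it runs a simple beacon hunt over flow records exported as `epoch_seconds src_ip dst_ip dst_port bytes` (that field order is an assumption; adjust it for your NetFlow or firewall export). It groups flows by source, destination and port, ignores RFC 1918 destinations, and flags groups whose inter-arrival times are nearly constant. The flow data and addresses are constructed (documentation ranges) for the demo.

```shell
#!/bin/sh
# Added example, not Dell or Mandiant/GTIG code. Beacon hunt over flow
# records "epoch_seconds src_ip dst_ip dst_port bytes", one flow per line
# (field order is an assumption; adapt to your export). A C2 beacon shows
# up as many small flows from one source to one external destination at a
# near-constant interval, which is what the jitter test below measures.

# write_sample_flows FILE - constructed data: 10.20.30.40 plays a
# RecoverPoint appliance beaconing to 203.0.113.7:443 roughly every 600 s,
# mixed with internal replication traffic and a second host's noise.
write_sample_flows() {
    cat > "$1" <<'EOF'
1700000000 10.20.30.40 203.0.113.7 443 412
1700000010 10.20.30.40 10.20.30.5 443 9120
1700000013 10.20.30.40 10.20.30.5 443 220
1700000100 10.20.30.41 198.51.100.9 443 3300
1700000500 10.20.30.40 10.20.30.5 443 51000
1700000598 10.20.30.40 203.0.113.7 443 412
1700001203 10.20.30.40 203.0.113.7 443 412
1700001797 10.20.30.40 203.0.113.7 443 412
1700002000 10.20.30.40 10.20.30.5 443 700
1700002001 10.20.30.40 10.20.30.5 443 700
1700002402 10.20.30.40 203.0.113.7 443 412
1700002600 10.20.30.41 198.51.100.9 443 3300
1700003001 10.20.30.40 203.0.113.7 443 412
1700003300 10.20.30.40 10.20.30.5 443 800
1700003599 10.20.30.40 203.0.113.7 443 412
1700004205 10.20.30.40 203.0.113.7 443 412
1700004300 10.20.30.41 198.51.100.9 443 3300
EOF
}

# beacon_candidates FLOWFILE [MIN_FLOWS] [MAX_JITTER]
#   Groups flows by (src, dst, port), skips RFC 1918 destinations, and
#   reports groups with at least MIN_FLOWS flows whose largest deviation
#   from the mean inter-arrival time is at most MAX_JITTER * mean.
beacon_candidates() {
    sort -k2,2 -k3,3 -k4,4n -k1,1n "$1" |
    awk -v minc="${2:-6}" -v maxj="${3:-0.2}" '
    function flush(   i, mean, dev, maxdev, jitter) {
        if (n < minc) return
        mean = (ts[n] - ts[1]) / (n - 1)
        maxdev = 0
        for (i = 2; i <= n; i++) {
            dev = ts[i] - ts[i - 1] - mean
            if (dev < 0) dev = -dev
            if (dev > maxdev) maxdev = dev
        }
        jitter = (mean > 0) ? maxdev / mean : 1
        if (jitter <= maxj)
            printf "%s count=%d interval=%.0fs jitter=%.2f avg_bytes=%.0f\n",
                   key, n, mean, jitter, bytes / n
    }
    # internal destinations are out of scope: the hunt is for external egress
    $3 ~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/ { next }
    {
        k = $2 " " $3 ":" $4
        if (k != key) { flush(); key = k; n = 0; bytes = 0 }
        ts[++n] = $1
        bytes += $5
    }
    END { flush() }'
}

# Demo: only the 203.0.113.7:443 group survives both thresholds.
FLOWS=$(mktemp)
write_sample_flows "$FLOWS"
beacon_candidates "$FLOWS" 6 0.2
```

The thresholds are the knobs to tune: real implants add deliberate jitter, so widen `MAX_JITTER` (0.3 to 0.5) and lengthen the observation window before concluding that nothing is beaconing, and run the same query against DNS logs, since a resolver query every N minutes for the same name is the same signal one layer up.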
Resolution path
- 1. IMMEDIATE CONTAINMENT: Network-isolate all affected Dell RecoverPoint for Virtual Machines appliances to prevent ongoing lateral movement and C2 communication. Do not power off before forensic imaging if IR investigation required.
- 2. FORENSIC PRESERVATION: Capture memory and disk images of compromised RecoverPoint appliances prior to remediation. Use `dd` for disk imaging and a memory acquisition tool appropriate for the appliance OS; hash each image (sha256) at capture time and record chain of custody. Preserve for IR analysis and potential law enforcement engagement.
- 3. PATCH APPLICATION: Apply Dell's released remediation for CVE-2026-22769 to all Dell RecoverPoint for Virtual Machines appliances. Follow Dell's official remediation advisory for exact procedure and target versions.
- 4. MALWARE REMOVAL: Remove GRIMBOLT, BRICKSTORM, SLAYSTYLE binaries and associated persistence mechanisms (cron jobs, systemd units or init scripts, modified system binaries, added SSH authorized_keys). Given the actor's sophistication and the long dwell time, a full appliance rebuild/reimage from vendor media is the safer course; treat in-place cleanup as a stopgap only.
- 5. GHOST NIC REMEDIATION: Remove all unauthorized virtual NICs identified on VMware VMs during diagnostic audit. Harden vCenter permissions to restrict unauthorized VM hardware modification.
- 6. IPTABLES CLEANUP: Remove all unauthorized iptables rules including SPA rules. Restore iptables to documented known-good state. Implement monitoring to alert on iptables rule changes.
- 7. CREDENTIAL ROTATION: Rotate all credentials (service accounts, admin accounts, API keys, certificates) associated with RecoverPoint appliances and any VMware infrastructure potentially accessed by UNC6201.
- 8. THREAT HUNT: Conduct broad threat hunt across VMware infrastructure and adjacent network segments using UNC6201, BRICKSTORM, GRIMBOLT, SLAYSTYLE IOCs published by Mandiant/GTIG to identify additional footholds.
Prevention
- Apply vendor patches for Dell RecoverPoint for Virtual Machines promptly — establish patch SLA of 24–72 hours for critical (CVSSv3.1 ≥ 9.0) appliance vulnerabilities from advisory publication
- Segment Dell RecoverPoint appliances on dedicated management VLANs with strict firewall rules permitting only required management traffic; block all direct internet egress from appliance IPs
- Implement continuous monitoring of VMware VM hardware configurations (NICs, storage) using vCenter event logs (`VmReconfiguredEvent`) or a configuration-monitoring tool to detect unauthorized Ghost NIC additions in near-real-time
- Harden iptables on RecoverPoint appliances using minimal allow-list ruleset; deploy file integrity monitoring and alert on runtime iptables rule modifications
- Enforce least-privilege access to VMware vCenter and RecoverPoint management interfaces; require MFA and privileged access workstations (PAWs) for all administrative sessions
- Conduct periodic threat hunts using current UNC6201, BRICKSTORM, GRIMBOLT, SLAYSTYLE IOCs across all edge and management appliances
- Monitor edge appliances (VPN concentrators, firewalls) for UNC6201 initial access activity — known targeting of edge devices as precursor to internal RecoverPoint exploitation
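The "alert on runtime iptables rule modifications" control above is easy to implement without extra tooling. The script below is an added example, not part of this advisory or of any Dell product: it fingerprints a normalized copy of `iptables-save` output (comments and packet counters stripped so that only rule content matters), compares it with a baseline captured right after hardening, and prints the rules that were added or removed. The deployment path (`/var/lib/fw/baseline.rules`, a cron entry) and both rulesets are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not Dell or vendor code. Integrity check for the live
# iptables ruleset: normalize, fingerprint, compare with a baseline, and
# print the added (+) / removed (-) rules. Meant to run from cron on the
# appliance (assumed baseline path: /var/lib/fw/baseline.rules); here it
# runs offline on two constructed rulesets.

# normalize_rules FILE - drop "# Generated by" comments and [pkts:bytes]
# counters, which change constantly and would make every run look different.
# Rule order is kept on purpose: order matters in iptables.
normalize_rules() {
    sed -e '/^#/d' \
        -e 's/^\[[0-9]*:[0-9]*\] //' \
        -e 's/ \[[0-9]*:[0-9]*\]$//' "$1"
}

# rules_fingerprint FILE - sha256 of the normalized ruleset
rules_fingerprint() {
    if command -v sha256sum >/dev/null 2>&1; then
        normalize_rules "$1" | sha256sum | cut -d' ' -f1
    else
        normalize_rules "$1" | shasum -a 256 | cut -d' ' -f1
    fi
}

# check_rules BASELINE CURRENT - returns 0 if unchanged; otherwise prints
# the differing rules and returns 1 so cron mail or a log shipper picks it up
check_rules() {
    if [ "$(rules_fingerprint "$1")" = "$(rules_fingerprint "$2")" ]; then
        echo "iptables ruleset unchanged"
        return 0
    fi
    echo "iptables ruleset CHANGED:"
    normalize_rules "$1" > "$1.norm"
    normalize_rules "$2" > "$2.norm"
    diff "$1.norm" "$2.norm" | grep '^[<>]' | sed 's/^< /-/; s/^> /+/'
    rm -f "$1.norm" "$2.norm"
    return 1
}

# Constructed rulesets: the baseline saved after hardening, and a later
# capture where two knock-style rules (port 31337 opens port 4444) were added.
TMPD=$(mktemp -d)
BASE="$TMPD/baseline.rules"
CUR="$TMPD/current.rules"
cat > "$BASE" <<'EOF'
# Generated by iptables-save v1.8.7 on Mon Jan  1 00:00:00 2024
*filter
:INPUT DROP [120:9800]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [300:40000]
[100:8000] -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
[0:0] -A INPUT -i lo -j ACCEPT
[20:1800] -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
# Completed on Mon Jan  1 00:00:00 2024
EOF
cat > "$CUR" <<'EOF'
# Generated by iptables-save v1.8.7 on Tue Jan  2 03:00:00 2024
*filter
:INPUT DROP [980:77000]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2100:300000]
[900:70000] -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
[0:0] -A INPUT -i lo -j ACCEPT
[3:180] -A INPUT -p tcp -m tcp --dport 31337 -m recent --set --name knock -j DROP
[1:60] -A INPUT -p tcp -m tcp --dport 4444 -m recent --rcheck --seconds 30 --name knock -j ACCEPT
[60:5400] -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
# Completed on Tue Jan  2 03:00:00 2024
EOF

# Demo: in production this is `iptables-save -c > /tmp/cur.rules` followed by
# `check_rules /var/lib/fw/baseline.rules /tmp/cur.rules` every few minutes.
check_rules "$BASE" "$CUR" || true
```

Keep the baseline file off the appliance's writable root (or at least at a path and with a hash recorded elsewhere), because an attacker with root on the box can update the baseline as easily as the rules; the stronger version of this control ships the fingerprint to a log collector and raises the alert there.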
Tools
- Mandiant/GTIG threat intelligence advisories (IOCs for UNC6201, BRICKSTORM, GRIMBOLT, SLAYSTYLE)
- iptables (Linux — inspect and manage firewall/NAT rules on RecoverPoint appliance)
- VMware vCenter (audit and remove unauthorized Ghost NICs from VMs)
- Dell RecoverPoint management interface (version verification, patch application)
- File integrity monitoring / hash comparison tools (detect malicious binaries)
- NetFlow / firewall log analysis tools (hunt for C2 beaconing)
- Memory and disk forensic imaging tools (preserve evidence before remediation)