CISA vulnerability alert: Dell RecoverPoint flaw exploited by UNC6201 forces patching within three days

Published. 5 min read.

In recent months, government cybersecurity in the United States has received a strong reminder: vulnerabilities in critical infrastructure products are not a theoretical problem, and when exploited by persistent actors they can compromise entire networks for years. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has set an urgent pace: it ordered federal agencies to remediate a critical vulnerability in Dell RecoverPoint within just three days, a measure that highlights a real risk that is already materializing in incidents of espionage and sustained access.

The flaw in question, registered as CVE-2026-22769, affects RecoverPoint, Dell's solution for backup and recovery of virtual machines in VMware environments. What makes this problem particularly dangerous is not only its technical severity, but that it involves credentials embedded in the software: a classic vector that allows an attacker to bypass authentication controls and move laterally within a network once initial access has been obtained.


Researchers from multiple cybersecurity companies, including Mandiant and Google's threat intelligence team, have documented that this vulnerability has been actively exploited since at least mid-2024 by a group attributed to China and tracked as UNC6201. After exploiting the flaw, the attackers do not limit themselves to a one-off intrusion: they deploy several malicious payloads, maintain persistence and gain the capabilities to expand their access within the affected infrastructure.

Among the tools identified in these operations is BRICKSTORM, and since September 2025 analysts have observed that the actor began using a new backdoor called GRIMBOLT. GRIMBOLT stands out for using less common compilation techniques, which makes the sample harder to analyse and respond to, and its appearance raises the question of whether the replacement was a planned update or a reaction to response actions led by firms such as Mandiant.

The investigation also shows overlap between the activity of UNC6201 and another group known as Silk Typhoon (also tracked as UNC5221), a cluster attributed to previous cyber-espionage campaigns against U.S. federal entities. Reports of past incidents mention intrusions that affected sensitive agencies such as the Treasury Department, the Office of Foreign Assets Control (OFAC) and the Committee on Foreign Investment in the United States (CFIUS), which helps frame the potential impact when these flaws affect critical administrations or infrastructure.

In view of the evidence of exploitation in real environments, CISA added CVE-2026-22769 to its Known Exploited Vulnerabilities (KEV) catalogue (CISA alert and KEV entry) and required compliance with Binding Operational Directive BOD 22-01, which obliges federal agencies to mitigate or patch these flaws within a very short window. The reason is simple: vulnerabilities exploited in the wild leave little room for waiting, and agencies should prioritize inventories, apply the official mitigations or, if no fix is available, stop using the affected product.

This episode is not isolated. CISA's urgency recalls another recent directive that forced federal agencies to remediate a critical vulnerability in BeyondTrust Remote Support (CVE-2026-1731) within the same three-day period. Independent researchers, such as the authors of the discovery published at Hacktron, also warned of the extensive exposure of instances of this product (thousands of Internet-accessible installations that required manual patching in on-premises deployments), which increases the scale of the risk when vulnerabilities become public and exploitable.

Beyond the immediate patch, this chain of incidents highlights several structural problems in the security of business and government infrastructure. First, the presence of embedded credentials or inflexible authentication mechanisms in critical software remains a frequent problem that facilitates privilege escalation. Secondly, the complexity of hybrid environments (cloud services combined with on-premises systems) requires security teams to combine automatic patching with manual audits and coordinated responses. Finally, when attackers evolve their tools to evade analysis, as with the new compilation techniques observed in GRIMBOLT, detection and containment require better intelligence-sharing processes and public-private collaboration.


For professionals and IT managers, the lesson is clear: it is not enough to apply a patch when the bulletin is published; you need to know where the vulnerable systems are, prioritize updates based on risk and have response plans that combine detection, containment and recovery. The CISA guidelines provide a legal and operational framework for federal agencies, but the best practices emerging from these cases apply to any organization that depends on virtualized backup and recovery solutions.

If you want to read the official notices and technical information cited in this text, you can consult the CVE entry for the RecoverPoint vulnerability (CVE-2026-22769), the alert and the incorporation into the CISA catalogue (CISA announcement and KEV entry), and a journalistic summary of the situation that contains technical statements and context on the actors involved (BleepingComputer). To understand the dimension of similar incidents in other products and the need for an agile response, the write-up from the researchers who discovered the BeyondTrust flaw provides more details (Hacktron).

When a vulnerability is actively exploited, time is no longer a harmless variable: it is the difference between a contained incident and an intrusion that becomes established and produces long-term damage. The call to managers and decision makers is simple and urgent: review inventories, apply the official mitigations and, where necessary, disconnect unsafe components until reliable patches exist. Security is not just technology; it is the will and coordination to reduce exposure windows before attackers take advantage of them.
