Dell 0-day exploited by suspected Chinese snoops since 2024
A China-linked group exploited a critical Dell vulnerability since mid-2024 to deploy multiple backdoors, affecting fewer than a dozen organizations, researchers said.
- On Tuesday, Dell Technologies disclosed and patched CVE-2026-22769, a hardcoded credential flaw exploited by suspected PRC-linked UNC6201 since mid-2024, Google Threat Intelligence Group and Mandiant reported.
- GTIG and Mandiant found the attackers aim to backdoor machines for long-term access, targeting appliances without EDR to remain undetected for over 400 days.
- Technical telemetry reveals the use of Ghost NICs and the replacement of Brickstorm with Grimbolt in September 2025; the attackers exploited a hardcoded Apache Tomcat password to deploy a Slaystyle web shell and modified convert_hosts.sh for persistence.
- The flaw carries a 10/10 severity score, and Dell is urging customers to implement mitigations immediately while CISA, NSA, and Canadian Centre for Cyber Security released guidance last week.
- Analysts warn the actor is likely still active in unpatched and remediated environments; Mandiant discovered the vulnerability while investigating a backdoored victim environment, and fewer than a dozen organizations are known to be impacted.
12 Articles
Chinese hackers exploited a Dell zero-day for 18 months before anyone noticed
Researchers uncovered more worrying details about a long-running cyber espionage campaign suspected to be backed by the Chinese government, exemplifying how such attacks often go undetected until they’ve already caused significant damage. Google Threat Intelligence Group and Mandiant said the Chinese threat group UNC6201 has been exploiting a zero-day vulnerability in Dell RecoverPoint for Virtual Machines since at least mid-2024. The group over…
China-linked hackers exploited Dell zero-day since 2024 (CVE-2026-22769)
A suspected China-linked cyberespionage group has been covertly exploiting a critical zero-day flaw (CVE-2026-22769) in Dell’s RecoverPoint for Virtual Machines software since at least mid-2024, according to new research from Google’s threat intelligence team and Mandiant. The attackers deployed stealthy backdoors (BRICKSTORM and GRIMBOLT), a webshell (SLAYSTYLE) and maintained long-term access inside targeted networks. “Beyond the Dell applianc…
China-linked APT weaponized Dell RecoverPoint zero-day since 2024 - Cybernoz - Cybersecurity News
China-linked APT weaponized Dell RecoverPoint zero-day since 2024 Pierluigi Paganini February 18, 2026 A suspected Chinese state-linked group exploited a critical Dell RecoverPoint flaw (CVE-2026-22769) in zero-day attacks starting mid-2024. Mandiant and Google’s Threat Intelligence Group (GTIG) reported that a suspected China-linked APT group quietly exploited a critical zero-day flaw in Dell RecoverPoint for Virtual Machines st…