Hacking Incidents (Severity: High)

Chinese State-Backed Hackers Exploit Dell Zero-Day Since Mid-2024

Saturday, March 21, 2026
Global
BleepingComputer

Summary

UNC6201 exploited a critical hardcoded-credential vulnerability (CVE-2026-22769) in Dell RecoverPoint for Virtual Machines as a zero-day since mid-2024, deploying the Grimbolt backdoor malware.

Threat Analysis

A suspected Chinese state-backed hacking group, UNC6201, has been exploiting a critical hardcoded-credential vulnerability (CVE-2026-22769) in Dell RecoverPoint for Virtual Machines as a zero-day since mid-2024. The vulnerability allowed unauthorized access and root-level persistence on affected systems. The attackers deployed new backdoor malware called Grimbolt and used novel techniques such as 'Ghost NICs' on VMware ESXi servers to maintain stealth and persistence. The prolonged exploitation period before discovery highlights the sophistication of the threat actor and the difficulty of detecting advanced persistent threats (APTs) in virtualized environments. Organizations using Dell RecoverPoint should immediately apply the available patches, conduct thorough security audits of their virtual infrastructure, review access logs for suspicious activity, and implement network segmentation to limit lateral movement. The use of hardcoded credentials in enterprise software remains a critical security weakness that vendors must address through secure development practices.

Last updated: Mar 21, 2026, 09:19 AM
