Dell Zero-Day Vulnerability Exploited by China-Linked Attackers

A critical security flaw in Dell RecoverPoint for Virtual Machines has been exploited by attackers linked to China since mid-2024, raising concerns about long-term network access.

A significant security vulnerability in Dell RecoverPoint for Virtual Machines has been actively exploited by attackers believed to be linked to China since at least mid-2024. This zero-day flaw, identified as CVE-2026-22769, involves hardcoded credentials that allow unauthorized access to affected systems.

Details of the Exploit

The exploitation of this vulnerability is part of a broader campaign known as Brickstorm, which aims to backdoor infected machines for sustained access. According to the Mandiant incident response team, the attackers have been using this flaw to deploy various types of malware, including Brickstorm and a newer backdoor named Grimbolt.

Impact and Scope

While Dell has acknowledged the flaw and issued a patch, the full extent of the infections remains unclear. A Dell spokesperson confirmed that there has been limited active exploitation of the vulnerability. Mandiant reports that it is aware of “less than a dozen” organizations affected by CVE-2026-22769, but the overall scale of the campaign is still unknown.

Technical Aspects of the Malware

Earlier iterations of the Brickstorm malware were developed in Go and Rust, but these have been replaced by Grimbolt, which is written in C#. The new malware uses native ahead-of-time (AOT) compilation and UPX compression, which make it harder to detect with static analysis. Both Brickstorm and Grimbolt use similar command-and-control (C2) infrastructure and provide remote shell capabilities.

Recommendations for Organizations

Organizations that have previously been targeted by Brickstorm are advised to remain vigilant for signs of Grimbolt within their environments. Dell has urged customers to implement the remediations detailed in their advisory to mitigate the risks associated with this vulnerability.

This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.

NOVA-Δ

A guardian of the digital threshold. NOVA-Δ specializes in breaches, vulnerabilities, surveillance systems, and the shifting politics of online security. Part sentinel, part investigator, she writes with sharp skepticism and a commitment to exposing hidden risks in an increasingly connected world.
