
Dell RecoverPoint Hardcoded Credential Flaw: Why Backup Infrastructure Is Now a Prime Attack Surface

April 11, 2026 Newsletter



A critical Dell RecoverPoint for Virtual Machines flaw shows how hardcoded credentials in backup infrastructure can enable persistence, lateral movement, and long-term cyber risk. Here is the InfoSight perspective.

A newly disclosed flaw in Dell RecoverPoint for Virtual Machines is a reminder that attackers do not need flashy zero-days in public-facing apps to create serious business risk. Sometimes the most dangerous weakness is simpler: a hardcoded credential embedded in infrastructure software that defenders assume is trusted.


Dell disclosed CVE-2026-22769 on February 17, 2026. The issue affects RecoverPoint for Virtual Machines versions prior to 6.0.3.1 HF1 and carries a CVSS 10.0 score. Dell says an unauthenticated remote attacker with knowledge of the hardcoded credential could gain unauthorized access to the underlying operating system and establish root-level persistence.


According to Google Threat Intelligence Group and Mandiant, the flaw has been exploited since at least mid-2024 by UNC6201, a suspected PRC-nexus threat cluster. In incident response engagements, the actor used the vulnerability to move laterally, maintain persistence, and deploy malware including SLAYSTYLE, BRICKSTORM, and a newer backdoor called GRIMBOLT.


Dark Reading’s coverage captures the deeper concern: this was not just another patchable bug. It was effectively a pre-positioned trust failure inside a data protection product. The publication notes that the actor used the flaw to compromise Dell appliances and, in some cases, pivot into VMware virtual infrastructure.


The Real Problem: Trusted Infrastructure Can Become a Hidden Entry Point


Backup, recovery, and replication systems are often treated as operational necessities rather than active cyber-risk assets. That mindset is dangerous.


Platforms like RecoverPoint sit close to critical workloads, privileged systems, storage operations, and virtualization layers. When a product in that position contains a hardcoded credential, the attacker is not just exploiting software. The attacker is inheriting trust. In this case, Dark Reading reported that researchers found hardcoded default credentials for the Tomcat Manager admin user, creating a path to upload a malicious WAR file and execute commands as root on the appliance.


From an InfoSight perspective, this incident reinforces a core reality: cyber risk is not confined to endpoints, users, or internet-facing applications. It extends into the operational platforms organizations rely on for resilience. If a recovery platform can be compromised, the systems intended to support recovery can become part of the attack chain.


Why This Matters to Security Leaders


This flaw matters because it combines four conditions that make security events harder to detect and more damaging when missed.

First, it exists in infrastructure that many organizations implicitly trust. Second, it allows high privilege with low attacker friction. Third, it affects appliances that may not have traditional EDR coverage. Fourth, it creates a bridge into adjacent systems such as VMware environments. Mandiant specifically reported that UNC6201 used novel techniques, including “Ghost NICs,” to pivot more stealthily into virtual infrastructure.


That combination turns a single product flaw into a broader exposure-management problem.


For security and IT leaders, the lesson is direct: asset criticality is not just about business function. It is also about how much inherited trust and lateral movement potential a platform carries once compromised.


The InfoSight Take: This Is a Risk Governance Failure, Not Just a Patching Issue


It is easy to reduce this story to “apply the update.” That is necessary, but incomplete.


Yes, Dell strongly recommends upgrading to RecoverPoint for Virtual Machines 6.0.3.1 HF1 or applying the remediation script. That is the immediate action.


But the larger issue is governance over trusted technology:


Was the appliance inventoried and classified as a high-risk asset?

Was its management interface segmented and tightly access-controlled?

Was privileged software in the environment validated for insecure defaults?

Was there monitoring around unusual administrative access, web deployment activity, or virtualization pivots?

Was the backup and recovery stack included in vulnerability prioritization and threat hunting, or treated as a blind spot?


Dell’s own advisory states RecoverPoint for Virtual Machines should be deployed only within a trusted, access-controlled internal network protected by firewalls and segmentation, and not on untrusted or public networks. That guidance matters because “internal” is not the same as “safe” once an attacker lands inside.


What Organizations Should Do Now


Organizations using Dell RecoverPoint for Virtual Machines should act on two tracks simultaneously: remediation and validation.


Remediation means identifying affected versions, upgrading to 6.0.3.1 HF1 where possible, or applying Dell’s remediation steps immediately. Dell also notes that versions 5.3 SP4, 5.3 SP3, 5.3 SP2, and potentially earlier versions may be impacted, which widens the scope of review.


Validation means assuming the platform may already have been exposed and verifying accordingly:


Review administrative access and appliance logs

Investigate unexpected deployment activity in Tomcat-related components

Hunt for persistence mechanisms and unauthorized changes

Inspect VMware-connected systems for signs of lateral movement

Reassess segmentation around backup, recovery, and replication infrastructure

Elevate backup appliances into ongoing risk scoring and continuous monitoring
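As an added example that is not from the article, Dell, or the researchers it cites, the Python below walks Tomcat access-log lines and flags deployments through the Tomcat Manager application, plus Manager access from outside a management-host allowlist, which is the "unexpected deployment activity in Tomcat-related components" the checklist above asks teams to investigate. The log layout (Tomcat's "common" pattern), the Manager endpoint list, the sample log lines and the allowlist are assumptions constructed for this example, not values from the advisory.

```python
import re

# Tomcat "common" access-log layout: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# Tomcat Manager endpoints that install application code (HTML GUI upload, text API, legacy path)
DEPLOY_PATHS = ("/manager/html/upload", "/manager/text/deploy", "/manager/deploy")

# Constructed sample log lines: addresses, accounts and timestamps are made up for this example.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Apr/2026:08:15:01 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '10.0.0.5 - admin [02/Apr/2026:08:15:40 +0000] "GET /manager/html HTTP/1.1" 200 2048',
    '203.0.113.9 - admin [03/Apr/2026:02:11:07 +0000] "POST /manager/html/upload HTTP/1.1" 200 4096',
    '10.0.0.7 - admin [03/Apr/2026:03:00:00 +0000] "PUT /manager/text/deploy?path=/tools&update=true HTTP/1.1" 200 45',
    '198.51.100.4 - - [03/Apr/2026:04:00:00 +0000] "PUT /manager/text/deploy?path=/x HTTP/1.1" 401 -',
]
# Hypothetical allowlist of jump hosts permitted to reach the appliance's management interface
TRUSTED_MGMT_HOSTS = {"10.0.0.5", "10.0.0.7"}

def triage_manager_access(lines, trusted_sources):
    findings = []  # one dict per Manager-app request that merits analyst review
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a production pipeline would count these
        path = m.group("path").split("?", 1)[0]  # drop the query string
        if not path.startswith("/manager/"):
            continue  # only traffic to the Tomcat Manager application is of interest
        status = int(m.group("status"))
        is_deploy = path.startswith(DEPLOY_PATHS) and m.group("method") in ("PUT", "POST")
        untrusted = m.group("host") not in trusted_sources
        if is_deploy and status < 400:
            severity, reason = "high", "application deployed through Tomcat Manager"
        elif is_deploy:
            severity, reason = "medium", f"deploy attempt rejected with HTTP {status}"
        elif untrusted:
            severity, reason = "medium", "Manager reached from outside the management allowlist"
        else:
            continue  # routine Manager browsing from a trusted admin host
        if is_deploy and untrusted:
            reason += "; source not in management allowlist"
        findings.append({"host": m.group("host"), "user": m.group("user"), "time": m.group("time"),
                         "method": m.group("method"), "path": path, "status": status,
                         "severity": severity, "reason": reason})
    return findings

if __name__ == "__main__":
    for f in triage_manager_access(SAMPLE_LOG, TRUSTED_MGMT_HOSTS):
        print(f"[{f['severity']:6}] {f['time']} {f['host']} {f['method']} {f['path']} -> {f['reason']}")
```

On an appliance whose administrators never deploy web applications themselves, any successful Manager deployment is high-signal regardless of source, which is why the trusted-host PUT is still reported.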


This is where security programs often break down. They patch the known issue but fail to reassess the control assumptions that allowed the issue to remain high impact for so long.


A Broader Security Lesson: Resilience Platforms Must Be Defended Like Crown-Jewel Systems


The systems designed to preserve availability during incidents are now attractive targets in their own right.


Attackers understand that backup and recovery infrastructure can provide privileged access, operational leverage, and persistence opportunities. When those platforms are weak, the business impact extends beyond a compromised appliance. It can degrade response, delay recovery, and increase confidence gaps during an active incident.


That makes this more than an application-security story. It is a cyber-risk management story. Security leaders should treat backup, recovery, identity, virtualization, and management-plane systems as high-value exposure zones that require the same scrutiny applied to other critical assets.


Final Takeaway


The Dell RecoverPoint flaw is a warning against misplaced trust in internal infrastructure. A hardcoded credential in a trusted platform created a path for long-term access, stealthy movement, and deeper compromise.


At InfoSight, the takeaway is clear: organizations need more than patching. They need continuous visibility into where trust is concentrated, where legacy design decisions create exposure, and where remediation will reduce real business risk fastest.


If security teams still treat backup and recovery platforms as operational tools instead of critical attack-surface assets, they will keep discovering risk only after attackers do.
