Signal
Reports detail in-the-wild zero-day exploitation of Dell RecoverPoint VM (CVE-2026-22769)
Evidence first: scan the strongest sources, then decide whether to go deeper.
Published 2026-02-17 14:00 UTC · Updated 2026-02-18 03:00 UTC
Tags: cve, zero_day, exploitation_in_the_wild, threat_actor, malware, advisory
Evidence trail (top sources)
4 top sources shown (4 domains). Domains are deduped; counts indicate coverage, not truth.
Overview
Multiple reports describe active exploitation of high-severity, previously unknown vulnerabilities, led by a detailed disclosure of a Dell RecoverPoint for Virtual Machines zero-day (CVE-2026-22769) tied to a suspected PRC-nexus cluster (UNC6201). In parallel, a separate research note highlights exploitation of two Ivanti EPMM zero-days (CVE-2026-1281, CVE-2026-1340), underscoring continued attacker focus on enterprise infrastructure and management platforms.
Entities
Dell, Google, Mandiant, Ivanti, RecoverPoint for Virtual Machines, Apache Tomcat, BRICKSTORM, GRIMBOLT
Score total: 1.81
Momentum 24h: 6
Posts: 6
Origins: 6
Source types: 2
Duplicate ratio: 17%
Why now
- New technical reporting details exploitation since mid-2024 and associated tooling/malware.
- NVD entry highlights affected versions and remediation urgency for Dell RecoverPoint VM.
- Unit 42 flags an active global exploitation campaign for Ivanti EPMM zero-days.
Why it matters
- CVE-2026-22769 is rated critical (CVSS 10.0) and described as enabling unauthorized access/persistence.
- Reporting ties exploitation to a suspected PRC-nexus cluster and malware evolution (BRICKSTORM to GRIMBOLT).
- Parallel Ivanti EPMM zero-day exploitation suggests broad pressure on enterprise management surfaces.
LLM analysis
Topic mix: medium · Promo risk: low · Source quality: high
Recurring claims
- UNC6201 has exploited Dell RecoverPoint for Virtual Machines zero-day CVE-2026-22769 since at least mid-2024.
- CVE-2026-22769 is a critical hardcoded-credential issue in Dell RecoverPoint for Virtual Machines, with Dell recommending upgrades/remediations.
How sources frame it
- Mandiant / Google Threat Intelligence Group: neutral
- NVD (via Vendor Advisory Summary): neutral
- Palo Alto Networks Unit 42: neutral
Cluster mixes two separate zero-day exploitation reports (Dell RecoverPoint VM and Ivanti EPMM). Narrative focuses on Dell; Ivanti noted as parallel activity.
All evidence
Security Update for RecoverPoint for Virtual Machines Hardcoded Credential Vulnerability
NCSC-FI - Vulnerabilities · nvd.nist.gov · 2026-02-18 03:00 UTC
Chinese hackers exploited a Dell zero-day for 18 months before anyone noticed
CyberScoop · cyberscoop.com · 2026-02-18 00:32 UTC
China-linked snoops have been exploiting Dell 0-day since mid-2024, using 'ghost NICs' to avoid detection
The Register Security · go.theregister.com · 2026-02-18 00:05 UTC
Chinese hackers exploiting Dell zero-day flaw since mid-2024
bleepingcomputer_all · bleepingcomputer.com · 2026-02-17 20:15 UTC
From BRICKSTORM to GRIMBOLT: UNC6201 Exploiting a Dell RecoverPoint for Virtual Machines Zero-Day
Mandiant Blog · cloud.google.com · 2026-02-17 14:00 UTC
We detail exploitation of zero-day vulnerabilities CVE-2026-1281 and CVE-2026-1340 discovered in Ivanti EPMM. A global exploitation campaign is affecting multiple critical secto...
Unit42_Intel · unit42.paloaltonetworks.com · 2026-02-17 20:41 UTC
Top publishers (this list)
- NCSC-FI - Vulnerabilities (1)
- CyberScoop (1)
- The Register Security (1)
- bleepingcomputer_all (1)
- Mandiant Blog (1)
- Unit42_Intel (1)
Top origin domains (this list)
- nvd.nist.gov (1)
- cyberscoop.com (1)
- go.theregister.com (1)
- bleepingcomputer.com (1)
- cloud.google.com (1)
- unit42.paloaltonetworks.com (1)