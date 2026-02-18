Dell patched critical flaw in RecoverPoint for Virtual Machines caused by hardcoded credentials

Exploited as a zero-day since mid-2024 by Chinese state-sponsored group UNC6201

Attackers deployed new Grimbolt backdoor and used novel “Ghost NICs” technique for stealth and lateral movement

Chinese state-sponsored threat actors have been abusing a rather embarrassing vulnerability in a Dell product for nearly two years, experts have claimed.

In a security advisory, Dell said its RecoverPoint for Virtual Machines contained a hardcoded credential flaw.

RecoverPoint for Virtual Machines (RP4VM) is a data protection and disaster recovery solution designed for virtualized environments, primarily VMware vSphere and Microsoft Hyper-V. As it was being built, a developer left login credentials in the code, most likely to be able to quickly log in and test the product.

Limited active exploitation

Usually, developers sift through the code before shipping a product and remove all traces of hardcoded credentials. Sometimes, however, they are forgotten or left unchecked, leaving a gaping hole for cybercriminals to exploit.

Now, Dell says that all versions prior to 6.0.3.1 HF1 contained hardcoded credentials, a critical vulnerability because “an unauthenticated remote attacker with knowledge of the hardcoded credential could potentially exploit this vulnerability leading to unauthorized access to the underlying operating system and root-level persistence.”

To make matters worse, security researchers from Google and Mandiant have warned Dell of “limited active exploitation” of the flaw. The two companies say the bug had been exploited as a zero-day since mid-2024, meaning the attackers had been using it for more than a year and a half.

The group apparently exploiting this bug is tracked as UNC6201. It is not as widely recognized as groups such as APT41 or Silk Typhoon, but it is no less dangerous. In fact, the researchers said the group deployed multiple malware payloads, including a brand-new backdoor called Grimbolt, built in C# using a new compilation technique that makes it faster and harder to reverse-engineer than the group's previous tools.


The researchers also said UNC6201 used new techniques for lateral movement and stealth:

"UNC6201 uses temporary virtual network ports (AKA "Ghost NICs") to pivot from compromised VMs into internal or SaaS environments, a new technique that Mandiant has not observed before in their investigations," Mandiant told BleepingComputer. "Consistent with the earlier BRICKSTORM campaign, UNC6201 continues to target appliances that typically lack traditional endpoint detection and response (EDR) agents to remain undetected for long periods."

Via BleepingComputer
