INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Dell Zero-Day Exploit Vulnerability Patch Deadline
2026-02-19 15:30 | Severity: CRITICAL / HIGH
Executive Summary (AI-generated)
Mandiant and the Google Threat Intelligence Group (GTIG) report that UNC6201, a suspected PRC-nexus threat cluster, has exploited a maximum-severity hardcoded-credential vulnerability (CVE-2026-22769) in Dell RecoverPoint for Virtual Machines since at least mid-2024, using it to move laterally, maintain persistent access, and deploy SLAYSTYLE, BRICKSTORM and the newly identified GRIMBOLT backdoor. GTIG sees overlaps between UNC6201 and UNC5221, a cluster previously linked to the Silk Typhoon cyberespionage group, but does not consider the two identical. CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog and, under BOD 22-01, gave Federal Civilian Executive Branch agencies three days, until the end of Saturday, February 21, 2026, to secure their networks. The campaign fits the established pattern of Chinese state-backed clusters targeting backup, virtualization and edge appliances that typically lack endpoint detection and response coverage.
Technical Mitigations (AI-generated)
* Upgrade Dell RecoverPoint for Virtual Machines to 6.0.3.1 HF1 or later; every earlier version contains the hardcoded credential (CVE-2026-22769). FCEB agencies must do so by the end of Saturday, February 21, 2026; other organisations should treat that KEV due date as their benchmark.
* Follow Dell's advisory and CISA's KEV required action: apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
* Because exploitation dates back to mid-2024, patching alone is not sufficient. Hunt for Brickstorm, Slaystyle and Grimbolt on appliances and VMware hosts, and review ESXi reconfiguration history for transient virtual NICs ("Ghost NICs") used to pivot from compromised VMs.
* Separately, patch BeyondTrust Remote Support against the actively exploited remote code execution flaw CVE-2026-1731, for which CISA set a similar three-day deadline the previous week; around 8,500 exposed instances were on-premises deployments that require manual patching.
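As an added example, not code from the page, from Dell or from CISA, here is a Python check that turns Dell's fix line ("versions prior to 6.0.3.1 HF1") into an inventory triage. The version grammar (dotted numeric components plus an optional HFn hotfix suffix, with a missing hotfix treated as HF0) and the sample inventory are assumptions. The check answers only "which appliances still run a vulnerable build"; given exploitation since mid-2024, an appliance that is now patched may already have been compromised, and that question needs forensics, not a version string.

```python
import re

# Fixed version named in Dell's advisory: every earlier build is affected.
FIXED_VERSION = "6.0.3.1 HF1"

# Assumed grammar: dotted numeric components, optional "HF<n>" hotfix suffix.
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> tuple:
    """Parse 'A.B.C.D [HFn]' into a comparable tuple.

    Numeric components are padded to four places so 6.0.3 == 6.0.3.0, and a
    missing hotfix counts as HF0, so plain 6.0.3.1 sorts before 6.0.3.1 HF1.
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised RecoverPoint version string: {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    if len(parts) > 4:
        raise ValueError(f"too many version components: {text!r}")
    parts += [0] * (4 - len(parts))
    hotfix = int(match.group(2)) if match.group(2) else 0
    return (*parts, hotfix)


def is_vulnerable(version: str) -> bool:
    """True if the build predates the fix and so still ships the hardcoded credential."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage(inventory):
    """Return the hostnames in (hostname, version) pairs that still need the update."""
    return [host for host, version in inventory if is_vulnerable(version)]


# Constructed inventory for illustration; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("rp4vm-dc1-01", "5.3.2"),
    ("rp4vm-dc1-02", "6.0.3.1"),       # base 6.0.3.1 without the hotfix: still vulnerable
    ("rp4vm-dc2-01", "6.0.3.1 HF1"),   # the fixed build
    ("rp4vm-dc2-02", "6.0.3.1 HF2"),   # a later hotfix, assumed to include the fix
    ("rp4vm-lab",    "6.0.3"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"PATCH REQUIRED: {host}")
```

The comparison is deliberately strict: a base 6.0.3.1 build without the hotfix is reported as vulnerable, because the advisory names the hotfix, not the base release, as the fix.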
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2026-22769
CVE-2026-1731
Target & Sectors
NORTH_AMERICA
legal
government
technology
manufacturing
Incident Timeline
mid-2024
A suspected Chinese state-backed cluster (UNC6201) begins exploiting the Dell RecoverPoint flaw in zero-day attacks.
Entities: Government (industry); Dell (attribution); China (source region)
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered government agencies to patch their systems within three days against a maximum-severity Dell vulnerability that has been under active exploitation since mid-2024. A suspected Chinese state-backed hacking group has been quietly exploiting a critical Dell security flaw in zero-day attacks that started in mid-2024.
April 2024
Mandiant first documents the Brickstorm backdoor, which GTIG later ties to UNC5221 and CrowdStrike ties to the group it tracks as Warp Panda.
Entities: China (source region); United States (target region); Legal, Technology, Manufacturing (industries); Google, CrowdStrike (organisations)
GTIG added in September that UNC5221 hackers used Brickstorm (first documented by Google subsidiary Mandiant in April 2024) to gain long-term persistence on the networks of multiple U.S. organizations in the legal and technology sectors, while CrowdStrike has linked Brickstorm malware attacks targeting VMware vCenter servers of legal, technology, and manufacturing companies in the United States to a Chinese hacking group it tracks as Warp Panda.
September 2025
UNC6201 swaps the Brickstorm backdoor for the newly identified Grimbolt backdoor.
Entities: Grimbolt (malware); Ivanti (infrastructure, via the related UNC5221 cluster)
While the researchers have observed the group swapping out Brickstorm for Grimbolt in September 2025, it remains unclear whether the switch was a planned upgrade or "a reaction to incident response efforts led by Mandiant and other industry partners."
"Analysis of incident response engagements revealed that UNC6201, a suspected PRC-nexus threat cluster, has exploited this flaw since at least mid-2024 to move laterally, maintain persistent access, and deploy malware including SLAYSTYLE, BRICKSTORM, and a novel backdoor tracked as GRIMBOLT," they said.
The security researchers have also found overlaps between UNC6201 and the Silk Typhoon Chinese state-backed cyberespionage group (although the two are not considered identical by GTIG), also tracked as UNC5221 and known for exploiting Ivanti zero-days to target government agencies with custom Spawnant and Zipline malware.
January 31
Hacktron reports the BeyondTrust Remote Support vulnerability later tracked as CVE-2026-1731.
Entities: Hacktron, BeyondTrust Remote Support (organisations); 11,000 exposed instances, 8,500 on-premises instances (metrics)
Hacktron, which reported the vulnerability on January 31, warned in early February that around 11,000 BeyondTrust Remote Support instances were exposed online, and that around 8,500 were on-premises deployments that required manual patching.
2026-02-12
CISA orders U.S. federal agencies to secure BeyondTrust Remote Support against the actively exploited remote code execution flaw CVE-2026-1731 within three days.
Entities: CVE-2026-1731 (vulnerability); Remote Code Execution (tactic); CISA (attribution)
Last week, CISA also gave U.S. federal agencies three days to secure their BeyondTrust Remote Support instances against an actively exploited remote code execution vulnerability (CVE-2026-1731).
2026-02-17
Mandiant and GTIG reveal that UNC6201 has been exploiting a maximum-severity hardcoded-credential vulnerability (CVE-2026-22769) in Dell RecoverPoint for Virtual Machines; Dell's advisory is published the same Tuesday.
Entities: CVE-2026-22769 (vulnerability); Mandiant, the Google Threat Intelligence Group, UNC6201 (attribution); Dell RecoverPoint for Virtual Machines, VMware (products)
Security researchers from Mandiant and the Google Threat Intelligence Group (GTIG) revealed today that the UNC6201 group exploited a maximum-severity hardcoded-credential vulnerability (tracked as CVE-2026-22769) in Dell RecoverPoint for Virtual Machines, a solution used for VMware virtual machine backup and recovery.
2026-02-19
Further detail on UNC6201 tradecraft: the Grimbolt backdoor, hidden "Ghost NIC" interfaces on VMware ESXi, and continued targeting of appliances without EDR coverage.
Entities: Ivanti (infrastructure, via the related UNC5221 cluster); Grimbolt, BRICKSTORM (malware); 6.0.3.1 HF1 (software version); VMware, Mandiant, BleepingComputer (organisations); EDR
The researchers have found overlaps between UNC6201 and a separate Chinese threat cluster, UNC5221, known for exploiting Ivanti zero-days to target government agencies with custom Spawnant and Zipline malware and previously linked to the notorious Silk Typhoon Chinese state-backed threat group (although the two are not considered identical by GTIG).
After gaining access to a victim's network in CVE-2026-22769 attacks, UNC6201 deploys several malware payloads, including a newly identified backdoor called Grimbolt.
"Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credential vulnerability," Dell explains in a security advisory published on Tuesday.
Targeting VMware ESXi servers
The attackers also used novel techniques to burrow deeper into victims' virtualized infrastructure, including creating hidden network interfaces (so-called Ghost NICs) on VMware ESXi servers to move stealthily across victims' networks.
"UNC6201 uses temporary virtual network ports (AKA "Ghost NICs") to pivot from compromised VMs into internal or SaaS environments, a new technique that Mandiant has not observed before in their investigations," Mandiant communications manager Mark Karayan told BleepingComputer.
"Consistent with the earlier BRICKSTORM campaign, UNC6201 continues to target appliances that typically lack traditional endpoint detection and response (EDR) agents to remain undetected for long periods."
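A Ghost NIC leaves nothing behind on the guest once it is removed, but the hypervisor records every reconfiguration, so the add/remove pair is visible in vCenter's event history. As an added example, not code from Mandiant, GTIG or the article, the Python below looks for virtual Ethernet devices that were added to a VM and removed again within a short lifetime. The event records are a constructed, simplified rendering of vCenter VmReconfiguredEvent data (VM name, user, time and the deviceChange list); the field names, the twelve-hour default lifetime threshold and the sample events are assumptions, and a real deployment would feed it from the vCenter event manager or your SIEM's export rather than from a literal.

```python
from datetime import datetime, timedelta

# vSphere virtual Ethernet device classes; an add/remove of any of these is a NIC change.
NIC_DEVICE_TYPES = {
    "VirtualVmxnet3", "VirtualVmxnet2", "VirtualE1000", "VirtualE1000e", "VirtualPCNet32",
}

# Constructed, simplified VmReconfiguredEvent records (not real vCenter output).
SAMPLE_EVENTS = [
    {"time": "2026-02-10T01:12:03Z", "vm": "fileserver-01", "user": "VSPHERE.LOCAL\\svc-backup",
     "deviceChange": [{"operation": "add", "deviceType": "VirtualVmxnet3",
                       "key": 4001, "network": "Mgmt-Internal"}]},
    {"time": "2026-02-10T03:40:51Z", "vm": "fileserver-01", "user": "VSPHERE.LOCAL\\svc-backup",
     "deviceChange": [{"operation": "remove", "deviceType": "VirtualVmxnet3",
                       "key": 4001, "network": "Mgmt-Internal"}]},
    # Routine change: a disk edit, not a NIC, on the same VM.
    {"time": "2026-02-10T08:00:00Z", "vm": "fileserver-01", "user": "VSPHERE.LOCAL\\jdoe",
     "deviceChange": [{"operation": "edit", "deviceType": "VirtualDisk", "key": 2000}]},
    # Legitimate NIC added during a change window and kept.
    {"time": "2026-02-11T09:00:00Z", "vm": "web-03", "user": "VSPHERE.LOCAL\\jdoe",
     "deviceChange": [{"operation": "add", "deviceType": "VirtualVmxnet3",
                       "key": 4002, "network": "DMZ"}]},
    # NIC added and removed eight days apart: outside the short-lived window.
    {"time": "2026-02-01T10:00:00Z", "vm": "db-02", "user": "VSPHERE.LOCAL\\jdoe",
     "deviceChange": [{"operation": "add", "deviceType": "VirtualE1000e",
                       "key": 4003, "network": "Backup"}]},
    {"time": "2026-02-09T10:00:00Z", "vm": "db-02", "user": "VSPHERE.LOCAL\\jdoe",
     "deviceChange": [{"operation": "remove", "deviceType": "VirtualE1000e",
                       "key": 4003, "network": "Backup"}]},
]


def _parse_time(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def find_ghost_nics(events, max_lifetime_hours=12):
    """Return NICs that were added to a VM and removed again within max_lifetime_hours.

    Events are processed in time order; an add is remembered per (vm, device key)
    until a matching remove arrives. Adds that are never removed are not reported
    here: they are either ordinary configuration or a pivot that is still in place.
    """
    max_lifetime = timedelta(hours=max_lifetime_hours)
    pending = {}
    findings = []
    for event in sorted(events, key=lambda e: _parse_time(e["time"])):
        when = _parse_time(event["time"])
        for change in event.get("deviceChange", []):
            if change.get("deviceType") not in NIC_DEVICE_TYPES:
                continue
            ident = (event["vm"], change["key"])
            if change["operation"] == "add":
                pending[ident] = (when, event["user"], change.get("network"))
            elif change["operation"] == "remove" and ident in pending:
                added, user, network = pending.pop(ident)
                lifetime = when - added
                if lifetime <= max_lifetime:
                    findings.append({
                        "vm": event["vm"], "key": change["key"], "network": network,
                        "added": added.isoformat(), "removed": when.isoformat(),
                        "lifetime_minutes": int(lifetime.total_seconds() // 60),
                        "user": user,
                    })
    return findings


if __name__ == "__main__":
    for hit in find_ghost_nics(SAMPLE_EVENTS):
        print(f"GHOST NIC? vm={hit['vm']} net={hit['network']} "
              f"lived {hit['lifetime_minutes']} min, added by {hit['user']}")
```

Tune the lifetime threshold to your change-management reality: a NIC that lives for two hours on a file server at 01:00 under a service account is a different signal from one added and removed during a documented maintenance window, and the `user` and `network` fields are what let an analyst tell the two apart.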
the end of Saturday, February 21
FCEB agencies are ordered to prioritize CVE-2026-22769 patches by the end of Saturday, February 21.
Entities: CVE-2026-22769 (vulnerability); CISA, Known Exploited Vulnerabilities (KEV) catalog, Federal Civilian Executive Branch (FCEB), BOD 22-01 (attribution); T1588.006 - Vulnerabilities (MITRE ATT&CK technique)
CISA has now added the security flaw to its Known Exploited Vulnerabilities (KEV) catalog on Wednesday and ordered Federal Civilian Executive Branch (FCEB) agencies to secure their networks by the end of Saturday, February 21, as mandated by Binding Operational Directive (BOD) 22-01. CISA's instruction to agencies: "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."
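BOD 22-01 binds only FCEB agencies to the KEV due dates, but the catalog is published as JSON that anyone can consume, and many organisations use those dates as their own patching benchmark. As an added example, not CISA's tooling, the Python below joins a KEV extract against a local product inventory and classifies each matching entry as overdue, due soon or scheduled relative to a reference date. The two entries are constructed in the catalog's published field layout (cveID, vendorProject, product, dateAdded, requiredAction, dueDate); the Dell dates follow this page (added Wednesday, February 18, due February 21), the BeyondTrust due date is an assumption based on the "three days" wording, and the three-day "due soon" horizon and the inventory are illustrative.

```python
import json
from datetime import date

# Constructed extract in the KEV catalog's JSON layout; the BeyondTrust dueDate is assumed.
_REQUIRED_ACTION = ("Apply mitigations per vendor instructions, follow applicable BOD 22-01 "
                    "guidance for cloud services, or discontinue use of the product if "
                    "mitigations are unavailable.")

SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2026-22769", "vendorProject": "Dell",
         "product": "RecoverPoint for Virtual Machines",
         "dateAdded": "2026-02-18", "requiredAction": _REQUIRED_ACTION,
         "dueDate": "2026-02-21"},
        {"cveID": "CVE-2026-1731", "vendorProject": "BeyondTrust",
         "product": "Remote Support",
         "dateAdded": "2026-02-12", "requiredAction": _REQUIRED_ACTION,
         "dueDate": "2026-02-15"},   # assumed: three days after dateAdded
    ],
})


def _matches(entry, inventory):
    """Case-insensitive substring match of (vendor, product) pairs against a KEV entry."""
    vendor = entry["vendorProject"].lower()
    product = entry["product"].lower()
    return any(v.lower() in vendor and p.lower() in product for v, p in inventory)


def classify(due_date, today, horizon_days):
    """Return (days_left, status) for a due date relative to today."""
    days_left = (due_date - today).days
    if days_left < 0:
        status = "OVERDUE"
    elif days_left <= horizon_days:
        status = "DUE_SOON"
    else:
        status = "SCHEDULED"
    return days_left, status


def triage_kev(kev_json, inventory, today_iso, horizon_days=3):
    """Filter a KEV JSON document to the products you run and rank them by urgency.

    inventory: iterable of (vendor, product) strings describing what you operate.
    today_iso: the reference date as YYYY-MM-DD, so results are reproducible.
    """
    today = date.fromisoformat(today_iso)
    catalog = json.loads(kev_json)
    rows = []
    for entry in catalog["vulnerabilities"]:
        if not _matches(entry, inventory):
            continue
        days_left, status = classify(date.fromisoformat(entry["dueDate"]), today, horizon_days)
        rows.append({
            "cveID": entry["cveID"],
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "dueDate": entry["dueDate"],
            "days_left": days_left,
            "status": status,
            "requiredAction": entry["requiredAction"],
        })
    rows.sort(key=lambda r: r["days_left"])   # most urgent first
    return rows


if __name__ == "__main__":
    # Constructed inventory: an organisation running both affected products.
    inventory = [("Dell", "RecoverPoint"), ("BeyondTrust", "Remote Support")]
    for row in triage_kev(SAMPLE_KEV_JSON, inventory, "2026-02-19"):
        print(f'{row["status"]:9} {row["cveID"]:15} {row["product"]} (due {row["dueDate"]})')
```

Against the live catalog, replace `SAMPLE_KEV_JSON` with the downloaded JSON feed and `today_iso` with the current date; the inventory match is deliberately loose (substring on vendor and product) so that a product name drifting between "RecoverPoint" and "RecoverPoint for Virtual Machines" does not silently drop an entry.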
Tactical Metrics
Affected product and version: Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1. "Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credential vulnerability," Dell explains in a security advisory published on Tuesday.
Related infrastructure: Ivanti. The Ivanti zero-days belong to the related UNC5221 cluster, not to this Dell campaign: the researchers have found overlaps between UNC6201 and a separate Chinese threat cluster, UNC5221, known for exploiting Ivanti zero-days to target government agencies with custom Spawnant and Zipline malware and previously linked to the notorious Silk Typhoon Chinese state-backed threat group (although the two are not considered identical by GTIG).
Intelligence Sources
BleepingComputer, 2026-02-17: Chinese hackers exploiting Dell zero-day flaw since mid-2024
BleepingComputer, 2026-02-19: CISA orders feds to patch actively exploited Dell flaw within 3 days
Incident Version History
Last Updated: 2026-04-27T07:01
Comprehensive Tactical Telemetry
Highly correlated entities (mention counts): Silk Typhoon (19, attribution); Grimbolt (15, malware); mid-2024 (9, timeline); Government (4, targeted sector); China (2, source region); CVE-2026-22769 (2, exploited CVE)
Contextual telemetry: target country United States; affected product Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1 (Ivanti appears only through the related UNC5221 cluster); MITRE ATT&CK technique T1588.006 - Vulnerabilities; operation type Remote Code Execution (CVE-2026-1731, BeyondTrust Remote Support); 11,000 BeyondTrust Remote Support instances exposed online, 8,500 of them on-premises deployments requiring manual patching