Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to vulnerabilities
CriticalCISA KEVExploited in the wildPublic exploit

Hardcoded Tomcat Manager Credentials in Dell RecoverPoint for Virtual Machines

IdentifiersCVE-2026-22769CWE-798· Use of Hard-coded Credentials

CVE-2026-22769 is a critical use-of-hard-coded-credentials vulnerability in Dell RecoverPoint for Virtual Machines affecting versions prior to 6.0.3.1 HF1. The issue is caused by hardcoded administrative credentials for the integrated Apache Tomcat Manager, reported in Tomcat configuration files such as tomcat-users.xml on the appliance. An attacker with knowledge of the embedded credential can authenticate remotely to the Tomcat Manager interface and abuse the /manager/text/deploy endpoint to upload a malicious WAR archive. Observed exploitation deployed the SLAYSTYLE web shell, after which attackers were able to execute commands as root on the appliance. Reporting also indicates attackers established persistence by modifying legitimate startup-related scripts such as convert_hosts.sh, and then used the compromised appliance as a foothold for broader post-compromise activity.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can give an unauthenticated remote attacker unauthorized access to the underlying RecoverPoint for Virtual Machines appliance operating system with root-level code execution and persistence. In observed intrusions, attackers used this access to deploy web shells and backdoors including SLAYSTYLE, BRICKSTORM, and GRIMBOLT; move laterally; pivot into VMware and internal infrastructure; maintain long-term access; and potentially undermine backup and disaster recovery systems. Given the role of the product, compromise can affect confidentiality, integrity, and availability and may impair restoration capability during incident response or ransomware recovery.

Mitigation

If you can’t patch tonight, do this now.

If immediate upgrade is not possible, apply Dell’s remediation script from DSA-2026-079 as an urgent interim measure. Restrict RecoverPoint for Virtual Machines to trusted, access-controlled internal networks only; do not expose it to untrusted or public networks; and enforce firewalling and segmentation around the appliance. Monitor for suspicious access to Apache Tomcat Manager, especially requests to /manager and /manager/text/deploy, review Tomcat deployment directories and logs for unauthorized WAR deployment, inspect startup script modifications such as convert_hosts.sh, and hunt for known post-exploitation artifacts and malware associated with this activity. Because exploitation in the wild has been reported, organizations should assume possible prior compromise and validate appliance integrity and backup trustworthiness.

Remediation

Patch, then assume compromise.

Upgrade Dell RecoverPoint for Virtual Machines to version 6.0.3.1 HF1 or later. Dell also provided a vendor remediation script referenced in advisory DSA-2026-079 for cases where immediate upgrade is not possible. For older 5.3 releases, Dell indicates customers may need to first migrate or upgrade to a supported release before applying the final fixed version or remediation path. Because the vulnerability has been actively exploited as a zero-day, remediation should be paired with incident response review to determine whether compromise occurred prior to patching.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Dell TechnologiesRecoverpoint For Virtual Machinesapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

162 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

162 SOURCESView more in app
the hacker newsNews
Jun 8, 2026
VerdantBamboo Deploys BSD Variant of BRICKSTORM on Linux Appliances

A critical vulnerability in Dell RecoverPoint for Virtual Machines, rated CVSS 10.0, that was exploited as a zero-day by a suspected China-nexus threat cluster.

Read more
recorded future blogNews
Mar 12, 2026
February 2026 CVE Landscape: 13 Critical Vulnerabilities Mark 43% Drop from January

A vulnerability in Dell RecoverPoint for VMs appliances that was exploited by UNC6201 to compromise appliances and deploy multiple post-exploitation payloads.

Read more
ahnlab asec blogNews
Mar 11, 2026
2026년 2월 APT 그룹 동향 보고서 - ASEC

Dell RecoverPoint for Virtual Machines 제로데이로, UNC6201이 이를 악용해 VMware 백업·복구 인프라를 침해하고 백도어를 배포해 복구 체계를 무력화한 취약점.

Read more
ahnlab asec blogNews
Mar 11, 2026
February 2026 APT Group Trends Report - ASEC

A zero-day vulnerability in Dell RecoverPoint for Virtual Machines exploited by UNC6201 to compromise VMware backup and recovery infrastructure.

Read more
+22 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence40

Every observed campaign linking this CVE to a named adversary.

Associated malware73

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity128

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-22769
NVD
nvd.nist.gov/vuln/detail/CVE-2026-22769
MITRE CWE · CWE-798
Use of Hard-coded Credentials
Patch
dell.com/support/kbdoc/en-us/000426773/dsa-2026-079
Third Party Advisory
cloud.google.com/blog/topics/threat-intelligence/unc6201-exploiting-dell-recoverpoint-zero-day
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-22769