Dell has released an urgent security update for RecoverPoint for Virtual Machines after confirming active exploitation of a critical vulnerability that could allow attackers to gain root-level access to affected systems.
The flaw, tracked as CVE-2026-22769, involves hardcoded credentials embedded in RecoverPoint for Virtual Machines versions prior to 6.0.3.1 HF1. An unauthenticated remote attacker with knowledge of the credentials could exploit the issue to gain unauthorized access to the underlying operating system and establish persistent control. The vulnerability carries a CVSS score of 10.0, the highest possible severity rating, and customers running affected versions are strongly advised to apply remediation steps immediately.
According to the advisory, the vulnerability exists in the Apache Tomcat Manager component used by RecoverPoint for Virtual Machines. The hardcoded credentials allowed attackers to authenticate as an administrative user and deploy malicious web application files, ultimately enabling command execution as root on the appliance.
Dell confirmed that the issue was reported by Google Mandiant and that limited active exploitation has been observed in the wild.
Google’s Threat Intelligence Group and Mandiant reported that the vulnerability has been exploited to maintain long-term access to affected systems, move laterally within compromised environments, and deploy custom backdoor tooling designed to evade detection and persist across system reboots.
In several observed cases, compromised RecoverPoint appliances were used as entry points into VMware virtual infrastructure. Attackers were observed modifying legitimate startup scripts, creating temporary network interfaces, and selectively filtering network traffic to conceal malicious activity while maintaining access.
Dell stated that RecoverPoint for Virtual Machines is intended for use only within trusted, access-controlled internal networks and shouldn’t be exposed to untrusted or public environments. Other Dell products, including RecoverPoint Classic, are not affected.
The confirmed real-world exploitation makes this vulnerability a high-priority security concern.
Users are advised to upgrade to RecoverPoint for Virtual Machines version 6.0.3.1 HF1 or apply the official remediation script provided in Dell’s Knowledge Base. Older releases should first be upgraded to a supported version before remediation is applied.
Organizations running RecoverPoint for Virtual Machines are encouraged to review their environments for indicators of compromise and apply the recommended updates as soon as possible.
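As a starting point for that review, the sketch below scans Tomcat access-log lines for web application deployments made through the Tomcat Manager component and for later requests to any context deployed that way. It is an added example, not code from Dell or Mandiant; the endpoint paths are the standard Apache Tomcat Manager ones rather than values from the advisory, the log format is assumed to be Tomcat's default "common" pattern, and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: logs use Tomcat's AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LINE = re.compile(
    r'(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Standard Tomcat Manager endpoints that install a web application.
DEPLOY_PATHS = ("/manager/text/deploy", "/manager/html/upload", "/manager/html/deploy")

# Constructed sample lines (documentation addresses, made-up user and context names).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2026:10:01:00 +0000] "PUT /manager/text/deploy?path=/example HTTP/1.1" 401 0',
    '192.0.2.10 - example-user [01/Jan/2026:10:01:02 +0000] "PUT /manager/text/deploy?path=/example HTTP/1.1" 200 64',
    '192.0.2.10 - - [01/Jan/2026:10:01:30 +0000] "GET /example/index.jsp HTTP/1.1" 200 128',
    '10.0.0.5 - - [01/Jan/2026:10:02:00 +0000] "GET /example2/status HTTP/1.1" 404 0',
    '10.0.0.5 - - [01/Jan/2026:10:03:00 +0000] "POST /manager/html/upload HTTP/1.1" 403 0',
]

def find_manager_deployments(lines):
    """Return (deployment attempts, requests to contexts deployed via the Manager)."""
    deployments, follow_ups, contexts = [], [], set()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        url = urlsplit(m["target"])
        event = {"host": m["host"], "user": m["user"], "time": m["ts"],
                 "path": url.path, "status": int(m["status"])}
        if url.path in DEPLOY_PATHS:
            # The text interface names the target context in ?path=; HTML uploads do not.
            ctx = parse_qs(url.query).get("path", [""])[0].strip("/")
            event["context"] = "/" + ctx if ctx else None
            event["ok"] = 200 <= event["status"] < 300
            deployments.append(event)
            if event["ok"] and ctx:
                contexts.add("/" + ctx)
        elif any(url.path == c or url.path.startswith(c + "/") for c in contexts):
            follow_ups.append(event)  # traffic to an application installed via the Manager
    return deployments, follow_ups

if __name__ == "__main__":
    deployed, hits = find_manager_deployments(SAMPLE_LOG)
    for d in deployed:
        print("DEPLOY", d["time"], d["host"], d["user"], d["context"], d["status"])
    for h in hits:
        print("FOLLOW-UP", h["time"], h["host"], h["path"], h["status"])
```

Any successful deployment that does not correspond to a known administrative change warrants investigation, and failed attempts show which hosts can reach the Manager interface at all.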
