
CVE-2026-22769: Dell RecoverPoint Zero-Day Exploited by China Since 2024 — CVSS 10.0
A Hardcoded Password. Root Access. Two Years Undetected.

Dell shipped a backup product with an admin password hardcoded in a config file. Chinese state hackers found it in mid-2024 and have been quietly exploiting it ever since.

CVE-2026-22769 affects Dell RecoverPoint for Virtual Machines — the software organizations trust to protect their VMware infrastructure. CVSS score: 10.0. Maximum severity. CISA added it to the Known Exploited Vulnerabilities catalog with a 3-day patch deadline for federal agencies.

The threat actor, tracked as UNC6201 by Google's Threat Intelligence Group (GTIG), deployed three custom malware families and invented a novel lateral movement technique using ephemeral virtual network interfaces.

The Vulnerability: Password in a Config File

Dell RecoverPoint for VMs ships with Apache Tomcat as its web management interface. The admin credentials were hardcoded in:

/home/kos/tomcat9/tomcat-users.xml

Username: admin. Password: hardcoded. This grants full access to t



