Threat actors are weaponizing a zero-day vulnerability in Dell RecoverPoint for Virtual Machines in a cyberattack campaign that drops a novel backdoor, according to new findings from Mandiant and Google Threat Intelligence Group.
The product allows users to manage backup and disaster recovery for VMware virtual machines.
The vulnerability, listed as CVE-2026-22769, is a hardcoded credential vulnerability that can allow an unauthenticated attacker to gain access to an underlying system and maintain root-level persistence. The vulnerability has a severity score of 10.
A threat actor Google tracks as UNC6201 has been using the flaw in attacks since at least 2024, with the ability to maintain persistent access, move laterally and deploy Brickstorm, Slaystyle and a novel backdoor called Grimbolt.
Brickstorm is a backdoor written in Go that is used to target VMware vCenter servers, according to researchers.
In these newly disclosed attacks, UNC6201 has replaced the Brickstorm malware with Grimbolt, a backdoor that is more difficult to detect.
“This is a C# backdoor compiled using native ahead-of-time compilation, making it harder to reverse engineer,” Charles Carmakal, CTO and board advisor, Mandiant Consulting, said in a LinkedIn post.
Mandiant discovered the vulnerability while investigating multiple instances of Dell RecoverPoint for Virtual Machines within a victim’s environment, according to Austin Larsen, principal threat analyst at GTIG.
Larsen said they are aware of fewer than a dozen impacted organizations, but warned that organizations previously targeted by Brickstorm should check for Grimbolt in their environments.
Dell, meanwhile, is urging customers to upgrade and apply mitigations it has provided in a new advisory.
“We have received a report of limited active exploitation of this vulnerability,” a spokesperson for Dell told Cybersecurity Dive.
The company urged customers to immediately implement one of the remediations detailed in the security advisory.