![\"CISA](\"https:\/\/www.bleepstatic.com\/content\/hl-images\/2025\/01\/13\/CISA--headpic.jpg\")
<\/p>\n<\/p>\n
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered government agencies to patch their systems within three days against a maximum-severity Dell vulnerability that has been under active exploitation since mid-2024.<\/p>\n
According to security researchers from Mandiant and the Google Threat Intelligence Group (GTIG), this hardcoded-credential vulnerability (CVE-2026-22769<\/a>) in Dell’s RecoverPoint (a solution used for VMware virtual machine backup and recovery) is being exploited by a suspected Chinese hacking group<\/a> tracked as UNC6201.<\/p>\n After gaining access to a victim’s network in CVE-2026-22769 attacks, UNC6201 deploys several malware payloads, including a newly identified backdoor called Grimbolt. This malware is built using a relatively new compilation technique that makes it harder to analyze than its predecessor, the Brickstorm<\/a> backdoor.<\/p>\n While the group swapped Brickstorm for Grimbolt in September 2025, it’s not yet clear whether this switch was part of a planned upgrade or “a reaction to incident response efforts led by Mandiant and other industry partners.”<\/p>\n “Analysis of incident response engagements revealed that UNC6201, a suspected PRC-nexus threat cluster, has exploited this flaw since at least mid-2024 to move laterally, maintain persistent access, and deploy malware including SLAYSTYLE, BRICKSTORM, and a novel backdoor tracked as GRIMBOLT,” they said.<\/p>\n The security researchers have also found overlaps between UNC6201 and the Silk Typhoon Chinese state-backed cyberespionage group (although the two are not considered identical by GTIG), also tracked as UNC5221 and known for exploiting Ivanti zero-days to target government agencies<\/a> with custom Spawnant<\/a> and Zipline<\/a> malware.<\/p>\n Silk Typhoon has previously breached the systems of several U.S. government agencies, including the U.S. Treasury Department<\/a>, the Office of Foreign Assets Control (OFAC)<\/a>, and the Committee on Foreign Investment in the United States (CFIUS)<\/a>.<\/p>\n CISA has now added<\/a> the security flaw to its Known Exploited Vulnerabilities (KEV) catalog<\/a> on Wednesday and ordered Federal Civilian Executive Branch (FCEB) agencies to secure their networks by the end of Saturday, February 21, as mandated by Binding Operational Directive (BOD) 22-01.<\/p>\n “These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA warned<\/a> on Wednesday. <\/p>\n “Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.”<\/p>\n Last week, CISA also gave U.S. federal agencies three days to secure their BeyondTrust Remote Support instances<\/a> against an actively exploited remote code execution vulnerability (CVE-2026-1731<\/a>).<\/p>\n Hacktron, which reported the vulnerability on January 31, warned in early February<\/a> that around 11,000 BeyondTrust Remote Support instances were exposed online, and that around 8,500 were on-premises deployments that required manual patching.<\/span><\/p>\n ![\"CISA](\"https:\/\/www.bleepstatic.com\/c\/w\/ai-security-board-report-template.jpg\")
<\/a> <\/div>\nFeds ordered to prioritize CVE-2026-22769 patches<\/h2>\n