Dell Warns of RecoverPoint for VMs Zero-Day (Exploited Since Mid-2024)
Why It Matters
Compromise of the ESXi host gives attackers full control over virtual workloads, posing a systemic risk to data centers and cloud environments. Immediate patching and network segmentation are essential to prevent a cascade of breaches across the infrastructure.
Key Takeaways
- CVE‑2026‑22769 grants administrative access through hard‑coded credentials.
- Attackers can escalate to root on the ESXi host, compromising every VM it runs.
- Exploitation has been active since mid‑2024, according to Google's Threat Intelligence Group.
- Fix: upgrade to RecoverPoint 6.0.3.1 HF1; legacy versions need intermediate upgrade steps first.
- Isolate the management interface and audit for post‑exploitation artifacts.
Pulse Analysis
CVE‑2026‑22769 shows how vendor‑embedded credentials become a silent backdoor in enterprise data‑protection software. RecoverPoint for Virtual Machines sits at the intersection of backup and virtualization, which makes its management plane a high‑value target. Using hard‑coded admin accounts in the Tomcat‑based management interface, an attacker bypasses authentication entirely, uploads malicious code, and pivots to the ESXi hypervisor, where root access means unrestricted control over every virtual machine on the host. The chain illustrates how a single credential baked into critical infrastructure software can undermine every control layered above it.
The detection by Google's Threat Intelligence Group underlines the value of external monitoring and information sharing. That attackers have used the flaw since at least mid‑2024 implies a long dwell time in which they could refine tooling and establish persistence. Organizations running RecoverPoint without rigorous version tracking or network segmentation are especially exposed: anyone who can reach the management interface can exploit the flaw. The active exploitation is also a reminder that zero‑days surface in niche enterprise products, not only in mainstream platforms, and that patch management and threat‑intel integration must cover them.
Dell's remediation path, an upgrade to RecoverPoint 6.0.3.1 HF1 with prerequisite intermediate upgrades for legacy versions, adds operational work but is not optional. Administrators should inventory every deployment, confirm the current build level on each, and follow the staged upgrade sequence to avoid service disruption. Beyond patching, isolate the management interface from general networks, enforce multi‑factor authentication, and monitor the interface's upload and authentication logs. Finally, a post‑patch forensic review of the ESXi hosts is advisable to find any remaining foothold, since an attacker who reached the hypervisor before the patch is not removed by the patch.
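The inventory-and-verify step above is where most teams lose time, because hotfix suffixes such as "HF1" defeat naive string comparison. The script below is an added example, not Dell's tooling or anything from the advisory: it parses RecoverPoint version strings, compares them against the fixed build, and triages a constructed inventory. The version-string format (dotted numeric build, optionally followed by "HF<n>") and the hostnames are assumptions for illustration; confirm the real format against your own appliances before relying on it.

```python
"""Triage RecoverPoint for VMs deployments against the fixed build for CVE-2026-22769.

Added example; not Dell's code. The version format below is an assumption.
"""
import re
from typing import NamedTuple

# Fixed build named in Dell's advisory.
PATCHED_VERSION = "6.0.3.1 HF1"

# Assumed format: dotted numeric build, optional "HF<n>" hotfix suffix.
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


class RpVersion(NamedTuple):
    """Comparable version: numeric build fields first, then hotfix number.

    Tuple ordering gives 6.0.3.1 < 6.0.3.1 HF1 < 6.0.4, which plain string
    comparison gets wrong (e.g. "6.0.3.1 HF1" < "6.0.3.1" lexically is false,
    but "6.0.10" < "6.0.9" lexically is true).
    """
    build: tuple
    hotfix: int


def parse_version(text: str) -> RpVersion:
    """Parse a version string; raise ValueError on anything unrecognised."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised RecoverPoint version string: {text!r}")
    build = tuple(int(p) for p in m.group(1).split("."))
    # Pad short builds (e.g. "6.0.3") to four fields so 6.0.3 == 6.0.3.0.
    build = build + (0,) * max(0, 4 - len(build))
    hotfix = int(m.group(2)) if m.group(2) else 0
    return RpVersion(build, hotfix)


def is_patched(version: str) -> bool:
    """True if the given build is at or above the fixed build."""
    return parse_version(version) >= parse_version(PATCHED_VERSION)


def triage(inventory):
    """Map hostname -> status for a list of (hostname, version) pairs.

    Unparseable versions are flagged rather than silently treated as safe:
    an appliance you cannot classify is one you must check by hand.
    """
    report = {}
    for host, version in inventory:
        try:
            report[host] = "patched" if is_patched(version) else "needs upgrade"
        except ValueError:
            report[host] = "unknown version, verify manually"
    return report


def hosts_needing_upgrade(inventory):
    """Hostnames that still need the upgrade, oldest build first.

    Older builds are listed first because legacy versions need intermediate
    upgrade steps and therefore the longest maintenance windows.
    """
    pending = [(parse_version(v), h) for h, v in inventory
               if _VERSION_RE.match(v) and not is_patched(v)]
    return [h for _, h in sorted(pending)]


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("rp4vm-dc1-a", "6.0.3.1 HF1"),
    ("rp4vm-dc1-b", "6.0.3.1"),
    ("rp4vm-dc2-a", "5.3.2"),
    ("rp4vm-dc2-b", "6.0.3.1HF1"),
    ("rp4vm-lab", "n/a"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14s} {status}")
    print("upgrade order:", hosts_needing_upgrade(SAMPLE_INVENTORY))
```

Feed it the output of whatever inventory source you trust (CMDB export, vCenter plugin listing, or a manual survey); the point is that the comparison logic, not the data collection, is where "6.0.3.1" gets mistaken for "6.0.3.1 HF1".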