
CISA Gives Feds 3 Days to Patch Critical Dell Vulnerability

Summary

– CISA ordered U.S. government agencies to patch a critical Dell vulnerability (CVE-2026-22769) within three days due to active exploitation.
– The flaw in Dell’s RecoverPoint is being exploited by UNC6201, a suspected Chinese hacking group, to deploy malware including the new Grimbolt backdoor.
– UNC6201 has used this access since mid-2024 to move laterally and maintain persistence, with possible links to the known Silk Typhoon espionage group.
– CISA added the vulnerability to its Known Exploited Vulnerabilities catalog, mandating federal agencies apply patches or discontinue use of the product.
– This follows another recent CISA directive giving agencies three days to patch an exploited vulnerability in BeyondTrust Remote Support.

Federal agencies have been directed to immediately address a critical security flaw in Dell software, with a strict three-day deadline issued by the nation’s top cybersecurity authority. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has mandated that government systems be patched against a maximum-severity Dell vulnerability that is under active attack. This urgent order highlights the serious risk posed by a weakness that hackers have been exploiting for months.

Security experts from Mandiant and Google’s Threat Intelligence Group have linked the exploitation to a suspected Chinese cyberespionage operation tracked as UNC6201. The group is taking advantage of a hardcoded-credential flaw, identified as CVE-2026-22769, within Dell’s RecoverPoint solution. This product is commonly used for backing up and recovering VMware virtual machines. After breaching a network, the attackers deploy a suite of malicious tools to maintain access and move laterally.

A key component of their recent activity is a newly identified backdoor called Grimbolt. This malware represents a technical evolution, built with a compilation technique that makes analysis more difficult for defenders. It appears to have replaced an older backdoor known as Brickstorm, though researchers are unsure if this switch was a routine upgrade or a direct response to security teams disrupting their operations.

Analysis of incident response engagements revealed that UNC6201, a suspected PRC-nexus threat cluster, has exploited this flaw since at least mid-2024 to move laterally, maintain persistent access, and deploy malware, the researchers stated. Investigators have also noted connections between this group and another known Chinese state-backed hacking collective, Silk Typhoon. While not identical, the overlap suggests shared tactics or infrastructure. Silk Typhoon, also tracked as UNC5221, is infamous for previous breaches of U.S. government systems, including agencies like the Treasury Department.

In response to the active threats, CISA has placed this Dell vulnerability on its Known Exploited Vulnerabilities list. The directive orders Federal Civilian Executive Branch agencies to apply necessary patches or mitigations by the end of the upcoming Saturday. CISA emphasized that such flaws are common entry points for malicious actors and represent a substantial risk to federal networks. Agencies are instructed to follow vendor guidance, apply relevant cloud security protocols, or stop using the product if no fix is available.
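To show what a federal or enterprise team does with a KEV listing in practice, here is an added example (not code from the article, from CISA or from Dell) that parses a KEV-style feed, matches entries against a local asset inventory, and ranks them by how much of the remediation window remains. The JSON field names mirror the public KEV catalog feed; the entries, dates, inventory and the second and third CVE identifiers are constructed sample data, and only CVE-2026-22769 comes from the article.

```python
"""Triage Known Exploited Vulnerabilities (KEV) entries against an asset inventory.

Added example, not part of the article or of any CISA tooling. Field names
(cveID, vendorProject, product, dateAdded, dueDate, requiredAction) follow the
public KEV feed; every value below is constructed sample data except the Dell
CVE identifier, which the article reports.
"""
import json
from datetime import date

# Constructed sample in the shape of the KEV feed. Dates are assumed, and the
# two non-Dell entries use placeholder identifiers with no real CVE behind them.
SAMPLE_KEV_JSON = json.dumps({
    "title": "Known Exploited Vulnerabilities (constructed sample)",
    "vulnerabilities": [
        {
            "cveID": "CVE-2026-22769",
            "vendorProject": "Dell",
            "product": "RecoverPoint",
            "dateAdded": "2026-02-04",
            "dueDate": "2026-02-07",
            "requiredAction": "Apply mitigations per vendor instructions or "
                              "discontinue use of the product.",
        },
        {
            "cveID": "CVE-0000-00000",  # placeholder, constructed
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "dateAdded": "2026-01-10",
            "dueDate": "2026-01-31",
            "requiredAction": "Apply mitigations per vendor instructions.",
        },
        {
            "cveID": "CVE-0000-00001",  # placeholder, constructed, not in inventory
            "vendorProject": "OtherVendor",
            "product": "OtherProduct",
            "dateAdded": "2026-01-20",
            "dueDate": "2026-02-10",
            "requiredAction": "Apply mitigations per vendor instructions.",
        },
    ],
})

# Constructed asset inventory: (vendor, product) pairs the organisation runs.
INVENTORY = {("dell", "recoverpoint"), ("examplevendor", "exampleproduct")}


def parse_kev(raw: str) -> list[dict]:
    """Return the vulnerability entries from a KEV-style JSON document."""
    return json.loads(raw)["vulnerabilities"]


def remediation_window_days(entry: dict) -> int:
    """Days CISA allowed between adding the entry and its due date."""
    added = date.fromisoformat(entry["dateAdded"])
    due = date.fromisoformat(entry["dueDate"])
    return (due - added).days


def triage(entries: list[dict], inventory: set, today: date) -> list[dict]:
    """Keep entries whose product is in inventory; rank by days left to the due date.

    Status: OVERDUE if the due date has passed, URGENT if three days or fewer
    remain (the window the article describes), otherwise SCHEDULED.
    """
    results = []
    for e in entries:
        key = (e["vendorProject"].lower(), e["product"].lower())
        if key not in inventory:
            continue  # not deployed here; nothing to remediate
        days_left = (date.fromisoformat(e["dueDate"]) - today).days
        if days_left < 0:
            status = "OVERDUE"
        elif days_left <= 3:
            status = "URGENT"
        else:
            status = "SCHEDULED"
        results.append({
            "cveID": e["cveID"],
            "product": f'{e["vendorProject"]} {e["product"]}',
            "days_left": days_left,
            "status": status,
            "requiredAction": e["requiredAction"],
        })
    # Most pressing first: overdue items sort before those still in their window.
    results.sort(key=lambda r: r["days_left"])
    return results


if __name__ == "__main__":
    for row in triage(parse_kev(SAMPLE_KEV_JSON), INVENTORY, date(2026, 2, 5)):
        print(f'{row["status"]:9} {row["cveID"]:16} {row["product"]:28} '
              f'{row["days_left"]:+d} days  {row["requiredAction"]}')
```

Against a live feed, the only change is to replace `SAMPLE_KEV_JSON` with the downloaded catalog and `INVENTORY` with the organisation's CMDB export; the inventory match is deliberately on vendor and product only, because KEV entries do not carry version ranges, so every matched item still needs a version check against the vendor advisory before it can be closed.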

This urgent patching order follows a similar recent mandate from CISA concerning a different widely exploited vulnerability in BeyondTrust Remote Support software, underscoring the persistent pressure on federal IT teams to rapidly secure their systems against ongoing threats.

(Source: Bleeping Computer)
