Summary
CVE-2026-22769 is a severe vulnerability in Dell RecoverPoint for Virtual Machines caused by hardcoded credentials in the Apache Tomcat Manager configuration; it lets an unauthenticated remote attacker obtain root-level access and run commands on the appliance. The China-affiliated threat group UNC6201 has been actively exploiting the vulnerability since at least mid-2024, using it to establish persistence, deploy web shells and backdoors, and move laterally into VMware environments. Because it affects versions older than 6.0.3.1 HF1, it must be fixed right away to avoid complete system compromise and long-term undetected access.
Urgent Actions Required
- Upgrade to Dell RecoverPoint for Virtual Machines 6.0.3.1 HF1 or later immediately.
- Apply Dell’s remediation script if an upgrade cannot be performed right away.
- Review Tomcat audit logs for suspicious requests to /manager endpoints.
- Check for unknown WAR files in Tomcat directories and investigate any unauthorized deployments.
- Inspect system scripts such as convert_hosts.sh for unauthorized modifications indicating persistence.
- Monitor for indicators of compromise, including suspicious network activity and known malicious IPs.
Which Systems Are Vulnerable to CVE-2026-22769?
Technical Overview
- Vulnerability Type: Use of Hard-coded Credentials (CWE-798) in Apache Tomcat Manager configuration
- Affected Software/Versions: Dell RecoverPoint for Virtual Machines versions prior to 6.0.3.1 HF1 (including 5.3 SP4 P1 and multiple 6.0 variants such as SP1, SP2, SP3 and related patch levels)
- CVSS Vector: v3.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
- Patch Availability: Yes, available
Vendor advisory: DSA-2026-079: Security Update for RecoverPoint for Virtual Machines Hardcoded Credential Vulnerability (Dell)
How Does the CVE-2026-22769 Exploit Work?
The attack typically follows these steps:
What Causes CVE-2026-22769?
Vulnerability Root Cause:
This flaw is due to hardcoded credentials in the Apache Tomcat Manager configuration, which let an attacker log in remotely without valid credentials of their own and gain full system access.
How Can You Mitigate CVE-2026-22769?
If immediate patching is delayed or not possible:
- Limit access to RecoverPoint management interfaces to trusted networks only.
- Block any internet exposure of the appliance.
- Restrict or disable access to the Tomcat Manager interface.
- Monitor logs for unusual /manager access or WAR file uploads.
- Check for suspicious files or web shells in Tomcat directories.
Which Assets and Systems Are at Risk?
- Asset Types Affected:
- Dell RecoverPoint for Virtual Machines appliances - Vulnerable versions prior to 6.0.3.1 HF1
- Apache Tomcat Manager component - Used for management and deployment within the appliance
- VMware-integrated environments - Systems connected to vCenter and ESXi through RecoverPoint
- Business-Critical Systems at Risk:
- Disaster recovery infrastructure - Systems responsible for backup and replication operations
- Virtual machine environments - Access to replicated workloads and associated data
- vCenter and ESXi management layers - Due to trusted integration with RecoverPoint
- Exposure Level:
- Internet-facing RecoverPoint instances - Highly exposed if management interfaces are publicly accessible
- Internal infrastructure appliances - Still at risk due to trusted network placement and broad access privileges
- Environments with weak access controls - Increased risk if management interfaces are not restricted to authorized users only
Will Patching CVE-2026-22769 Cause Downtime?
Patch application impact: May require planned downtime during upgrade to version 6.0.3.1 HF1 or when applying remediation.
Mitigation (if immediate patching is not possible): Limit access to management interfaces and avoid internet exposure. This reduces risk but does not fix the issue.
How Can You Detect CVE-2026-22769 Exploitation?
Exploitation Signatures:
Look for access to Apache Tomcat Manager endpoints such as /manager/html or /manager/text/deploy, especially successful logins using default or unexpected credentials and WAR file upload activity.
MITRE ATT&CK Mapping:
Indicators of Compromise (IOCs/IOAs):
- Requests to /manager/html or /manager/text/deploy from unknown sources
- Presence of suspicious WAR files in Tomcat directories (e.g., /var/lib/tomcat9, /webapps)
- Files or activity linked to SLAYSTYLE, BRICKSTORM, or GRIMBOLT malware
- Connections to known C2 IP address 149.248.11.71
Behavioral Indicators:
- Unexpected WAR deployments or new applications in Tomcat
- Execution of commands via web shell on the appliance
- Modification of startup scripts or system files for persistence
- Creation of unusual virtual network interfaces (“Ghost NICs”)
Alerting Strategy:
- Priority: Critical
- Trigger alerts for:
- Access to Tomcat Manager endpoints from untrusted sources
- WAR file uploads or deployments
- Outbound connections to suspicious IPs or unusual ports
- Unauthorized changes to system files or configurations
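As an added example (not code from this page or from Dell), the following Python script parses constructed Tomcat access-log lines in the AccessLogValve common format and tags the signatures listed above: successful Manager requests from outside an assumed trusted admin network, successful PUT deployments through /manager/text/deploy, failed Manager logins, and any request from the C2 address named in the IOCs. The trusted prefix 10.0.0. and every log line are assumptions constructed for the demonstration.

```python
import re
# Constructed sample lines in Tomcat AccessLogValve "common" format (not data from any real appliance).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2026:09:14:02 +0000] "GET /RecoverPoint/ HTTP/1.1" 200 5120
10.0.0.5 - - [12/Mar/2026:09:16:00 +0000] "GET /manager/html HTTP/1.1" 401 2450
203.0.113.7 - - [12/Mar/2026:09:15:10 +0000] "GET /manager/html HTTP/1.1" 200 9876
203.0.113.7 - - [12/Mar/2026:09:15:31 +0000] "PUT /manager/text/deploy?path=/ws&update=true HTTP/1.1" 200 54
149.248.11.71 - - [12/Mar/2026:09:17:45 +0000] "GET /ws/index.jsp HTTP/1.1" 200 310
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
TRUSTED_PREFIXES = ("10.0.0.",)  # assumed: the only network allowed to reach the manager app
KNOWN_C2 = {"149.248.11.71"}     # C2 address listed in the advisory's IOCs
MANAGER_PATHS = ("/manager/html", "/manager/text/")

def parse(line):
    """Parse one access-log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(rec):
    """Return the detection tags that apply to one parsed request."""
    tags = []
    path = rec["path"].split("?", 1)[0]          # drop the query string before matching
    untrusted = not rec["ip"].startswith(TRUSTED_PREFIXES)
    if rec["ip"] in KNOWN_C2:
        tags.append("known_c2_ip")
    if path.startswith(MANAGER_PATHS):
        # A successful manager request from outside the admin network is the core exploitation signature.
        if rec["status"] == "200" and untrusted:
            tags.append("manager_access_untrusted")
        elif rec["status"] != "200":
            tags.append("manager_auth_failure")  # also worth tracking: probing of the manager app
    if path.startswith("/manager/text/deploy") and rec["method"] == "PUT" and rec["status"] == "200":
        tags.append("war_deploy")  # text API deploy: a WAR body was uploaded and deployed
    return tags

def analyze(log_text):
    """Run every line through the classifier and return only the flagged requests, in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and (tags := classify(rec)):
            findings.append({"ip": rec["ip"], "method": rec["method"],
                             "path": rec["path"], "tags": ",".join(tags)})
    return findings
```

Point analyze() at the contents of the appliance's Tomcat access log and review every finding tagged manager_access_untrusted or war_deploy first, then correlate the deployed path (here /ws) with the WAR file checks described above.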
Remediation & Response
- Remediation Timeline:
- Immediate: Apply Dell’s remediation or restrict access to management interfaces and remove internet exposure.
- As soon as possible: Upgrade to version 6.0.3.1 HF1.
- Post-patch: Verify all systems are updated and no vulnerable versions remain.
- Rollback Plan:
If issues occur after upgrading, revert to the previous version and reapply access restrictions to limit exposure.
- Incident Response Considerations:
- Assume compromise and inspect systems for unauthorized access or malicious deployments.
- Review Tomcat logs for access to /manager endpoints or WAR file uploads.
- Check for suspicious files, web shells, or modified system components.
- Investigate related VMware environments for signs of lateral movement or unusual network activity.
Compliance & Governance Notes
- CVE-2026-22769 is listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, requiring immediate remediation or mitigation as per vendor guidance.
- Follow CISA BOD 22-01 recommendations, including applying patches or discontinuing use if remediation is not possible.
- Monitor and review logs for access to Tomcat Manager endpoints such as /manager/html and /manager/text/deploy.
- Track and document remediation actions, including upgrades to version 6.0.3.1 HF1 or application of vendor fixes.
- Restrict access to management interfaces and ensure they are not exposed to untrusted or public networks.
CVSS Breakdown Table
| Metric | Value | Description |
|---|---|---|
| Base Score | 10.0 | Critical severity indicating maximum impact and ease of exploitation |
| Attack Vector | Network | Can be exploited remotely over network-exposed management interfaces |
| Attack Complexity | Low | Exploitation is straightforward with crafted input; no special conditions are required |
| Privileges Required | None | Does not require authentication before exploitation |
| User Interaction | None | No user involvement needed |
| Scope | Changed | Compromise can impact systems beyond the vulnerable component |
| Confidentiality Impact | High | Full access to sensitive data, including backups and configurations |
| Integrity Impact | High | Ability to alter system configurations and backup data |
| Availability Impact | High | Can disrupt or disable recovery and replication services |
References: