Dell's Hard-Coded Flaw: A Nation-State Goldmine

A China-related attacker has exploited the vendor flaw since mid-2024, allowing it to move laterally, maintain persistent access, and deploy malware.

Alexander Culafi, Senior News Writer, Dark Reading
February 18, 2026

A Chinese nation-state threat actor targeted a Dell hard-coded credential vulnerability for the better part of two years, emphasizing the danger of what happens when a product ships pre-compromised.

Yesterday, Google Cloud's Mandiant detailed CVE-2026-22769, a CVSS 10 vulnerability in Dell RecoverPoint for Virtual Machines, a data protection product sold by the tech giant. Researchers said suspected China-nexus threat cluster UNC6201 "has exploited this flaw since at least mid-2024 to move laterally, maintain persistent access, and deploy malware including Slaystyle, Brickstorm, and a novel backdoor tracked as Grimbolt."

Grimbolt is notable because, as Mandiant chief technology officer (CTO) Charles Carmakal wrote on LinkedIn, "This is a C# backdoor compiled using native ahead-of-time (AOT) compilation, making it harder to reverse engineer."

The threat actor used the flaw to compromise Dell appliances and, in some cases, pivot to VMware virtual infrastructure. Though Google did not dive deeply into attacker motivations, UNC6201 historically has been known to conduct cyber espionage.

What is most alarming about this campaign is the nature of the vulnerability.
While analyzing compromised appliances, Mandiant identified Web requests using the "admin" username directed to the installed Apache Tomcat Manager, which is used to deploy a number of components in RecoverPoint. "After analyzing various configuration files belonging to Tomcat Manager, we identified a set of hard-coded default credentials for the admin user in /home/kos/tomcat9/tomcat-users.xml. Using these credentials, a threat actor could authenticate to the Dell RecoverPoint Tomcat Manager, upload a malicious WAR file using the /manager/text/deploy endpoint, and then execute commands as root on the appliance," the blog post read.

According to Dell's advisory, CVE-2026-22769 is so dangerous because "an unauthenticated remote attacker with knowledge of the hard-coded credential could potentially exploit this vulnerability leading to unauthorized access to the underlying operating system and root-level persistence."

The company strongly recommends that affected customers upgrade to a fixed version of RecoverPoint for Virtual Machines (6.0.3.1 HF1) or follow the instructions outlined in the advisory to run a remediation script. Because the credential is shared by every affected appliance, patching alone does not establish that an appliance was never accessed; customers should also review Tomcat Manager access for deployments they did not make.

Persistence of Hard-Coded Credential Vulnerabilities

CVE-2026-22769 represents one of the most extreme versions of a hard-coded credential flaw: the attacker uses a key that ships with the product itself to walk in the front door, and in this case the door opens onto root access.

Neither Dell nor the researchers have said exactly how or why these credentials were left in, though, based on Mandiant's research, it could involve a configuration oversight of some kind. Dark Reading contacted Dell for additional information. A spokesperson declined to address the issue but said in a statement, "We have received a report of limited active exploitation of this vulnerability."
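The mechanism Mandiant describes, a Manager account that can reach /manager/text/deploy, is something a defender can audit directly from the appliance's own files. The script below is an added example, not Dell's remediation script or Mandiant's tooling: it parses a tomcat-users.xml for accounts holding Manager roles (manager-script is the role Tomcat requires for the /manager/text/* interface, including deploy), scans Tomcat access-log lines in the default "common" format for requests to that interface, and shows what the configuration looks like with those accounts removed. The XML and log lines are constructed samples; the real RecoverPoint credential values were not published and are not reproduced here, and the file path /home/kos/tomcat9/tomcat-users.xml from the advisory is only used as a label.

```python
"""Audit Tomcat Manager exposure: hard-coded Manager accounts and deploy activity.

Added example code, not Dell's or Mandiant's. Sample XML and log lines are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Roles that grant access to the Manager webapp. manager-script is the one that
# authorizes /manager/text/*, which includes the /manager/text/deploy endpoint.
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status"}

# Constructed sample resembling a vulnerable tomcat-users.xml (every value is invented;
# the layout mirrors the file Tomcat ships, not the actual RecoverPoint file).
SAMPLE_USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-script"/>
  <role rolename="manager-gui"/>
  <user username="admin" password="changeme" roles="manager-script,manager-gui"/>
  <user username="app_ro" password="x" roles="manager-status"/>
  <user username="reporting" password="y" roles="reporter"/>
</tomcat-users>
"""

# Constructed access-log lines in Tomcat's "common" AccessLogValve pattern:
#   %h %l %u %t "%r" %s %b  ->  host ident user [time] "METHOD path proto" status bytes
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - admin [10/Jun/2024:02:14:01 +0000] "PUT /manager/text/deploy?path=/svc&update=true HTTP/1.1" 200 61
203.0.113.7 - admin [10/Jun/2024:02:14:09 +0000] "GET /svc/cmd.jsp?c=id HTTP/1.1" 200 113
10.0.0.5 - - [10/Jun/2024:08:00:00 +0000] "GET /index.html HTTP/1.1" 200 1204
203.0.113.7 - admin [11/Jun/2024:03:05:11 +0000] "GET /manager/text/list HTTP/1.1" 200 212
"""

ACCESS_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)


def _local(tag):
    """Strip an XML namespace prefix; tomcat-users.xml may or may not declare one."""
    return tag.split("}")[-1]


def _user_roles(user_el):
    return {r.strip() for r in user_el.get("roles", "").split(",") if r.strip()}


def manager_accounts(xml_text):
    """Return {username: sorted manager roles} for every <user> that can use the Manager app."""
    found = {}
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "user":
            continue
        hit = _user_roles(el) & MANAGER_ROLES
        if hit:
            # Tomcat accepts either attribute name for the account.
            found[el.get("username") or el.get("name")] = sorted(hit)
    return found


def manager_text_hits(log_text):
    """Return (user, method, path-without-query, status) for each /manager/text/* request."""
    hits = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if m and m.group("path").startswith("/manager/text/"):
            hits.append((m.group("user"), m.group("method"),
                         m.group("path").split("?", 1)[0], int(m.group("status"))))
    return hits


def strip_manager_accounts(xml_text):
    """Return (xml with every Manager-capable <user> removed, list of removed usernames).

    Illustrates the config-level effect of remediation; the vendor's fixed build or
    remediation script is the supported route on a real appliance.
    """
    root = ET.fromstring(xml_text)
    removed = []
    for parent in root.iter():
        for child in list(parent):
            if _local(child.tag) == "user" and _user_roles(child) & MANAGER_ROLES:
                parent.remove(child)
                removed.append(child.get("username") or child.get("name"))
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    print("Manager-capable accounts:", manager_accounts(SAMPLE_USERS_XML))
    for user, method, path, status in manager_text_hits(SAMPLE_ACCESS_LOG):
        print(f"{user} {method} {path} -> {status}")
    _, removed = strip_manager_accounts(SAMPLE_USERS_XML)
    print("Removed:", removed)
```

On a real appliance the interesting finding is any deploy request the operations team cannot account for, and any new context (here the constructed /svc) appearing in the Tomcat webapps directory; the audit of tomcat-users.xml is a one-line check, but an empty Manager account list after remediation says nothing about what was deployed before it.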
Mayuresh Dani, security research manager at Qualys's threat research unit, says CVE-2026-22769 looks like a classic case of an internal or support account "that was never properly removed or made configurable."

"Hardcoded or default accounts are often used to bind internal components together during early development and then become hard to unbind or [are] forgotten once configuration and orchestration code depends on them," Dani tells Dark Reading. "Moreover, security testing efforts are often focused on customer-facing login flows, leaving internal admin endpoints like Tomcat Manager or 'localhost only' ports to get less consistent review. This problem is exacerbated especially in older codebases. Additionally, such solutions are usually patched at a slow pace, and often still carry legacy design sins like embedded credentials."

Hard-coded credential flaws aren't the most common type of vulnerability, but they do pop up regularly. The reasons vary by product and context. Sometimes credentials are left in product builds that are intended for internal use only (such as test environments) but make it into production. In other cases, the team was aware of the issue but did not fix it because of deadlines and technical debt.

Martin Jartelius, AI product director at security vendor Outpost24, tells Dark Reading that, in many cases, the oversight is the result of organizations not checking older codebases. "We have seen cases in the IoT/OT space where there are hidden default accounts," he says. "Essentially, the longer a codebase has been around, the more likely you are to encounter this problem."

About the Author
Alexander Culafi, Senior News Writer, Dark Reading. Alex is an award-winning writer, journalist, and podcast host based in Boston.