U.S. CISA adds Dell RecoverPoint and GitLab flaws to its Known Exploited Vulnerabilities catalog


Pierluigi Paganini February 19, 2026

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Dell RecoverPoint and GitLab flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Dell RecoverPoint and GitLab flaws to its Known Exploited Vulnerabilities (KEV) catalog.

Below are the flaws added to the catalog:

  • CVE-2021-22175 (CVSS score 6.8) GitLab Server-Side Request Forgery (SSRF) Vulnerability
  • CVE-2026-22769 Dell RecoverPoint for Virtual Machines (RP4VMs) Use of Hard-coded Credentials Vulnerability

The first vulnerability added to the catalog is a server-side request forgery (SSRF) issue in GitLab, tracked as CVE-2021-22175.

“When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab affecting all versions starting from 10.5 was possible to exploit for an unauthenticated attacker even on a GitLab instance where registration is disabled,” reads the advisory.

In March 2025, threat intelligence firm GreyNoise observed Grafana path traversal exploitation attempts before the Server-Side Request Forgery (SSRF) surge on March 9, suggesting that attackers may be leveraging Grafana as an initial entry point for deeper exploitation. One of the vulnerabilities exploited in the attacks observed by the experts is CVE-2020-7796. Most SSRF exploitation attempts targeted entities in the United States, Germany, Singapore, India, Lithuania, Japan, and Israel.

The experts warned that attackers leverage SSRF for pivoting, reconnaissance, and cloud exploitation.
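The advisory's condition ("when requests to the internal network for webhooks are enabled") is the knob a defender controls. The following added example, not code from GitLab or from this article, shows the server-side destination check an outbound-webhook feature needs: resolve the target, reject any address that is not globally routable (loopback, RFC 1918, link-local including the cloud metadata endpoint, ULA), and treat a name that resolves to a mix of public and private records as a refusal. The `Resolver` callable, `system_resolver` and the `allow_internal` switch are assumptions introduced for the example.

```python
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Resolver: hostname -> iterable of IP strings. Injectable so the check runs
# offline in tests; the default asks the system DNS through getaddrinfo.
Resolver = Callable[[str], Iterable[str]]

def system_resolver(host: str) -> list[str]:
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def is_internal_address(ip: str) -> bool:
    """True for anything that is not globally routable unicast: loopback, RFC 1918,
    link-local (169.254.169.254 metadata), CGNAT, ULA, multicast, reserved space."""
    addr = ipaddress.ip_address(ip)
    # IPv4-mapped IPv6 (::ffff:10.0.0.1) is judged by the embedded IPv4 address.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (not addr.is_global) or addr.is_multicast

def webhook_target_allowed(url: str, resolver: Resolver = system_resolver,
                           allow_internal: bool = False) -> tuple[bool, str]:
    """Server-side check before a webhook is delivered. allow_internal models the
    'requests to the internal network' switch from the advisory (assumed semantics)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if allow_internal:
        return True, "internal targets explicitly allowed by configuration"
    try:
        addrs = [str(ipaddress.ip_address(host))]      # IP literal: no DNS lookup
    except ValueError:
        try:
            addrs = list(resolver(host))
        except OSError as exc:                          # socket.gaierror is an OSError
            return False, f"cannot resolve {host}: {exc}"
    if not addrs:
        return False, f"no addresses for {host}"
    # Every record must be external: a name with one public and one private
    # record is rejected outright rather than fetched "sometimes".
    for ip in addrs:
        if is_internal_address(ip):
            return False, f"{host} resolves to internal address {ip}"
    return True, "ok"
```

The check must run at delivery time against the resolved addresses, not only when the webhook is saved, otherwise a DNS record changed after configuration bypasses it.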

The second flaw added to the KEV catalog is a Dell RecoverPoint for Virtual Machines (RP4VMs) Use of Hard-coded Credentials Vulnerability tracked as CVE-2026-22769. The vulnerability involves hard-coded credentials and was abused to gain access to VMware backup systems.

This week, Mandiant and Google’s Threat Intelligence Group (GTIG) reported that a suspected China-linked APT group quietly exploited a critical zero-day flaw in Dell RecoverPoint for Virtual Machines starting in mid-2024.

“Mandiant and Google Threat Intelligence Group (GTIG) have identified the zero-day exploitation of a high-risk vulnerability in Dell RecoverPoint for Virtual Machines, tracked as CVE-2026-22769, with a CVSSv3.1 score of 10.0,” reads the report published by Google. “Analysis of incident response engagements revealed that UNC6201, a suspected PRC-nexus threat cluster, has exploited this flaw since at least mid-2024 to move laterally, maintain persistent access, and deploy malware including SLAYSTYLE, BRICKSTORM, and a novel backdoor tracked as GRIMBOLT.”

The China-nexus group exploited the bug to move laterally, maintain persistence, and deploy malware such as SLAYSTYLE, BRICKSTORM, and a new C# backdoor, GRIMBOLT. Researchers observed advanced tactics, including stealthy VMware pivoting via “Ghost NICs” and Single Packet Authorization with iptables. Dell has released patches and mitigation guidance.

During investigations into compromised Dell RecoverPoint appliances, Mandiant researchers discovered that attackers replaced BRICKSTORM with a new C# backdoor, GRIMBOLT, in September 2025. GRIMBOLT is compiled using Native AOT and packed with UPX. The malware provides remote shell access and reuses BRICKSTORM’s command-and-control channels.

The attackers ensured persistence by modifying a legitimate startup script so the backdoor runs automatically at boot.

While investigating compromised Dell RecoverPoint systems, Mandiant uncovered CVE-2026-22769 after spotting Tomcat Manager access using hardcoded admin credentials. Attackers uploaded a malicious WAR file containing the SLAYSTYLE web shell, gaining root command execution as early as mid-2024. The group also expanded into VMware environments, creating “Ghost NICs” for stealthy lateral movement and using iptables-based Single Packet Authorization to covertly redirect and control traffic on vCenter appliances.
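The detection opportunity in that chain is the Tomcat Manager itself: a successful deployment through the Manager on an appliance is a change-control event, and Manager logins from anywhere other than the expected administration hosts deserve a look regardless of whether the credentials were valid. The added example below, written for this article and not taken from Mandiant or Dell, scans Tomcat access-log lines in the common layout (an assumption about the log format) and flags both conditions; the sample lines and the `allowed_sources` admin list are constructed.

```python
import re
from dataclasses import dataclass

# Tomcat "common" access log layout (assumed): host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')

# Manager endpoints that install a web application (Tomcat's text and HTML
# interfaces). A successful hit here is a change-control event on an appliance.
DEPLOY_PATHS = ("/manager/text/deploy", "/manager/html/upload", "/manager/html/deploy")

@dataclass
class Finding:
    src: str
    user: str
    ts: str
    path: str
    reason: str

def scan_access_log(lines, allowed_sources=frozenset()):
    """Flag successful Manager use: any deployment, plus any other Manager access
    from a source address that is not on the expected admin list."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        if not path.startswith("/manager/") or int(m["status"]) >= 400:
            continue  # not the Manager app, or the request was rejected
        if any(path.startswith(p) for p in DEPLOY_PATHS):
            findings.append(Finding(m["src"], m["user"], m["ts"], m["path"],
                                    "application deployed through Manager"))
        elif m["src"] not in allowed_sources:
            findings.append(Finding(m["src"], m["user"], m["ts"], m["path"],
                                    "Manager access from unexpected source"))
    return findings

# Constructed sample lines (addresses from documentation ranges, not real events).
SAMPLE_LOG = [
    '198.51.100.7 - - [19/Feb/2026:03:11:00 +0000] "GET /manager/html HTTP/1.1" 401 2000',
    '198.51.100.7 - admin [19/Feb/2026:03:12:44 +0000] "GET /manager/html HTTP/1.1" 200 1234',
    '198.51.100.7 - admin [19/Feb/2026:03:13:02 +0000] "PUT /manager/text/deploy?path=/status&update=true HTTP/1.1" 200 45',
    '10.0.0.5 - admin [19/Feb/2026:08:00:00 +0000] "GET /manager/html HTTP/1.1" 200 1234',
]
```

Run it as `scan_access_log(SAMPLE_LOG, allowed_sources={"10.0.0.5"})`; on an appliance where nobody should ever deploy through the Manager, the deployment rule alone is a high-confidence alert.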

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the catalog and address the vulnerabilities in their infrastructure.

CISA urges federal agencies to fix the Dell RecoverPoint flaw by the end of this week, on February 21, while ordering the agencies to address the GitLab issue by March 11, 2026.
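The BOD 22-01 deadlines are the operational output of a KEV addition, so the useful automation is matching your own vulnerability inventory against the catalog and bucketing by due date. The following added example (not CISA tooling) parses a constructed sample in the shape of the public KEV JSON feed, using the feed's real field names; the `dueDate` values are the deadlines reported above, while the `dateAdded` values and the inventory CVE set are assumptions.

```python
import json
from datetime import date, timedelta

# Live feed (real URL): https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
# The constructed sample below uses the feed's field names; dueDate values are
# the deadlines reported in the article, dateAdded values are assumptions.
SAMPLE_KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "count": 2,
  "vulnerabilities": [
    {"cveID": "CVE-2021-22175", "vendorProject": "GitLab", "product": "GitLab",
     "vulnerabilityName": "GitLab Server-Side Request Forgery (SSRF) Vulnerability",
     "dateAdded": "2026-02-18", "dueDate": "2026-03-11"},
    {"cveID": "CVE-2026-22769", "vendorProject": "Dell",
     "product": "RecoverPoint for Virtual Machines (RP4VMs)",
     "vulnerabilityName": "Dell RecoverPoint for Virtual Machines (RP4VMs) Use of Hard-coded Credentials Vulnerability",
     "dateAdded": "2026-02-18", "dueDate": "2026-02-21"}
  ]
}"""

def parse_kev(text):
    """Return {cveID: entry} with dateAdded/dueDate parsed to date objects."""
    catalog = {}
    for entry in json.loads(text)["vulnerabilities"]:
        e = dict(entry)
        e["dateAdded"] = date.fromisoformat(e["dateAdded"])
        e["dueDate"] = date.fromisoformat(e["dueDate"])
        catalog[e["cveID"]] = e
    return catalog

def triage(catalog, inventory_cves, today, horizon_days=7):
    """Bucket the CVEs in your inventory by BOD 22-01 due date: overdue, due within
    horizon_days, later, or not in the catalog. today may be a date or ISO string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    buckets = {"overdue": [], "due_soon": [], "later": [], "not_in_catalog": []}
    horizon = today + timedelta(days=horizon_days)
    for cve in sorted(inventory_cves):
        e = catalog.get(cve)
        if e is None:
            buckets["not_in_catalog"].append(cve)
        elif e["dueDate"] < today:
            buckets["overdue"].append(e)
        elif e["dueDate"] <= horizon:
            buckets["due_soon"].append(e)
        else:
            buckets["later"].append(e)
    for key in ("overdue", "due_soon", "later"):
        buckets[key].sort(key=lambda e: e["dueDate"])
    return buckets
```

Against the live feed the same two functions apply unchanged; only the source of the JSON text differs.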





Source: https://securityaffairs.com/188243/hacking/u-s-cisa-adds-dell-recoverpoint-and-gitlab-flaws-to-its-known-exploited-vulnerabilities-catalog.html