CISA orders feds to patch actively exploited Dell flaw within 3 days
Summary: The U.S. cybersecurity agency CISA has ordered government agencies to patch the critical Dell vulnerability CVE-2026-22769, warning that it is being exploited by a Chinese hacking group to deploy malware; it also urged agencies to fix another remote code execution vulnerability, CVE-2026-1731.

2026-2-19 15:45:19 Author: www.bleepingcomputer.com (view original) Views: 5


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered government agencies to patch their systems within three days against a maximum-severity Dell vulnerability that has been under active exploitation since mid-2024.

According to security researchers from Mandiant and the Google Threat Intelligence Group (GTIG), this hardcoded-credential vulnerability (CVE-2026-22769) in Dell's RecoverPoint (a solution used for VMware virtual machine backup and recovery) is being exploited by a suspected Chinese hacking group tracked as UNC6201.

After gaining access to a victim's network in CVE-2026-22769 attacks, UNC6201 deploys several malware payloads, including a newly identified backdoor called Grimbolt. This malware is built using a relatively new compilation technique that makes it harder to analyze than its predecessor, the Brickstorm backdoor.


While the group swapped Brickstorm for Grimbolt in September 2025, it's not yet clear whether this switch was part of a planned upgrade or "a reaction to incident response efforts led by Mandiant and other industry partners."

"Analysis of incident response engagements revealed that UNC6201, a suspected PRC-nexus threat cluster, has exploited this flaw since at least mid-2024 to move laterally, maintain persistent access, and deploy malware including SLAYSTYLE, BRICKSTORM, and a novel backdoor tracked as GRIMBOLT," they said.

The security researchers have also found overlaps between UNC6201 and the Silk Typhoon Chinese state-backed cyberespionage group, although GTIG does not consider the two identical. Silk Typhoon, also tracked as UNC5221, is known for exploiting Ivanti zero-days to target government agencies with custom Spawnant and Zipline malware.

Silk Typhoon has previously breached the systems of several U.S. government agencies, including the U.S. Treasury Department, the Office of Foreign Assets Control (OFAC), and the Committee on Foreign Investment in the United States (CFIUS).

Feds ordered to prioritize CVE-2026-22769 patches

CISA added the security flaw to its Known Exploited Vulnerabilities (KEV) catalog on Wednesday and ordered Federal Civilian Executive Branch (FCEB) agencies to secure their networks by the end of Saturday, February 21, as mandated by Binding Operational Directive (BOD) 22-01.

"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA warned on Wednesday. 

"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."

Last week, CISA also gave U.S. federal agencies three days to secure their BeyondTrust Remote Support instances against an actively exploited remote code execution vulnerability (CVE-2026-1731).

Hacktron, which reported the vulnerability on January 31, warned in early February that around 11,000 BeyondTrust Remote Support instances were exposed online, and that around 8,500 were on-premises deployments that required manual patching.



Source: https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-actively-exploited-dell-flaw-within-3-days/