Fed agencies ordered to patch Dell bug by Saturday after exploitation warning
Editor's note: This article was updated with comment from the Cybersecurity and Infrastructure Security Agency at 8:00 a.m. EST on Feb. 19.
A Chinese state-backed hacking group is targeting Dell customers with a zero-day vulnerability impacting a popular line of operational and disaster recovery tools.
Dell and Google released notices on Tuesday about CVE-2026-22769, warning that a sophisticated Chinese actor has been targeting the bug since at least mid-2024. Dell’s advisory said the vulnerability carries a severity score of 10 out of 10 and provided fixes for the issue.
The advisory notes Google’s findings of “limited active exploitation.” Google-owned security firm Mandiant published its own lengthy blog about the vulnerability and the attacks that resulted from it. Mandiant said the activity was targeted at organizations across North America.
On Wednesday, the Cybersecurity and Infrastructure Security Agency (CISA) confirmed that CVE-2026-22769 is being exploited and ordered all federal agencies to patch it by Saturday.
Nick Andersen, executive assistant director for cybersecurity at CISA, said the agency is “actively combating the multi-year Brickstorm threat campaign.”
Andersen explained that the issue relates to hard-coded credentials that had been leaked and exploited by threat actors.
“Hard-coded credentials remain a critical risk, and CISA urges all organizations to take decisive steps now to mitigate exposure and prevent compromise,” he said.
Dell RecoverPoint for Virtual Machines is typically part of an organization’s resilience layer, replicating virtual machines and enabling disaster recovery so that businesses can quickly restore systems disrupted by failure or attack, according to Keeper Security’s Shane Barney.
Because it integrates directly with hypervisors, storage infrastructure and backup systems, it typically operates with elevated privileges, he said, making it a high-value target.
“Targeting backup and disaster recovery platforms reflects a deliberate and knowledgeable approach. If an attacker compromises the systems responsible for restoration, they can weaken an organization’s ability to recover from disruption,” Barney said. “In the context of espionage, access to this layer can also provide deep visibility into infrastructure architecture and replicated data sets.”
In their blog, Mandiant and Google Threat Intelligence Group tied the exploitation of the bug to UNC6201 — a group they said has links to Silk Typhoon. Silk Typhoon was accused by U.S. authorities of hacking the Treasury Department in 2024 and abusing vulnerabilities in widely used tools from IT firm Ivanti.
Charles Carmakal, CTO of Mandiant, said during exploitation of the vulnerability, the hackers were deploying a newer version of a backdoor called BRICKSTORM.
“Any organization using Dell RecoverPoint for Virtual Machines should immediately apply the recommendations provided by Dell,” Carmakal said.
“Nation-state threat actors continue targeting systems that don’t commonly support endpoint detection and response solutions, which make it very hard for victim organizations to know they are compromised and significantly prolong intrusion dwell times.”
Carmakal said they observed the hackers using a novel backdoor they named GRIMBOLT. Mandiant said GRIMBOLT appeared to be a replacement for the BRICKSTORM malware, using much of the same architecture but serving as a better way for the hackers to remove any of the fingerprints from attacks.
“It's unclear if the threat actor's replacement of BRICKSTORM with GRIMBOLT was part of a pre-planned life cycle iteration by the threat actor or a reaction to incident response efforts led by Mandiant and other industry partners,” the researchers explained.
CISA, the National Security Agency (NSA) and Canadian Centre for Cyber Security published an advisory about BRICKSTORM in December, raising alarms that Chinese hackers were using it to attack governments in several countries and maintain long-term access.
CISA last week updated the advisory, noting that it was seeing newer versions of BRICKSTORM that made it “more versatile and harder to detect.”
Cybersecurity firms like Mandiant have repeatedly reported seeing BRICKSTORM used in attacks on legal firms, software-as-a-service providers and technology companies since March 2025, with the initial goal being to steal valuable intellectual property and sensitive data or raid the email inboxes of senior company leaders.
CrowdStrike said it also saw “multiple intrusions targeting VMware vCenter environments at U.S.-based entities” throughout 2025 involving BRICKSTORM. In one incident tracked by CrowdStrike, the Chinese hackers had access dating back to 2023.
Mayuresh Dani, security research manager at Qualys, said Chinese threat actors are adept and comfortable working inside the pipelines of modern VMware-based disaster recovery environments like the ones described in Mandiant’s advisory.
“This vulnerability shows us that the threat actor understands modern VMware DR architectures and knows how to live in them quietly,” Dani explained.
“A compromised appliance can influence which copies of data get replicated, where they go, and what gets restored in a disaster, making it a high leverage target.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.