CISA Flags Dell RecoverPoint Zero-Day: Backup Systems as the New Beachhead

Your backup system isn’t your safety net.

It’s a beachhead. 🏖️

Mandiant + GTIG report UNC6201 exploiting a Dell RecoverPoint for VMs zero-day (CVE-2026-22769, CVSS 10.0). The bug? A hardcoded credential that can lead to unauthenticated remote access, OS-level control, and root persistence.

Let that sink in.

Recovery tooling sits in the “break glass” tier of your stack. Elevated access. Broad visibility. Often lightly monitored because… well… it’s “for emergencies.”

The CVE's inclusion in the CISA KEV catalog is now indicated in NVD's CISA-ADP enrichment data. Translation: this isn't theoretical.

Even more interesting: the initial access vector wasn’t confirmed. RP4VM exploitation is a confirmed path during operations — not necessarily patient zero. That nuance matters for defenders mapping blast radius.

And here’s the strategic problem:

If an adversary owns your recovery plane, they can:

Undermine restore trust

Pivot into VMware management

Complicate (or delay) incident recovery

When was the last time your IR tabletop included “backup appliance compromise”?

Read the full breakdown:

👉 https://blog.alphahunt.io/cisa-flags-dell-recoverpoint-zero-day-backup-systems-as-the-new-beachhead

#AlphaHunt #ThreatIntel #CISA #VMware #ZeroDay

Did you learn something new?