Why Persistent Exploits Underscore the Need for Modern Resilience, Not Just Prevention

A newly disclosed campaign shows how quietly a determined adversary can operate once they find the right foothold in the right place. In this case, researchers reported that a suspected China-nexus threat cluster exploited a previously unknown vulnerability in Dell RecoverPoint for Virtual Machines (RP4VM) for roughly 18 months before it was patched.
What makes this incident especially sobering is not just that it was a zero-day. It is that the attackers were able to maintain persistent access and expand their reach while many organizations had no obvious reason to suspect anything was wrong.
This is the reality of modern security: prevention is necessary, but it is not sufficient. Zero-days will always exist. Motivated threat actors will eventually get in. The difference between a disruptive incident and a controlled recovery often comes down to two capabilities:
- How quickly you detect the intrusion
- How reliably you can restore trusted systems and data
What happened: a maximum severity flaw in a critical recovery layer
Dell disclosed and patched CVE-2026-22769, a critical (CVSS 10.0) vulnerability in RecoverPoint for Virtual Machines. The issue involves a hardcoded credential that, when known, could allow an unauthenticated remote attacker to gain access to the underlying operating system and establish root-level persistence.
CSO reports the vulnerability stemmed from hardcoded admin credentials for Apache Tomcat Manager, which could be leveraged to deploy malicious WAR files and execute commands as root.
Google Threat Intelligence Group and Mandiant tied exploitation to a suspected PRC-nexus threat cluster tracked as UNC6201, reporting exploitation since at least mid-2024 and identifying malware used in the campaign, including SLAYSTYLE (a web shell), BRICKSTORM, and a newer backdoor tracked as GRIMBOLT.
Dell also stated it had received a report of limited active exploitation and urged customers to apply remediations as soon as possible, including upgrading to 6.0.3.1 HF1 or using Dell’s remediation script where appropriate.
The vulnerability was also listed as an actively exploited issue in public vulnerability tracking, with federal guidance emphasizing rapid remediation.
Why this matters: dwell time is the enemy of recovery
Most organizations think about breach risk in terms of the moment of impact: the phishing click, the ransomware detonation, the outage.
But many of the most damaging intrusions are the opposite. They are quiet, persistent, and patient.
In this campaign, researchers describe activity consistent with long-term persistence and opportunities for lateral movement. For example, Mandiant observed novel pivoting techniques in VMware environments, including “Ghost NICs” (temporary network ports) used for stealthy network pivoting, plus other tactics intended to avoid traditional detection.
When attackers can lurk for months:
- Credentials get harvested over time
- Backups and recovery paths can be mapped
- The attacker can choose the worst possible moment to act
- “Good” restore points become harder to trust
This is why detection and recoverability must be designed together. If you only invest in preventing the initial compromise, you are betting that you will never face a zero-day, a misconfiguration, or a supply-chain surprise. That bet fails too often.
The bigger lesson: zero-days are inevitable, resilience is optional (until it is not)
Zero-days are not a new phenomenon, but the operational reality has changed:
- Security teams cannot patch what is not yet disclosed
- Attackers increasingly target infrastructure that is not treated like an endpoint, including appliances and recovery tooling
- Backup environments often have different monitoring coverage than production
Dell’s advisory explicitly notes that RecoverPoint for Virtual Machines is intended to be deployed inside a trusted, access-controlled internal network with segmentation and firewalls, not exposed to untrusted or public networks. That guidance is important, but it also points to the broader theme: many environments still treat parts of the stack as “special” and therefore outside standard security visibility.
Modern resilience assumes three truths:
- Intrusion is possible, even likely, over a long enough timeline
- Detection speed determines blast radius
- Recoverability determines business impact
What organizations should do now: a practical resilience checklist
If your environment uses Dell RecoverPoint for Virtual Machines, start with vendor guidance.
1) Patch or remediate immediately
Dell recommends upgrading to 6.0.3.1 HF1 or applying the published remediation steps.
2) Confirm exposure and segmentation
Validate that management interfaces and related services are not exposed to the public internet and are restricted to trusted networks, consistent with Dell’s deployment guidance.
3) Hunt for signs of exploitation in high-value logs and paths
Mandiant shared concrete forensic artifacts to review, including requests to Tomcat “/manager” endpoints and evidence of WAR deployment activity.
4) Expand detection coverage to backup and recovery systems
Treat recovery infrastructure as production-critical, because attackers do. That means:
- Centralized logging
- Behavioral detections for admin actions and unusual deployments
- Alerts on suspicious outbound connections from appliances
- Regular review of privileged access to recovery tooling
5) Validate recoverability, not just backups
Backups are not the finish line. Confidence comes from:
- Immutable backup copies where appropriate
- Restore testing on a defined cadence
- Clear RTO and RPO targets aligned to business needs
- A documented “known good restore” process after suspected compromise
The most resilient organizations practice restoring under pressure before they are under pressure.
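As an added illustration of steps 3 and 4 above (example code written for this post, not tooling from Dell, Mandiant or CyberFortress), a small hunt over Tomcat access-log lines: it flags hits on Manager endpoints, WAR deployments through the standard /manager/text/deploy and /manager/html/upload endpoints, and any later request to a context path that such a deployment created. It assumes Tomcat's common "combined" access-log format; the sample lines, addresses and paths are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Tomcat "combined"-style access-log line. Assumption: the appliance logs in this common format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Standard Tomcat Manager endpoints that deploy an application (WAR upload/deploy).
DEPLOY_PATHS = ("/manager/text/deploy", "/manager/html/upload")

def hunt(lines):
    """Return findings as (severity, reason, ip, method, path, status), highest severity first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    deployed = set()   # context paths created via the Manager within this log window
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                       # not an access-log line; skip
        f = m.groupdict()
        u = urlsplit(f["url"])
        path, ok = u.path, f["status"].startswith("2")
        hit = None
        if path.startswith(DEPLOY_PATHS) or path.lower().endswith(".war"):
            # A 2xx here means the server accepted a new web application
            hit = ("high" if ok else "medium", "WAR deployment via Tomcat Manager")
            ctx = parse_qs(u.query).get("path", [None])[0]
            if ok and ctx and ctx != "/":
                deployed.add(ctx.rstrip("/"))
        elif path.startswith("/manager"):
            hit = ("low", "Tomcat Manager endpoint accessed")
        elif any(path == c or path.startswith(c + "/") for c in deployed):
            hit = ("high", "request to context deployed earlier in this log")
        if hit:
            findings.append(hit + (f["ip"], f["method"], path, f["status"]))
    return sorted(findings, key=lambda h: rank[h[0]])

# Constructed sample lines (not from a real appliance); 203.0.113.0/24 is a documentation range.
SAMPLE = [
    '10.0.0.5 - - [12/Jan/2026:02:14:07 +0000] "GET /RecoverPoint/ HTTP/1.1" 200 512',
    '203.0.113.9 - - [12/Jan/2026:02:15:01 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '203.0.113.9 - - [12/Jan/2026:02:15:03 +0000] "GET /manager/html HTTP/1.1" 200 18232',
    '203.0.113.9 - - [12/Jan/2026:02:15:40 +0000] "PUT /manager/text/deploy?path=/x&update=true HTTP/1.1" 200 43',
    '203.0.113.9 - - [12/Jan/2026:02:16:02 +0000] "POST /x/index.jsp HTTP/1.1" 200 9',
]
if __name__ == "__main__":
    for sev, reason, ip, method, path, status in hunt(SAMPLE):
        print(f"[{sev:<6}] {ip} {method} {path} -> {status}: {reason}")
```

On a real appliance, feed hunt() the Tomcat access log lines and review every high finding alongside the WAR and context directories on disk, since a successful deploy followed by traffic to the new context is the pattern worth escalating.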
Where CyberFortress fits: closing the loop between security and recovery
At CyberFortress, we believe defense in depth should produce a simple business outcome: when something goes wrong, you can detect it quickly and recover with confidence.
That means pairing prevention with the layers that limit dwell time and reduce operational disruption:
- Continuous monitoring and rapid response to surface suspicious activity earlier
- Visibility into the systems that matter most, including the recovery layer
- Reliable recoverability so you can restore trusted systems and data fast, and avoid negotiating with criminals or guessing which backups are clean
- Operational readiness through playbooks and recovery validation, so response is controlled, not chaotic
If you are worried about undetected threats, ransomware access, or whether your recovery plan would hold up against a persistent adversary, we should talk. CyberFortress can help you build a security and recovery strategy that closes the loop.