CISA orders federal agencies to patch critical Dell vulnerability in three days

Federal agencies must patch a critical Dell vulnerability within three days after Chinese hackers exploited it for over 18 months to gain network persistence.

Feb 22, 2026
Technobezz


Federal agencies received just three days to secure their systems against a maximum-severity Dell vulnerability that Chinese state-backed hackers exploited undetected for more than 18 months.

The Cybersecurity and Infrastructure Security Agency ordered civilian agencies to patch CVE-2026-22769 by February 21, giving them only three days after adding the flaw to its Known Exploited Vulnerabilities catalog earlier this week. The unusually tight deadline reflects active exploitation, beginning in mid-2024, of Dell RecoverPoint for Virtual Machines.

Chinese threat group UNC6201, linked to the Silk Typhoon espionage campaign, used the hardcoded credential vulnerability to gain root-level persistence across networks since at least June 2024, according to Google's Mandiant incident response team. The attackers deployed multiple malware families, including Brickstorm backdoors, before upgrading to a more sophisticated implant called Grimbolt in September 2025.

Dell disclosed and patched the vulnerability on February 17 after receiving reports from Google and Mandiant about limited active exploitation. The company's security advisory notes the flaw carries a perfect 10/10 CVSS severity score and affects versions of RecoverPoint for Virtual Machines prior to 6.0.3.1 HF1.

"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA warned in its directive.

The agency has tracked fewer than a dozen confirmed victims but acknowledges the true number could be higher given the extended exploitation period.

Attackers used so-called "Ghost NICs" on virtual machines to pivot quietly through compromised environments without triggering alarms. They targeted disaster recovery platforms that typically operate with elevated privileges and provide deep visibility into infrastructure architecture.

"Targeting backup and disaster recovery platforms reflects a deliberate and knowledgeable approach," said Keeper Security's Shane Barney. "If an attacker compromises the systems responsible for restoration, they can weaken an organization's ability to recover from disruption."

Mandiant researchers observed UNC6201 replacing older Brickstorm binaries with Grimbolt backdoors that are more difficult to reverse engineer. The newer malware reuses much of the same architecture but gives the attackers a better way to remove forensic fingerprints from their intrusions.

CISA, the National Security Agency, and the Canadian Centre for Cyber Security published an advisory about Brickstorm in December warning that Chinese hackers were using it to attack governments in several countries. The agency updated that advisory last week, noting that newer versions had become "more versatile and harder to detect."

The three-day patch window continues CISA's pattern of rapid-fire remediation orders for actively exploited bugs. Just last week, the agency similarly gave federal agencies three days to lock down BeyondTrust Remote Support instances against a separate remote code execution flaw.

Dell recommends customers upgrade affected systems immediately or apply workarounds outlined in its security advisory. The company acknowledged receiving reports of "limited active exploitation" from Google and Mandiant while urging organizations using RecoverPoint for Virtual Machines to implement recommended mitigations.
