CVE-2026-22769

CriticalCISA KEVActive Exploitation

Published: 17 February 2026

Published

17 February 2026

Modified

18 February 2026

KEV Added

—

Patch

—

CVSS Score 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.2200 95.9th percentile

Risk Priority 53 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-22769 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Dell Recoverpoint For Virtual Machines. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001); ranked in the top 4.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Default Accounts (T1078.001) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly requires identifying, reporting, and correcting critical flaws like hardcoded credentials through timely patching to remediated versions such as 6.0.3.1 HF1.

IA-5 Authenticator Management good match

prevent

Mandates proper management of authenticators, prohibiting hardcoded credentials by requiring changes from defaults, protection, and lifecycle controls.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

Enables proactive detection of known vulnerabilities like CVE-2026-22769 through regular vulnerability scanning, supporting timely flaw remediation.

MITRE ATT&CK Enterprise TechniquesAI

T1078.001 Default Accounts Stealth

Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

attack.mitre.org →

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Hardcoded credential enables abuse of default/known valid accounts (T1078.001) for initial access; vulnerability in network-exposed software service facilitates exploitation of public-facing application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credential vulnerability. This is considered critical as an unauthenticated remote attacker with knowledge of the hardcoded credential could potentially exploit this vulnerability leading to unauthorized access to…

the underlying operating system and root-level persistence. Dell recommends that customers upgrade or apply one of the remediations as soon as possible.

Deeper analysisAI

CVE-2026-22769 is a hardcoded credential vulnerability (CWE-798) in Dell RecoverPoint for Virtual Machines, affecting versions prior to 6.0.3.1 HF1. Published on 2026-02-17, it carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), classifying it as critical due to the potential for severe impact.

An unauthenticated remote attacker with knowledge of the hardcoded credential can exploit this flaw over the network with low complexity, gaining unauthorized access to the underlying operating system and establishing root-level persistence.

Dell recommends that customers upgrade to version 6.0.3.1 HF1 or apply one of the specified remediations immediately, as detailed in their advisory DSA-2026-079 at https://www.dell.com/support/kbdoc/en-us/000426773/dsa-2026-079.

The vulnerability appears in CISA's Known Exploited Vulnerabilities Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-22769) and has been exploited in the wild by threat actor UNC6201 as a zero-day, per a Google Cloud threat intelligence report (https://cloud.google.com/blog/topics/threat-intelligence/unc6201-exploiting-dell-recoverpoint-zero-day).

Details

CWE(s): CWE-798
KEV Date Added: See CISA KEV catalog

Affected Products

dell

recoverpoint for virtual machines

6.0 · ≤ 6.0

CVEs Like This One

CVE-2025-21105Same product: Dell Recoverpoint For Virtual Machines

CVE-2026-22273Same vendor: Dell

CVE-2026-40636Same vendor: Dell

CVE-2025-14611Shared CWE-798both on KEV

CVE-2026-27101Same vendor: Dell

CVE-2026-25202Shared CWE-798

CVE-2026-3873Shared CWE-798

CVE-2026-1221Shared CWE-798

CVE-2025-43995Same vendor: Dell

CVE-2024-49601Same vendor: Dell

References

https://www.dell.com/support/kbdoc/en-us/000426773/dsa-2026-079
Patch, Vendor Advisory · security_alert@emc.com
https://cloud.google.com/blog/topics/threat-intelligence/unc6201-exploiting-dell-recoverpoint-zero-day
Third Party Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-22769
US Government Resource · 134c704f-9b21-4f2e-91b3-4a467353bcc0