Cyber Resilience

CVE-2026-22769

Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 17 February 2026
Modified: 18 February 2026
CVSS Score v3.1: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.1313 (95.9th percentile)
Risk Priority: 100 (floored blend · peak EPSS)

Summary

CVE-2026-22769 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Dell RecoverPoint for Virtual Machines. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). The CVE ranks in the top 4.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-22769 is a hardcoded credential vulnerability (CWE-798) in Dell RecoverPoint for Virtual Machines, affecting versions prior to 6.0.3.1 HF1. Published on 2026-02-17, it carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), classifying it as critical due to the potential for severe impact.

An unauthenticated remote attacker with knowledge of the hardcoded credential can exploit this flaw over the network with low complexity, gaining unauthorized access to the underlying operating system and establishing root-level persistence.

Dell recommends that customers upgrade to version 6.0.3.1 HF1 or apply one of the specified remediations immediately, as detailed in their advisory DSA-2026-079 at https://www.dell.com/support/kbdoc/en-us/000426773/dsa-2026-079.

The vulnerability appears in CISA's Known Exploited Vulnerabilities Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-22769) and has been exploited in the wild by threat actor UNC6201 as a zero-day, per a Google Cloud threat intelligence report (https://cloud.google.com/blog/topics/threat-intelligence/unc6201-exploiting-dell-recoverpoint-zero-day).

Vulnerability details

Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credential vulnerability. This is considered critical as an unauthenticated remote attacker with knowledge of the hardcoded credential could potentially exploit this vulnerability leading to unauthorized access to the underlying operating system and root-level persistence. Dell recommends that customers upgrade or apply one of the remediations as soon as possible.

CWE(s): CWE-798
KEV Date Added: See CISA KEV catalog

Related Threats

Threat-Actor Attribution (AI)

UNC6201
Google Cloud threat-intel blog directly attributes exploitation of this Dell RecoverPoint zero-day (CVE-2026-22769) to UNC6201.

MITRE ATT&CK Enterprise Techniques (AI)

T1078.001 · Default Accounts · Stealth
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Hardcoded credential enables abuse of default/known valid accounts (T1078.001) for initial access; vulnerability in network-exposed software service facilitates exploitation of public-facing application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-21105 · Same product: Dell RecoverPoint for Virtual Machines
CVE-2026-22273 · Same vendor: Dell
CVE-2026-40636 · Same vendor: Dell
CVE-2025-14611 · Shared CWE-798 · both on KEV
CVE-2026-25202 · Shared CWE-798
CVE-2025-26336 · Same vendor: Dell
CVE-2024-8893 · Shared CWE-798
CVE-2025-43728 · Same vendor: Dell
CVE-2026-1221 · Shared CWE-798
CVE-2023-53983 · Shared CWE-798

Affected Assets

dell
recoverpoint for virtual machines
6.0 · ≤ 6.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Directly requires identifying, reporting, and correcting critical flaws like hardcoded credentials through timely patching to remediated versions such as 6.0.3.1 HF1.

Prevent: Mandates proper management of authenticators, prohibiting hardcoded credentials by requiring changes from defaults, protection, and lifecycle controls.

Detect: Enables proactive detection of known vulnerabilities like CVE-2026-22769 through regular vulnerability scanning, supporting timely flaw remediation.
