Vulnerability in Dell RecoverPoint for Virtual Machines could allow arbitrary code execution

A vulnerability has been discovered in Dell RecoverPoint for Virtual Machines that could allow arbitrary code execution. Dell RecoverPoint for Virtual Machines is an enterprise solution for VMware virtual machines (VMs) enabling local, remote, and simultaneous local and remote replication with continuous cyber resiliency for on-premises recovery at any time (PiT).

Successful exploitation of the vulnerability could allow execution of arbitrary code in the context of the logged in user. Depending on the privileges associated with the user, an attacker could then install programs; view, modify or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system might be less affected than those who operate with administrative user rights.

Dell has received a report from Google/Mandiant of limited active exploitation of this vulnerability.

A vulnerability has been discovered in Dell RecoverPoint for Virtual Machines that could allow arbitrary code execution. The details of the vulnerability are as follows:

Tactical: Execution (TA0002)

Technical: Operation for customer execution (T1203):

* Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contains a hardcoded credentials vulnerability. This is considered critical because an unauthenticated, remote attacker with knowledge of hardcoded credentials could potentially exploit this vulnerability, leading to unauthorized access to the underlying operating system and root-level persistence. (CVE-2026-22769)

Successful exploitation of the vulnerability could allow execution of arbitrary code in the context of the logged in user. Depending on the privileges associated with the user, an attacker could then install programs; view, modify or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system might be less affected than those who operate with administrative user rights.

We recommend that the following actions be taken:

• Apply appropriate Dell-provided updates to vulnerable systems immediately after appropriate testing. (M1051: Update software)
• Backup 7.1: Establish and maintain a vulnerability management process: Establish and maintain a documented vulnerability management process for company assets. Review and update documentation annually or when significant changes within the business occur that could impact this protection.
• Safeguard 7.2: Establish and maintain a remediation process: Establish and maintain a risk-based remediation strategy, documented in a remediation process, with monthly or more frequent reviews.
• Backup 7.4: Perform automated application patch management: Perform application updates on enterprise assets with automated patch management on a monthly or more frequent basis.
• Backup 7.6: Perform automated vulnerability scans of externally exposed enterprise assets: Perform automated vulnerability scans of externally exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly or more frequent basis.
• Backup 7.7: Fix detected vulnerabilities: Remediate detected vulnerabilities in software through processes and tools on a monthly or more frequent basis, depending on the remediation process.
• Backup 16.13 Perform application penetration testing: Perform application penetration testing. For mission-critical applications, authenticated penetration testing is better suited to detecting business logic vulnerabilities than code analysis and automated security testing. Penetration testing relies on the tester’s ability to manually manipulate an application as an authenticated and unauthenticated user.
• Backup 12.1: Ensure network infrastructure is up to date: Make sure the network infrastructure is kept up to date. Example implementations include running the latest stable version of the software and/or using currently supported Network as a Service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
• Backup 18.1: Establish and maintain a penetration testing program: Establish and maintain a penetration testing program appropriate to the size, complexity and maturity of the company. Penetration testing program characteristics include scope, such as network, web application, application programming interface (API), hosted services, and physical premises controls; frequency; limitations, such as acceptable hours and excluded types of attacks; contact details; corrective actions, such as how results will be communicated internally; and retrospective requirements.
• Backup 18.2: Perform periodic external penetration tests: Perform periodic external penetration testing based on program requirements, at least annually. External penetration testing should include reconnaissance of the business and environment to detect actionable information. Penetration testing requires specialist skills and experience and should be carried out by a qualified party. The test can be carried out in a transparent box or an opaque box.
• Backup 18.3: Remediation of penetration test results: Remediate penetration test results based on company policy for scope and priority of remediation.
• Apply the principle of least privilege to all systems and services. Run all software as an unprivileged user (without administrative privileges) to lessen the effects of a successful attack. (M1026: Privileged account management)
• Backup 4.7: Manage default accounts on company assets and software: Manage default accounts on company assets and software, such as root, administrator, and other preconfigured vendor accounts. Example implementations may include: disabling default accounts or rendering them unusable.
• Backup 5.4: Restrict administrator privileges to dedicated administrator accounts: Limit administrator privileges to dedicated administrator accounts on company assets. Perform general computing activities, such as browsing the Internet, email, and using the Productivity Suite, from the user’s primary, non-privileged account.
• Vulnerability scanning is used to find potentially exploitable software vulnerabilities for remediation. (M1016: Vulnerability analysis)
• Backup 16.13: Perform application penetration testing: Perform application intrusion tests. For mission-critical applications, authenticated penetration testing is better suited to detecting business logic vulnerabilities than code analysis and automated security testing. Penetration testing relies on the tester’s ability to manually manipulate an application as an authenticated and unauthenticated user.
• Use features to detect and block conditions that could lead to or indicate the occurrence of a software exploit. (M1050: Exploit protection)
• Backup 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on company assets and software where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
• Architect sections of the network to isolate critical systems, functions or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain all Internet-accessible services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. (M1030: Network segmentation)
• Backup 12.2: Establish and maintain a secure network architecture: Establish and maintain a secure network architecture. A secure network architecture must at a minimum take into account segmentation, least privilege and availability.
• Use features to detect and block conditions that could lead to or indicate the occurrence of a software exploit. (M1050: Exploit Protection)
• Backup 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on company assets and software where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.