Chinese hackers exploiting Dell zero-day flaw since mid-2024

Summary

A suspected Chinese state-backed hacking group has been exploiting a critical Dell security flaw in zero-day attacks since mid-2024, raising concerns about cybersecurity vulnerabilities and the implications for global digital security.


Key Insights

What is a zero-day vulnerability and why is it particularly dangerous?
A zero-day vulnerability is a security flaw that is being exploited before the vendor has released a fix, often before the vendor even knows the flaw exists. It is dangerous because affected organizations have no official patch to apply and, until the activity is discovered, no reason to suspect anything is wrong. In this case, the UNC6201 hacking group exploited a hardcoded-credential vulnerability (CVE-2026-22769) in Dell RecoverPoint for Virtual Machines. A hardcoded credential is a fixed login baked into the product itself, so every unpatched installation shares it and an attacker who knows it needs no further exploit: the flaw allowed unauthenticated remote attackers to log in and establish root-level persistence on affected systems. The vulnerability remained unpatched from mid-2024 until Dell released a security advisory on February 17, 2026, giving attackers approximately 20 months of undetected access to vulnerable systems.
Sources: [1]
Why do Chinese state-backed hackers target appliances like Dell RecoverPoint, and how do they avoid detection?
Chinese state-backed hacking groups like UNC6201 deliberately target backup and recovery appliances because these devices typically cannot run traditional endpoint detection and response (EDR) agents, the security software that monitors hosts for malicious activity and raises alerts. By compromising these less-monitored systems, attackers can maintain access for extended periods and establish persistent footholds in enterprise networks without tripping host-based alerts. For defenders, the practical consequence is that detection on such appliances has to rely on what leaves the box: forwarded authentication and system logs, and network telemetry for the management interfaces. Researchers noted that UNC6201's tactics overlap with previous campaigns that targeted the same kind of infrastructure gap, so this is an established pattern rather than a one-off.
Sources: [1]
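Because an appliance without an EDR agent can only be watched through the logs it exports, a practical compensating control is to run simple hunting rules over those logs as they arrive at the SIEM. The following is an added example, not Dell's code and not the RecoverPoint log format (which this page does not describe): it parses constructed syslog-style sshd lines and flags logins that are suspicious in the scenario described above, namely password logins to built-in accounts (a hardcoded credential is a password, so key-based logins are excluded) and any login from outside an assumed management network. The account names, network range and log lines are all assumptions made for the example.

```python
"""Hunting rule for interactive logins on a backup appliance that has no EDR.

Added example, not vendor code. The log lines, account names and management
network below are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample, as a log forwarder might deliver sshd events to a SIEM.
SAMPLE_LOG = """\
Jun 14 02:11:07 rp4vm01 sshd[2211]: Accepted password for admin from 10.20.30.5 port 51234 ssh2
Jun 14 02:11:20 rp4vm01 sshd[2211]: pam_unix(sshd:session): session opened for user admin by (uid=0)
Jul 02 23:48:51 rp4vm01 sshd[4180]: Accepted password for admin from 203.0.113.77 port 40022 ssh2
Jul 02 23:49:03 rp4vm01 sshd[4180]: pam_unix(sshd:session): session opened for user admin by (uid=0)
Jul 03 00:02:15 rp4vm01 sshd[4302]: Failed password for root from 203.0.113.77 port 40100 ssh2
Jul 03 00:02:30 rp4vm01 sshd[4305]: Accepted publickey for boxmgmt from 10.20.30.8 port 50011 ssh2
"""

# Assumption: administrators reach the appliance only from this jump-host range.
MANAGEMENT_NETS = [ipaddress.ip_network("10.20.30.0/24")]
# Assumption: built-in or service accounts whose password logins deserve a ticket.
WATCHED_ACCOUNTS = {"admin", "root", "boxmgmt"}

# Only successful logins matter here; failed attempts are left to brute-force rules.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port"
)


@dataclass
class Alert:
    user: str
    src: str
    method: str
    reason: str


def hunt_logins(log_text, management_nets=MANAGEMENT_NETS, watched=WATCHED_ACCOUNTS):
    """Return one Alert per accepted login that violates either rule."""
    alerts = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if not m:
            continue  # not a successful sshd login
        user, src, method = m["user"], m["src"], m["method"]
        src_ip = ipaddress.ip_address(src)
        reasons = []
        if not any(src_ip in net for net in management_nets):
            reasons.append("source outside management network")
        if user in watched and method == "password":
            reasons.append("password login to built-in account")
        if reasons:
            alerts.append(Alert(user, src, method, "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for a in hunt_logins(SAMPLE_LOG):
        print(f"{a.user}@{a.src} via {a.method}: {a.reason}")
```

On the constructed sample this raises two alerts: the June password login to `admin` from inside the management range (worth a ticket because a shared, hardcoded password should not be in routine use at all) and the July password login to `admin` from 203.0.113.77, which trips both rules; the key-based `boxmgmt` login from the management range passes. The rules are deliberately crude: the point is that with no agent on the appliance, this kind of log-side check is the detection surface you actually have.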