Dell RecoverPoint for Virtual Machines (RP4VMs) Hard-coded Credentials Exploitation
Detects exploitation of CVE-2026-22769, a hard-coded credentials vulnerability in Dell RecoverPoint for Virtual Machines (RP4VMs). Threat actors (including UNC6201) have actively exploited this zero-day to gain unauthorized access to RP4VMs appliances, enabling lateral movement, data exfiltration, and ransomware deployment within virtualized environments. The hard-coded credentials give anyone who knows them remote access to RP4VMs management interfaces without any legitimately provisioned account.
Vulnerability Intelligence
KEV — Known Exploited
Affected Software
- Vendor
- Dell
- Product
- RecoverPoint for Virtual Machines (RP4VMs)
Weakness (CWE)
Timeline
- Disclosed
- February 18, 2026
References & Proof of Concept
- https://www.dell.com/support/kbdoc/en-us/000426773/dsa-2026-079
- https://www.dell.com/support/kbdoc/en-us/000426742/recoverpoint-for-vms-apply-the-remediation-script-for-dsa
- https://cloud.google.com/blog/topics/threat-intelligence/unc6201-exploiting-dell-recoverpoint-zero-day
- https://nvd.nist.gov/vuln/detail/CVE-2026-22769
CVSS
What is CVE-2026-22769 Dell RecoverPoint for Virtual Machines (RP4VMs) Hard-coded Credentials Exploitation?
Dell RecoverPoint for Virtual Machines (RP4VMs) Hard-coded Credentials Exploitation (CVE-2026-22769) maps to the MITRE ATT&CK tactics Initial Access (the adversary is trying to get into your network), Credential Access, and Lateral Movement.
This page provides production-ready detection logic for Dell RecoverPoint for Virtual Machines (RP4VMs) Hard-coded Credentials Exploitation, covering the data sources and telemetry it touches: SigninLogs, CommonSecurityLog, Syslog, AzureActivity. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
// Optional: appliance management IPs. Empty list = no IP scoping on the CommonSecurityLog and Syslog legs.
let rp4vm_ips = dynamic([]);
// Usernames the page treats as default/hard-coded RP4VMs accounts.
let hardcoded_users = dynamic(["admin", "support", "boxmgmt", "root", "service", "recover"]);
union
(
SigninLogs
| where TimeGenerated >= ago(7d)
| where AppDisplayName has_any ("RecoverPoint", "RP4VM", "Dell RecoverPoint")
| where ResultType == 0
| where UserPrincipalName has_any (hardcoded_users)
| project TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName, Location, DeviceDetail, AuthenticationDetails
| extend AlertReason = "Successful login using known RP4VMs default/hardcoded username"
),
(
CommonSecurityLog
| where TimeGenerated >= ago(7d)
// Require vendor AND product: matching on DeviceVendor alone fires on every Dell device that logs a root/admin login.
// The vendor string may be "Dell", "Dell EMC" or "EMC" depending on the forwarder, so match on either token.
| where DeviceVendor has_any ("Dell", "EMC") and DeviceProduct has_any ("RecoverPoint", "RP4VM")
| where array_length(rp4vm_ips) == 0 or SourceIP in (rp4vm_ips)
| where Activity has_any ("login", "authentication", "ssh", "console")
| where SourceUserName has_any (hardcoded_users)
| project TimeGenerated, SourceIP, SourceUserName, DeviceProduct, Activity, Message
| extend AlertReason = "RP4VMs appliance authentication event with suspected hard-coded credential username"
),
(
Syslog
| where TimeGenerated >= ago(7d)
| where Computer has_any ("recoverpoint", "rp4vm", "rpa")
| where array_length(rp4vm_ips) == 0 or HostIP in (rp4vm_ips)
// "Accepted password"/"Accepted publickey" come from sshd; "session opened" from pam_unix, so one login may produce two rows.
| where SyslogMessage has_any ("Accepted password", "Accepted publickey", "session opened") and SyslogMessage has_any (hardcoded_users)
| project TimeGenerated, Computer, HostIP, SyslogMessage, ProcessName
| extend AlertReason = "SSH session opened on RP4VMs appliance using suspected hard-coded credential"
),
(
// Low-fidelity leg: AzureActivity does not carry RP4VMs appliance events; it only catches Azure recovery operations
// performed by an account whose name collides with a default RP4VMs username.
AzureActivity
| where TimeGenerated >= ago(7d)
| where OperationNameValue has_any ("Microsoft.RecoveryServices", "backup", "replication")
| where ActivityStatusValue == "Success"
| where Caller has_any (hardcoded_users)
| project TimeGenerated, Caller, CallerIpAddress, OperationNameValue, ResourceGroup
| extend AlertReason = "Azure recovery services operation by suspected hard-coded credential account"
)
| order by TimeGenerated desc
Detects authentication events against Dell RP4VMs appliances using known default or hard-coded usernames across SigninLogs, CommonSecurityLog, Syslog, and AzureActivity. Surfaces successful logins, SSH sessions, and management operations consistent with CVE-2026-22769 exploitation.
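The Syslog and CommonSecurityLog legs of the query above, re-implemented in Python so the predicates can be exercised offline before they are deployed. This is an added example, not code from the original page or from Dell. The sshd/pam_unix syslog lines and the CEF lines are constructed sample input (the first syslog line is the signal Test 1 in the Testing Methodology expects); KNOWN_SUPPORT_SOURCES and its address are a hypothetical allowlist standing in for documented vendor-support sessions from the False Positives list. The second CEF line is a non-RecoverPoint Dell device, which the original "vendor OR product" filter would have matched and the corrected "vendor AND product" filter does not. The username check here extracts the user field explicitly, which is stricter than the KQL term match on the whole message.

```python
"""Offline check of the RP4VMs hard-coded-credential detection logic.

Added example, not from the page or from Dell. All log lines below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Usernames from the page's hardcoded_users list.
HARDCODED_USERS = {"admin", "support", "boxmgmt", "root", "service", "recover"}
# Hostname terms from the page's Computer filter (matched as whole tokens, like KQL "has").
RP4VM_HOST_TERMS = ("recoverpoint", "rp4vm", "rpa")
# Hypothetical allowlist for documented Dell support sessions (assumed address, not real).
KNOWN_SUPPORT_SOURCES = {"192.0.2.10"}

# Constructed sshd/pam_unix syslog lines; not real appliance output.
SYSLOG_SAMPLE = """\
<86>Feb 18 10:01:02 rp4vm-rpa1 sshd[2143]: Accepted password for admin from 198.51.100.7 port 51022 ssh2
<86>Feb 18 10:01:02 rp4vm-rpa1 sshd[2143]: pam_unix(sshd:session): session opened for user admin by (uid=0)
<86>Feb 18 10:05:40 rp4vm-rpa1 sshd[2201]: Accepted publickey for support from 192.0.2.10 port 40010 ssh2
<86>Feb 18 10:07:11 rp4vm-rpa1 sshd[2250]: Failed password for admin from 198.51.100.9 port 51100 ssh2
<86>Feb 18 10:09:00 webfront01 sshd[311]: Accepted password for admin from 198.51.100.7 port 51300 ssh2
<86>Feb 18 10:12:33 recoverpoint-vrpa2 sshd[2390]: Accepted password for jsmith from 10.20.0.5 port 50222 ssh2
"""

# Constructed CEF lines as they would land in CommonSecurityLog; vendor/product strings are assumed.
CEF_SAMPLE = """\
CEF:0|Dell|RecoverPoint for VMs|6.0|100|Management login|5|suser=boxmgmt src=198.51.100.7 msg=SSH login
CEF:0|Dell|PowerEdge iDRAC|2.0|101|login|3|suser=root src=10.1.1.4 msg=Web login
"""

SYSLOG_RE = re.compile(
    r"^(?:<\d+>)?(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+(?P<proc>[\w\-]+)(?:\[\d+\])?:\s+(?P<msg>.*)$"
)
SSH_ACCEPT_RE = re.compile(r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+)")
SESSION_RE = re.compile(r"session opened for user (?P<user>\S+)")
CEF_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


@dataclass
class Alert:
    source: str          # "Syslog" or "CommonSecurityLog"
    host: str
    user: str
    src_ip: Optional[str]
    reason: str
    suppressed: bool     # True when the source IP is on the support allowlist


def is_rp4vm_host(host: str) -> bool:
    """Token match on the hostname, equivalent to KQL Computer has_any(...)."""
    tokens = re.split(r"[^a-z0-9]+", host.lower())
    return any(t in tokens for t in RP4VM_HOST_TERMS)


def detect_syslog(text: str) -> List[Alert]:
    alerts = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m or not is_rp4vm_host(m["host"]):
            continue
        acc, sess = SSH_ACCEPT_RE.search(m["msg"]), SESSION_RE.search(m["msg"])
        if acc:
            user, ip = acc["user"], acc["ip"]
        elif sess:
            user, ip = sess["user"], None  # pam_unix line carries no source address
        else:
            continue  # failed logins and other sshd chatter are out of scope
        if user not in HARDCODED_USERS:
            continue
        alerts.append(Alert("Syslog", m["host"], user, ip,
                            "SSH session opened on RP4VMs appliance using suspected hard-coded credential",
                            suppressed=ip in KNOWN_SUPPORT_SOURCES))
    return alerts


def parse_cef(line: str):
    """Split the seven pipe-delimited CEF header fields and the key=value extension."""
    parts = line.split("|", 7)
    if len(parts) < 8 or not parts[0].startswith("CEF:"):
        return None
    header = dict(zip(("version", "vendor", "product", "dev_version", "sig_id", "name", "severity"), parts[:7]))
    return header, dict(CEF_EXT_RE.findall(parts[7]))


def detect_cef(text: str) -> List[Alert]:
    alerts = []
    for line in text.splitlines():
        parsed = parse_cef(line)
        if not parsed:
            continue
        hdr, ext = parsed
        vendor_ok = any(v in hdr["vendor"].lower() for v in ("dell", "emc"))
        product_ok = any(p in hdr["product"].lower() for p in ("recoverpoint", "rp4vm"))
        activity_ok = any(a in hdr["name"].lower() for a in ("login", "authentication", "ssh", "console"))
        user = ext.get("suser", "")
        # Vendor AND product: vendor alone would also fire on the iDRAC root login.
        if not (vendor_ok and product_ok and activity_ok and user in HARDCODED_USERS):
            continue
        ip = ext.get("src")
        alerts.append(Alert("CommonSecurityLog", hdr["product"], user, ip,
                            "RP4VMs appliance authentication event with suspected hard-coded credential username",
                            suppressed=ip in KNOWN_SUPPORT_SOURCES))
    return alerts


def run_detection(syslog_text: str = SYSLOG_SAMPLE, cef_text: str = CEF_SAMPLE) -> List[Alert]:
    return detect_syslog(syslog_text) + detect_cef(cef_text)


if __name__ == "__main__":
    for a in run_detection():
        print(("SUPPRESSED " if a.suppressed else "ALERT      ") + f"{a.source} {a.host} user={a.user} src={a.src_ip}")
```

Running it yields two unsuppressed syslog alerts for the admin login (the sshd and pam_unix rows for one session), one suppressed alert for the support login from the allowlisted address, and one CommonSecurityLog alert for boxmgmt; the webfront01 host, the failed login, the non-default user and the iDRAC line produce nothing. Populate the allowlist from change records rather than from observed traffic, otherwise an attacker's source becomes "known" after the first successful login.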
Data Sources
Required Tables
False Positives
- Legitimate administrators using default usernames that have not been renamed post-deployment
- Automated backup or replication jobs configured with service accounts sharing names with known defaults
- Vendor support sessions initiated by Dell engineers using documented service credentials
- Integration scripts or orchestration platforms authenticating with default credentials prior to hardening
Sigma rule & cross-platform mapping
The detection logic for Dell RecoverPoint for Virtual Machines (RP4VMs) Hard-coded Credentials Exploitation (CVE-2026-22769) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:
logsource:
  product: azure
Note that this logsource covers only the SigninLogs and AzureActivity legs; the Syslog (sshd) and CommonSecurityLog (CEF) legs need their own Linux and network-device logsources when converted to Sigma.
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: RP4VMs Default Credential SSH Authentication Simulation
Expected signal: SSH authentication event in /var/log/auth.log on the target RP4VMs appliance showing 'Accepted password for admin from <attacker_ip>'. SIEM should receive this via syslog forwarding from the appliance.
- Test 2: RP4VMs Post-Exploitation Command Execution via Hard-coded Credentials
Expected signal: SSH session opened for user 'support' followed by process execution events (cat, ps, netstat/ss, find) visible in Auditd or Falco telemetry if deployed on the RP4VMs Linux host.
- Test 3: RP4VMs Credential Discovery — Searching for Additional Credentials Post-Compromise
Expected signal: Auditd EXECVE syscall events for grep, cat, and env commands executed under the 'boxmgmt' user context on the RP4VMs host. File access events for /etc directory traversal.
- Test 4: RP4VMs Persistence — Unauthorized SSH Key Installation
Expected signal: File write event to ~/.ssh/authorized_keys under the 'admin' user account on the RP4VMs host. Auditd or Falco should capture the open/write syscalls against the authorized_keys file path.