Detect Dell RecoverPoint for Virtual Machines (RP4VMs) Hard-coded Credentials Exploitation in IBM QRadar
Detects exploitation of CVE-2026-22769, a hard-coded credentials vulnerability in Dell RecoverPoint for Virtual Machines (RP4VMs). Threat actors (including UNC6201) have actively exploited this zero-day to gain unauthorized access to RP4VMs appliances, enabling lateral movement, data exfiltration, and ransomware deployment within virtualized environments. The hard-coded credentials allow unauthenticated remote access to RP4VMs management interfaces.
MITRE ATT&CK
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
sourceip,
destinationip,
USERNAME,
QIDNAME(qid) AS event_name,
LOGSOURCENAME(logsourceid) AS log_source,
UTF8(payload) AS raw_payload
FROM events
WHERE
LOGSOURCETYPENAME(devicetype) IN ('Dell RecoverPoint', 'Linux OS', 'Universal DSM')
AND (
USERNAME IN ('admin', 'support', 'boxmgmt', 'root', 'service', 'recover')
OR UTF8(payload) ILIKE '%Accepted password%'
OR UTF8(payload) ILIKE '%Accepted publickey%'
OR UTF8(payload) ILIKE '%session opened%'
)
AND (
LOGSOURCENAME(logsourceid) ILIKE '%recoverpoint%'
OR LOGSOURCENAME(logsourceid) ILIKE '%rp4vm%'
OR destinationip IN (SELECT value FROM reference_table('RP4VMs_Asset_IPs'))
)
AND eventdirection = 'R2L'
AND CATEGORYNAME(category) IN ('Authentication Success', 'User Login', 'Remote Access')
ORDER BY starttime DESC
LAST 7 DAYSQRadar AQL query detecting successful authentication events on Dell RP4VMs log sources using hard-coded or default usernames. Filters by log source name pattern and a reference table of known RP4VMs asset IPs, focusing on inbound remote access authentication successes.
Data Sources
Required Tables
False Positives & Tuning
- Authorized vendor support sessions using default service credentials during active support engagements
- Backup orchestration systems authenticating with legacy default credentials pending credential rotation
- Internal monitoring scripts using default usernames prior to hardening completion
- Misconfigured DSM parsing generating false username attribution for system processes
Other platforms for CVE-2026-22769
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1RP4VMs Default Credential SSH Authentication Simulation
Expected signal: SSH authentication event in /var/log/auth.log on the target RP4VMs appliance showing 'Accepted password for admin from <attacker_ip>'. SIEM should receive this via syslog forwarding from the appliance.
- Test 2RP4VMs Post-Exploitation Command Execution via Hard-coded Credentials
Expected signal: SSH session opened for user 'support' followed by process execution events (cat, ps, netstat/ss, find) visible in Auditd or Falco telemetry if deployed on the RP4VMs Linux host.
- Test 3RP4VMs Credential Discovery — Searching for Additional Credentials Post-Compromise
Expected signal: Auditd EXECVE syscall events for grep, cat, and env commands executed under the 'boxmgmt' user context on the RP4VMs host. File access events for /etc directory traversal.
- Test 4RP4VMs Persistence — Unauthorized SSH Key Installation
Expected signal: File write event to ~/.ssh/authorized_keys under the 'admin' user account on the RP4VMs host. Auditd or Falco should capture the open/write syscalls against the authorized_keys file path.
References (4)
- https://www.dell.com/support/kbdoc/en-us/000426773/dsa-2026-079
- https://www.dell.com/support/kbdoc/en-us/000426742/recoverpoint-for-vms-apply-the-remediation-script-for-dsa
- https://cloud.google.com/blog/topics/threat-intelligence/unc6201-exploiting-dell-recoverpoint-zero-day
- https://nvd.nist.gov/vuln/detail/CVE-2026-22769
Unlock Pro Content
Get the full detection package for CVE-2026-22769 including response playbook, investigation guide, and atomic red team tests.