CISA’s 3-Day Patch Order on Dell RecoverPoint Signals Broader Enterprise Risk

Enterprise backup and disaster recovery systems are increasingly viewed as high-value targets by threat actors, particularly when critical vulnerabilities affect core infrastructure platforms.
The Cybersecurity and Infrastructure Security Agency (CISA) has given federal civilian agencies three days to fix a critical security flaw in Dell Technologies’ RecoverPoint for Virtual Machines after adding the issue to its Known Exploited Vulnerabilities catalog on Feb. 18.
The vulnerability, tracked as CVE-2026-22769, carries the highest possible severity rating and stems from hardcoded credentials embedded in the software. Security researchers say the flaw has been used by the China-linked hacking group UNC6201 since at least mid-2024, potentially allowing attackers to maintain extended access to affected systems.
Under CISA’s directive, agencies must apply available patches or take corrective action within three days of the catalog listing.
RecoverPoint is commonly used in enterprise VMware environments to manage backup and disaster recovery operations, meaning the risk is not limited to federal networks. Private sector organizations that rely on the platform may also be exposed if they have not updated vulnerable systems.
Backup infrastructure as a target
Ensar Seker, CISO at threat intelligence firm SOCRadar, said the short deadline underscores both the seriousness of the flaw and the strategic value of backup infrastructure to attackers.
“When CISA orders agencies to patch within three days, that signals confirmed active exploitation and real operational risk. This is not theoretical exposure. A hardcoded credential vulnerability like CVE-2026-22769 effectively removes authentication as a barrier,” he said. “If exploited, it can lead to root-level persistence, which is extremely difficult to detect and eradicate.”
Seker noted that exploitation dating back to mid-2024 raises concerns that some organizations may have experienced months of unauthorized access. Even after installing patches, he said, organizations should assume possible compromise and review credentials, system integrity and potential backdoors.
Although CISA’s order applies to federal agencies, security experts often view additions to the agency’s catalog as a strong warning that organizations across sectors should address the issue without delay.
“The real takeaway for enterprises is this: if federal agencies get three days, the private sector should not assume they have three weeks,” Seker said. “When a vulnerability combines maximum severity, hardcoded credentials and active exploitation, patching becomes a board-level risk discussion, not just an IT task.”
About the Author
Rodney Bosch
Editor-in-Chief/SecurityInfoWatch.com
Rodney Bosch is the Editor-in-Chief of SecurityInfoWatch.com. He has covered the security industry since 2006 for multiple major security publications.

