CVE-2026-22769: Critical Dell RecoverPoint Zero-Day Exploited in the Wild

February 18, 2026, 09:15
CVE-2026-22769 Zero-Day in Dell

SOC Prime has recently covered a wave of actively exploited zero-days across major ecosystems, including Apple’s CVE-2026-20700 and Microsoft’s CVE-2026-20805, alongside a fresh Chrome zero-day case. But the avalanche of threats keeps marching into 2026. Recently, researchers from Mandiant and Google Threat Intelligence Group (GTIG) detailed the active exploitation of CVE-2026-22769, a maximum-severity hardcoded-credential vulnerability in Dell products.

The spotlight is on Dell RecoverPoint for Virtual Machines, a VMware-focused backup and disaster recovery solution that has become the target of an in-the-wild zero-day campaign attributed to suspected China-nexus activity. Tracked with a CVSS score of 10.0, CVE-2026-22769 has reportedly been exploited by the China-linked cluster UNC6201 since at least mid-2024, enabling attackers to establish access and deploy multiple malware families, including BRICKSTORM and GRIMBOLT.

SOC Prime Platform helps security teams close the gap between “a CVE was disclosed” and “we have detection intel.” Sign up now to access the world’s largest detection intelligence dataset, backed by advanced solutions to take your SOC to the next level. Click Explore Detections to reach vulnerability-focused detection content pre-filtered by the “CVE” tag.

All rules are compatible with dozens of SIEM, EDR, and Data Lake formats and mapped to MITRE ATT&CK®. Additionally, each rule is enriched with extensive metadata, including CTI references, Attack Flow visualization, triage recommendations, audit configurations, and more.

Security teams can also leverage Uncoder AI to accelerate detection engineering end-to-end by generating rules directly from live threat reports, refining and validating detection logic, converting IOCs into custom hunting queries, and instantly translating detection code across diverse language formats.

CVE-2026-22769 Analysis

In its advisory from February 17, 2026, Dell describes CVE-2026-22769 as a hardcoded credential vulnerability in RecoverPoint for Virtual Machines prior to 6.0.3.1 HF1, and assigns it the highest severity rating. Dell warns that an unauthenticated remote attacker who knows the hardcoded credential could gain unauthorized access to the underlying operating system and even establish root-level persistence.

GTIG and Mandiant’s investigation adds the operational detail behind that impact. Security experts observed activity against the appliance’s Apache Tomcat Manager, including web requests using the admin username that resulted in the deployment of a malicious WAR file containing the SLAYSTYLE web shell. The researchers then traced this back to hard-coded default credentials for the admin user in Tomcat Manager configuration at /home/kos/tomcat9/tomcat-users.xml. Using those credentials, an attacker could authenticate to Tomcat Manager and deploy a WAR via the /manager/text/deploy endpoint, leading to command execution as root on the appliance.
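The abuse chain above gives defenders two concrete places to look: which accounts in tomcat-users.xml hold Manager roles at all, and whether the access log shows a remote client reaching Tomcat Manager and getting a WAR accepted at /manager/text/deploy. The Python below is an added example, not code from SOC Prime, Dell or GTIG/Mandiant; the XML snippet and log lines are constructed samples, and it assumes Tomcat’s standard AccessLogValve “common”/“combined” log pattern.

```python
"""Two defender checks for the CVE-2026-22769 pattern described above (constructed
samples, not incident data): audit tomcat-users.xml for accounts holding Manager
roles, and scan Tomcat access-log lines for Manager access and WAR deploys."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status"}
DEPLOY_PATH = "/manager/text/deploy"
# Prefix of Tomcat's AccessLogValve "common"/"combined" pattern (assumed log format).
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def manager_accounts(xml_text):
    """Return [(username, sorted manager roles)] for users granted any Manager role."""
    root = ET.fromstring(xml_text)
    hits = []
    for el in root.iter():  # compare local names so the default namespace is irrelevant
        if el.tag.split("}")[-1] != "user":
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",")} & MANAGER_ROLES
        if roles:
            hits.append((el.get("username"), sorted(roles)))
    return hits

def find_manager_abuse(lines):
    """Map client IP -> findings: 'manager_access' for any /manager/ request, plus
    'war_deploy' when the text-deploy endpoint answers 2xx (a WAR was accepted)."""
    findings = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith("/manager/"):
            continue
        findings[m["host"]].append(("manager_access", m["user"], m["path"]))
        if m["path"].split("?")[0] == DEPLOY_PATH and m["status"].startswith("2"):
            findings[m["host"]].append(("war_deploy", m["user"], m["path"]))
    return dict(findings)

# Constructed tomcat-users.xml; passwords are placeholders, not the real credential.
SAMPLE_USERS_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <user username="admin" password="PLACEHOLDER" roles="manager-gui,manager-script"/>
  <user username="ops" password="PLACEHOLDER" roles="tomcat"/>
</tomcat-users>"""
# Constructed access-log lines: one client lists apps, then deploys a WAR successfully.
SAMPLE_LOG = [
    '203.0.113.7 - admin [17/Feb/2026:03:14:05 +0000] "GET /manager/text/list HTTP/1.1" 200 112',
    '203.0.113.7 - admin [17/Feb/2026:03:14:09 +0000] "PUT /manager/text/deploy?path=/svc&update=true HTTP/1.1" 200 45',
    '198.51.100.22 - - [17/Feb/2026:03:15:00 +0000] "GET /ui/login HTTP/1.1" 200 4821',
]
```

On a real appliance, any account returned by manager_accounts is worth cross-checking against the access log, since the advisory’s point is that the admin entry ships with a credential the operator never set.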

UNC6201 is assessed to have used this foothold for lateral movement, persistence, and malware deployment, with the earliest identified exploitation dating back to mid-2024. The initial access vector was not confirmed in these cases, but GTIG notes UNC6201 is known for targeting edge appliances as an entry point.

The post-compromise tooling also evolved over time. Mandiant reports finding BRICKSTORM binaries and then observing a replacement with GRIMBOLT in September 2025. GRIMBOLT is described as a C# backdoor compiled using native ahead-of-time (AOT) compilation and packed with UPX, providing remote shell capability while using the same C2 as BRICKSTORM. The researchers note it is unclear whether the swap was a planned upgrade or a response to incident response pressure.

The activity did not stop at the RecoverPoint appliance. Mandiant reports that UNC6201 pushed deeper into victims’ virtualized environments by creating temporary virtual network ports on VMware ESXi servers, effectively spinning up hidden network connectivity commonly referred to as “Ghost NICs.” This technique allowed the attackers to move quietly from compromised VMs into broader internal networks and, in some cases, toward SaaS environments.

Researchers also report overlaps between UNC6201 and another China-nexus cluster tracked as UNC5221, known for exploiting Ivanti zero-days and previously linked in reporting to Silk Typhoon, though GTIG notes these clusters are not considered identical.

CVE-2026-22769 Mitigation

Dell’s remediation guidance is clear, but it requires follow-through. For the 6.x line, Dell points customers to upgrade to 6.0.3.1 HF1 or apply the vendor remediation script referenced in the advisory, and it also provides migration/upgrade paths for affected 5.3 service pack builds.
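Because the fix is a hotfix build rather than a new release number, a naive version comparison reports 6.0.3.1 as current when it is still exposed. The Python below is an added example (not a Dell tool) that parses RecoverPoint for Virtual Machines version strings, treats the HF suffix as part of the version, and flags 5.3 builds for review against the advisory; the inventory and the assumed “HF<n>” suffix format are constructed for illustration.

```python
"""Version compliance check for the fix above: RecoverPoint for VMs builds below
6.0.3.1 HF1 are still exposed. Added illustration, not a Dell tool; the inventory
and the "HF<n>" hotfix-suffix handling are assumptions about the version format."""
import re

FIXED = (6, 0, 3, 1, 1)  # 6.0.3.1 HF1 as (major, minor, patch, build, hotfix)
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)\s*(?:HF(\d+))?$", re.IGNORECASE)

def parse_version(text):
    """'6.0.3.1 HF1' -> (6, 0, 3, 1, 1); a missing hotfix counts as HF0,
    and short strings are padded so '6.0.3' compares like 6.0.3.0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (4 - len(parts))
    return tuple(parts[:4]) + (int(m.group(2) or 0),)

def assess(text):
    """'fixed', 'vulnerable', or 'review' (5.3 builds need Dell's per-build guidance)."""
    if text.strip().startswith("5."):
        return "review"
    return "fixed" if parse_version(text) >= FIXED else "vulnerable"

def audit(inventory):
    """Map appliance name -> assessment for a {name: version_string} inventory."""
    return {name: assess(ver) for name, ver in inventory.items()}

# Constructed inventory; note that 6.0.3.1 without HF1 is still below the fix.
SAMPLE_INVENTORY = {"rp-vm-01": "6.0.3.1 HF1", "rp-vm-02": "6.0.3.1",
                    "rp-vm-03": "6.0.2", "rp-vm-04": "5.3 SP4"}
```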

To strengthen coverage beyond patching, rely on the SOC Prime Platform to reach the world’s largest detection intelligence dataset, adopt an end-to-end pipeline that spans detection through simulation while streamlining security operations and speeding up response workflows, reduce engineering overhead, and stay ahead of emerging threats.

FAQ

What is CVE-2026-22769 and how does it work?

CVE-2026-22769 is a critical hardcoded-credential vulnerability in Dell RecoverPoint for Virtual Machines. The flaw allows an unauthenticated remote attacker with knowledge of the hardcoded credential to gain unauthorized access to the underlying operating system and achieve root-level persistence.

When was CVE-2026-22769 first discovered?

Dell published its advisory on February 17, 2026, while GTIG and Mandiant report the earliest identified exploitation activity occurred in mid-2024.

What risks does CVE-2026-22769 pose to organizations?

Successful exploitation can provide remote access to the appliance and enable root-level persistence, which can support malware deployment, stealthy long-term access, and pivoting deeper into VMware and enterprise infrastructure.

Can CVE-2026-22769 still affect me in 2026?

Yes. If RecoverPoint for Virtual Machines is running a vulnerable version prior to 6.0.3.1 HF1, or an affected 5.3 build that has not been upgraded per Dell guidance, the environment can remain exposed.

How can you protect from CVE-2026-22769?

Apply Dell’s remediation immediately by upgrading to 6.0.3.1 HF1 or using the vendor’s remediation script path, then confirm version compliance across all appliances and related management surfaces.

The post CVE-2026-22769: Critical Dell RecoverPoint Zero-Day Exploited in the Wild appeared first on SOC Prime.

React2Shell Vulnerability: Maximum-Severity Flaw in React Server Components Actively Exploited by China-Backed Groups

December 5, 2025, 12:49
React2Shell Vulnerability

A new maximum-severity flaw (with a CVSS score of 10.0) in React Server Components (RSC), dubbed React2Shell, is causing a stir in the cyber threat landscape, hot on the heels of the recent exploitation of two high-severity Android Framework vulnerabilities (CVE-2025-48633 and CVE-2025-48572). Defenders have observed multiple Chinese nation-backed groups exploiting the React2Shell vulnerability, which enables RCE and puts vulnerable deployments at significant risk.

For years, China has conducted offensive cyber operations targeting U.S. and international organizations across various sectors, often leveraging nation-state-linked APT groups such as Mustang Panda or APT41 to collect intelligence and sensitive data. 

For a half-decade, China’s nation-backed cyber operations have increasingly emphasized stealth and operational security, creating a more complex and challenging threat landscape for organizations across industries, including the public sector, as well as for the global cybersecurity community. China-linked APT groups remain the fastest and most active state-sponsored actors, often weaponizing new exploits almost immediately after disclosure. The CrowdStrike 2025 Global Threat Report indicates that China-linked threat actors increased state-sponsored cyber operations by 150%.

Register for the SOC Prime Platform, the AI-Native Detection Intelligence Platform for SOC teams to help your organization preempt emerging threats of any sophistication, advanced APT attacks, and evolving vulnerability exploitation campaigns. Click Explore Detections to access a comprehensive collection of SOC content for vulnerability exploitation, smartly filtered by a custom “CVE” tag.

All detections can be applied across diverse SIEM, EDR, and Data Lake systems and are mapped to the MITRE ATT&CK® framework. They are also enriched with AI-native detection intelligence and actionable metadata, including CTI references, attack timelines, audit configuration, and triage recommendations for streamlined threat research and CTI analysis, helping teams boost operational efficiency.

Security teams can also rely on Uncoder AI to accelerate detection engineering workflows end-to-end and take advantage of automated IOC conversion into custom hunting queries, automated detection logic generation directly from threat reports, Attack Flow visualization, ATT&CK tags prediction, and AI-assisted content across multiple language formats—all within a single solution. 

React2Shell Vulnerability Analysis

Defenders recently uncovered a novel maximum-severity vulnerability in React Server Components tracked as CVE-2025-55182, aka React2Shell, which affects React 19.x and Next.js 15.x/16.x with App Router. This pre-authentication RCE flaw was responsibly reported to Meta by Lachlan Davidson, with React and Vercel jointly issuing patches on December 3, 2025. Public PoC exploits surfaced roughly 30 hours after disclosure, followed shortly by the researcher’s own PoCs. 

React2Shell arises from unsafe deserialization of payloads sent via HTTP requests to Server Function endpoints. This logical deserialization flaw in processing RSC payloads allows an unauthenticated attacker to send a crafted HTTP request to any Server Function endpoint, which React then deserializes, enabling execution of arbitrary JavaScript code on the server.

Amazon threat intel teams report that China-linked state-sponsored collectives, both established and previously unknown clusters, including Earth Lamia and Jackpot Panda, are already attempting to weaponize the flaw, which enables unauthenticated RCE through unsafe handling of RSC payloads. 

Adversaries are leveraging both automated scanners and manually executed PoCs, with some tools using evasion tactics like randomized user agents. Their activity extends well beyond CVE-2025-55182, with Amazon’s monitoring showing the same Chinese clusters exploiting other recent vulnerabilities, such as CVE-2025-1338. This underscores a systematic model, in which adversaries track new disclosures, immediately fold public exploits into their tooling, and launch broad campaigns across multiple CVEs at once to maximize target reach.

Notably, many adversaries rely on publicly posted PoCs that do not function in real deployments. The GitHub community has flagged numerous examples that misinterpret the vulnerability, including demos that improperly register dangerous modules or remain “exploitable” even after patching. Yet attackers continue to use them, highlighting clear behavioral trends: rapid adoption over validation, high-volume scanning, low barriers to entry due to public exploit availability, and log noise that can obscure more targeted attacks.

AWS MadPot telemetry confirms that adversaries are persistently iterating on their exploitation attempts. The unattributed cluster (IP 183[.]6.80.214) spent nearly an hour on December 4 repeatedly testing payloads, issuing 100+ requests over 52 minutes, running Linux commands, attempting file writes to /tmp/pwned.txt, and trying to read /etc/passwd. This demonstrates that attackers are not simply firing off automated scans but are actively debugging and refining techniques against live systems.
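The behaviour described above (one source issuing 100+ POSTs to a Server Function endpoint over about 52 minutes while rotating user agents) is something an access log can surface without any knowledge of the RSC payload. The Python below is an added example, not Amazon’s or SOC Prime’s detection logic; the log lines are constructed, the log pattern assumed is the standard “combined” format, and the thresholds are assumptions to tune per site.

```python
"""Heuristic for the React2Shell probing pattern described above: one source
hammering a POST endpoint for many minutes while rotating User-Agents.
Added illustration, not Amazon's or SOC Prime's logic; the log lines are
constructed and the thresholds are assumptions to tune per environment."""
import re
from collections import defaultdict
from datetime import datetime

# "combined" access-log pattern (assumed): ip ident user [ts] "req" status bytes "ref" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
                    r'(?P<path>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def probing_sources(lines, min_posts=20, min_agents=5, max_minutes=60):
    """Return {ip: (posts, distinct_agents, span_minutes)} for sources that send at
    least min_posts POSTs with at least min_agents User-Agents inside max_minutes."""
    per_ip = defaultdict(lambda: {"ts": [], "ua": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        per_ip[m["ip"]]["ts"].append(datetime.strptime(m["ts"], TS_FMT))
        per_ip[m["ip"]]["ua"].add(m["ua"])
    hits = {}
    for ip, rec in per_ip.items():
        span = (max(rec["ts"]) - min(rec["ts"])).total_seconds() / 60
        if len(rec["ts"]) >= min_posts and len(rec["ua"]) >= min_agents and span <= max_minutes:
            hits[ip] = (len(rec["ts"]), len(rec["ua"]), round(span, 1))
    return hits

def make_sample():
    """Constructed log: 120 POSTs spread over ~52 minutes from one IP cycling through
    seven User-Agents, plus a benign client that posts twice with one browser UA."""
    lines = []
    for i in range(120):
        minute, second = divmod(i * 26, 60)  # 26 s apart -> last request at 51:34
        lines.append(f'203.0.113.9 - - [04/Dec/2025:10:{minute:02d}:{second:02d} +0000] '
                     f'"POST /app HTTP/1.1" 200 14 "-" "scanner/{i % 7}"')
    for clock in ("10:05:00", "10:06:00"):
        lines.append(f'198.51.100.4 - - [04/Dec/2025:{clock} +0000] '
                     f'"POST /app HTTP/1.1" 200 14 "-" "Mozilla/5.0"')
    return lines
```

Sources this flags are candidates for blocking at the WAF and for pulling the matching request bodies from any full-capture source, since the access log alone cannot show what was sent to the Server Function.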

Notably, the threat also impacts Next.js applications using App Router. Originally assigned CVE-2025-66478 with a CVSS score of 10.0, it has since been marked by the NIST NVD as a duplicate of the React2Shell vulnerability.

Wiz reported that 39% of cloud environments have systems susceptible to CVE-2025-55182 and CVE-2025-66478. Although AWS services are not impacted, given the critical nature of both vulnerabilities, users are strongly urged to apply patches immediately to ensure maximum protection.

Organizations running React or Next.js on EC2, in containers, or in other self-managed environments should apply updates without delay. To minimize risks from React2Shell exploitation, immediately update affected React and Next.js applications following the AWS Security Bulletin for patched versions. As an interim measure, defenders are recommended to deploy the custom AWS WAF rule provided in the bulletin to block exploit attempts.

Meanwhile, Cloudflare announced that it has implemented a new protection in its cloud-based WAF as a potential React2Shell mitigation step. According to the company, all customers, both free and paid, are safeguarded, provided their React application traffic is routed through Cloudflare’s proxy.

As the number of vulnerabilities actively exploited continues to rise, forward-looking organizations are prioritizing proactive cyber defenses to ensure strong and resilient security postures. SOC Prime’s AI-Native Detection Intelligence Platform helps organizations elevate their cyber defenses at scale by empowering AI technologies and top cybersecurity expertise while maximizing resource effectiveness.

The post React2Shell Vulnerability: Maximum-Severity Flaw in React Server Components Actively Exploited by China-Backed Groups appeared first on SOC Prime.