Patch Now: Hardcoded Creds in Dell RecoverPoint for VMs, RCE in Grandstream VoIP Phones, Privilege Elevation in MS WAC

On February 17, 2026, Dell and Google published security advisories warning customers that a maximum-severity flaw in Dell RecoverPoint for Virtual Machines (RP4VMs) is under active exploitation by a state-sponsored threat actor. CVE-2026-22769, CVSS score 10.0, allows an unauthenticated remote attacker to access the underlying operating system and gain root-level persistence due to a hardcoded credential in RP4VMs prior to version 6.0.3.1 HF1. The flaw was added to the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog (CISA KEV) the following day, with a three-day patch deadline of February 21 for government agencies. Mandiant and Google Threat Intelligence Group (GTIG) have observed exploitation of this vulnerability going back as far as 2024 "to move laterally, maintain persistent access, and deploy malware including SLAYSTYLE, BRICKSTORM, and a novel backdoor tracked as GRIMBOLT." The threat actor, suspected to be PRC-backed, is known to target edge appliances such as VPN concentrators for initial access. Mandiant discovered the hardcoded default credentials for the admin user while analyzing Apache Tomcat Manager configuration files during an investigation of compromised Dell RP4VMs actively communicating with a known command-and-control (C2) server. Dell instructs users to remediate by upgrading to RecoverPoint for Virtual Machines 6.0.3.1 HF1, first migrating from 5.3 SP4 P1 to 6.0 SP3 if needed. Dell provides instructions to run their remediation script as an alternative, also noting that "other Dell products, including RecoverPoint Classic (both physical and virtual appliances), are not affected by CVE-2026-22796." Mandiant's advisory offers forensic artifacts, indicators of compromise, and YARA rules for threat hunters and incident responders.

A critical unauthenticated stack-based buffer overflow vulnerability (CVE-2026-2329) affects all six models of Grandstream Networks' GXP1600 series VoIP phones. The vulnerability could be exploited by sending a maliciously crafted request to a vulnerable device to achieve remote code execution with root privileges, allowing attackers to take control of vulnerable devices. The issue was discovered by researchers at Rapid7 who note that "the vulnerability is present in the device's web-based API service, and is accessible in a default configuration." Rapid7 reached out to Grandstream on January 6, 2026, and Grandstream released the patched firmware on February 2, 2026. The vulnerability affects firmware versions 1.0.7.79 and earlier, so users are urged to update to version 1.0.7.81 or newer.

Microsoft has published a security advisory disclosing a high-severity flaw in Windows Admin Center (WAC), a browser-based tool allowing IT administrators to locally manage servers, clusters, and PCs. CVE-2026-26119, CVSS score 8.8, allows an authorized attacker to elevate privileges over a network due to improper authentication in WAC before version 2511. Security researcher Andrea Pierini discovered CVE-2026-26119 in July 2025, and in December Microsoft released WAC 2511, patching the flaw without yet publicly disclosing it. Users who have already updated to version 2511 do not need to take further action, but as of February 10 Microsoft has "updated the high availability deployment script and the associated documentation" for any users who have yet to update.

Deutsche Bahn, Germany's state-owned railway company, suffered a distributed denial-of-service (DDoS) attack earlier this week. The incident disrupted services for several hours on Tuesday, February 17. The attack affected Deutsche Bahn's website, Bahn.de, and the organization's mobile app, DB Navigator; during the disruption, customers were unable to access train information or purchase tickets online. The company declined to "speculat[e] regarding the background of the attack," and says they "are in close contact with the federal authorities." Deutsche Bahn says the app and website are no longer disrupted as of the morning of Wednesday, February 18.

Researchers at Kaspersky are warning that over 13,700 Android devices worldwide are infected by a new variety of backdoor malware, first disclosed in 2025 and dubbed "Keenadu," that is embedded in the firmware of several device brands. The only brand openly named by Kaspersky is Alldocube, and tablets appear to be the devices primarily targeted, with malware either introduced into libandroid_runtime.so during development or added via over-the-air (OTA) firmware updates; "in all cases ... the firmware files carry valid digital signatures." Malicious apps for smart cameras were another distribution vector, and accumulated over 300,000 downloads before being removed from the Google Play store. "A copy of the backdoor is loaded into the address space of every app upon launch" and may be built directly into critical system utilities such as facial recognition and the launcher app. The backdoor grants attackers "virtually unrestricted control over the victim's device," and exploitation has included conducting ad fraud, hijacking browsers and search engines, monitoring app installations, and sometimes adding items to online shopping carts. The researchers recommend reinstalling clean firmware from a trusted source, but note that the safest option is replacing the device.

France's Economy Ministry says that a hacker used credentials stolen from a civil servant to access a national bank account database, compromising details of 1.2 million accounts. The compromised data include account holder names, account numbers, and tax identification numbers. The National Bank Accounts File (FICOBA) holds information on all French bank accounts; the database contains information on more than 80 million individuals. The intruders reportedly had access to the database since late January; the incident was disclosed on Wednesday, February 18. The Directorate General of Public Finances (DGFiP), which operates FICOBA, says individuals whose accounts were compromised will receive notifications over the next few days.

Polish authorities from the country's Central Bureau for Combating Cybercrime (CBZC) have arrested an individual in connection with the Phobos ransomware group. The man was arrested following a raid of his apartment, where officers discovered devices containing account credentials, payment card data, server IP addresses, and other information that could be used to launch cyberattacks, including ransomware. The man allegedly contacted the Phobos ransomware group through encrypted messaging. He "was charged with the crime of creating, acquiring, and sharing computer programs used to unlawfully obtain information, including data enabling unauthorized access to information stored in a computer system (Article 269b § 1 of the Penal Code)" and could face up to five years in prison.

Authorities in 16 African countries have arrested 651 people and recovered more than US $4.3 million in fraudulently obtained funds during a two-month international operation dubbed Operation Red Card 2.0. The operation, which ran from December 8, 2025 through January 30, 2026, "targeted the infrastructure and actors behind high-yield investment scams, mobile money fraud and fraudulent mobile loan applications." In all, the schemes were responsible for more than US $45 million in losses. Authorities seized thousands of devices and took down infrastructure related to scams and fraud schemes that employed phishing, identity theft, social engineering, and infiltration of the internal platform of a major telecommunications provider through compromised staff login credentials. INTERPOL provided support for Operation Red Card 2.0 "through critical intelligence sharing, real-time information exchange and capacity-building activities, including training on digital forensic tools." INTERPOL notes that the operation was conducted under the African Joint Operation against Cybercrime (AFJOC), an initiative funded by the UK’s Foreign, Commonwealth & Development Office.

The Cybersecurity and Infrastructure Security Agency (CISA) added six flaws to the Known Exploited Vulnerabilities (KEV) catalog this week. The newly-added CVEs are a server-side request forgery (SSRF) Vulnerability in GitLab (CVE-2021-22175); a use-after free vulnerability in Google Chromium CSS (CVE-2026-2441); a remote code execution vulnerability in Microsoft Windows Video ActiveX Control (CVE-2008-0015); an unrestricted upload of file with dangerous type vulnerability in TeamT5 ThreatSonar Anti-Ransomware (CVE-2024-7694); and a server-side request forgery vulnerability in Synacor Zimbra Collaboration Suite (CVE-2020-7796). All six flaws have Federal Civilian Executive Branch (FCEB) agency mitigation deadlines of March 10 or 1. A hard-coded credentials vulnerability in Dell RecoverPoint for Virtual Machines (RP4VMs) (CVE-2026-22769), was added with a three-day FCEB mitigation deadline, and is described in greater detail in its own item in today's NewsBites.