Uncle Sam's cyber defenders have given federal agencies just three days to patch a maximum-severity Dell bug that's been under active exploitation since at least mid-2024.

CISA this week added the flaw, tracked as CVE-2026-22769, to its Known Exploited Vulnerabilities catalog, ordering civilian agencies to secure affected systems by February 21 – giving them just three days to get fixes in place.

"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA warned, underscoring the urgency behind the unusually tight remediation window.

The bug affects Dell RecoverPoint for Virtual Machines and stems from hardcoded credentials that can allow attackers to gain unauthorized access. Dell disclosed and patched the issue earlier this week, noting that criminals had already been exploiting it before a fix was available.

"We have received a report of limited active exploitation of this vulnerability," a Dell spokesperson told The Register at the time, urging customers to get the recommended mitigations in place pronto.

Researchers say the bug quickly found its way into a broader espionage playbook tied to suspected China-nexus operators. According to Google's Mandiant incident response team, miscreants have exploited the vulnerability since at least mid-2024 to move laterally across networks, maintain persistence, and deploy a range of malware families.

• Texas sues TP-Link over China links and security vulnerabilities
• China-linked snoops have been exploiting Dell 0-day since mid-2024, using 'ghost NICs' to avoid detection
• Attackers finally get around to exploiting critical Microsoft bug from 2024
• Were telcos tipped off to *that* ancient Telnet bug? Cyber pros say the signs stack up

Among the tools seen in the wild are the Brickstorm backdoor and a newer implant called Grimbolt, which, in some cases, has been swapped in for older malware. Researchers also spotted attackers spinning up so-called "Ghost NICs" on virtual machines to quietly pivot around compromised environments without tripping alarms.

A cluster tracked as UNC6201 has used the flaw to deploy multiple payloads, including Slaystyle, Brickstorm, and Grimbolt, during long-running intrusions, according to Mandiant. The firm says it knows of fewer than a dozen confirmed victims so far, though the true number could be higher.

Mandiant says the activity shares some hallmarks with Silk Typhoon, a Chinese state-backed espionage crew known for targeting government agencies and previously tied to breaches involving custom malware. The group has repeatedly exploited zero-day bugs to break into sensitive networks, including US federal systems.

The latest directive continues a pattern of rapid-fire patch orders from CISA as it tries to shrink the window between disclosure and remediation for actively exploited bugs. Just last week, the agency similarly gave federal agencies three days to lock down BeyondTrust Remote Support instances against a separate remote code execution flaw.

When CISA slaps a bug on the KEV list with a three-day deadline, it's less a gentle reminder and more a flashing neon sign that says patch now, ask questions later. ®