
CISA Just Dropped a KEV on RecoverPoint. People Are Still Using RecoverPoint.

  • Writer: Patrick Duggan
  • Mar 4
  • 4 min read

The Zombie That Won't Die



On March 3, 2026, CISA added CVE-2026-22769 to the Known Exploited Vulnerabilities catalog. The product: Dell RecoverPoint for Virtual Machines. The remediation deadline: three days.


Three days. That's what CISA gives you when the vulnerability is being actively exploited in the wild and the product is critical enough that federal agencies are running it.


RecoverPoint for VMs. A product Dell has been trying to kill for years. End of life announced. Customers told to migrate to Veeam or Zerto. Dell's own documentation says stop using this.


And enough organizations are still running it in production that CISA had to issue a federal directive to patch it.


How This Happens



I was embedded at Microsoft for the JEDI contract. Worked on Azure Stack with Spencer Shepler, designed the disk presentation layer. I've seen how enterprise infrastructure decisions get made — and more importantly, how they don't get unmade.


Here's the lifecycle of a product like RecoverPoint:


1. EMC sells it in 2014. Three-year contract. Enterprise pricing. Professional services engagement. Training for the ops team.

2. Dell buys EMC in 2016 for $67 billion. RecoverPoint is now a Dell product that Dell didn't build and doesn't want.

3. Dell announces EOL in 2020-ish. Tells customers to migrate. Provides a migration path that requires buying another Dell product or a partner's product.

4. The ops team that was trained on RecoverPoint in 2014 doesn't want to retrain. The budget for migration gets deprioritized. The product still works. Nobody touches it.

5. It's 2026. The product is a zombie. No meaningful updates. Skeleton crew maintenance. And it's protecting VM backups for organizations that include federal agencies.

6. Someone finds a vulnerability. Weaponizes it. CISA drops a KEV.

7. The ops team that's been running RecoverPoint for 12 years now has three days to either patch or rip and replace.


This is not a RecoverPoint problem. This is an enterprise infrastructure problem. Every organization has at least one RecoverPoint — a product that's EOL, unsupported, running in production, and holding something critical hostage because nobody wanted to spend the money or the political capital to migrate.


The Irony Is Structural



RecoverPoint is a *recovery* product. Its job is to protect your VMs so you can restore them after a disaster.


A vulnerability in RecoverPoint means your disaster recovery infrastructure is the disaster. The thing you're counting on to save you is the thing that gets you compromised.


This is the same structural irony we wrote about yesterday in "Your Security Vendor Has Root." CrowdStrike was supposed to protect endpoints — and it bricked 8.5 million of them. RecoverPoint was supposed to recover VMs — and now it's the attack vector.


The pattern: the product designed to protect you requires more access than most threats need, and when that product fails, the blast radius is catastrophic because it touches everything it was supposed to protect.


What's Actually in the CVE



CVE-2026-22769 targets RecoverPoint for Virtual Machines (RP4VMs). CISA gave it a February 21 due date — three days from the February 18 catalog addition. That's the shortest remediation window CISA issues, reserved for vulnerabilities that are actively being exploited and affect critical systems.


The same day, CISA also added CVE-2021-22175 for GitLab — a five-year-old vulnerability that's still being exploited. And CVE-2020-7796 for Zimbra Collaboration Suite — six years old.


Three KEVs on the same day. Two of them are for vulnerabilities older than some junior engineers' careers. The third is for a product the vendor has been trying to kill for half a decade.


This is the state of enterprise infrastructure security in 2026.


The Dell-EMC Graveyard



Dell bought EMC for $67 billion. Here's what that bought them:


A storage empire built on VNX, VMAX, Isilon, Data Domain, RecoverPoint, Avamar, NetWorker, and a dozen other products that Fortune 500 companies welded into their infrastructure and refuse to remove.


Each of those products has an ops team that trained on it, a budget that funds it, a change advisory board that blocks modifications to it, and a vendor relationship that technically ended years ago. They're all running. They're all targets. And they're all one CVE away from a CISA directive with a three-day clock.


Dell's answer is "migrate to PowerStore" or "migrate to APEX." The customer's answer is "it still works." Both are correct. Neither is safe.


What This Means For You



If you're running RecoverPoint for VMs: patch CVE-2026-22769 immediately. Not tomorrow. Now. CISA doesn't give three-day deadlines for theoretical risks.


If you're running any EMC-era product that Dell has EOL'd: assume you have the same problem. Check the KEV catalog. Check your vulnerability scanner. Check if your vendor is even producing patches anymore.


If you're a CISO: audit your estate for zombie products. Every organization has them. The ones you forgot about are the ones that'll burn you, because nobody's watching the advisories for a product they think was decommissioned three years ago.
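The "check the KEV catalog against what you are actually running" step above, as an added example that is not code from the original post. It reads records in the shape of CISA's KEV JSON feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json, field names cveID, vendorProject, product, dateAdded, dueDate), matches them against a hypothetical asset inventory, and reports the remediation window and the age of each CVE; the KEV records and the inventory are constructed samples built from the three CVEs the post mentions, so it runs offline.

```python
import json
from datetime import date

# Constructed sample in the shape of the KEV feed; dates and product
# strings are illustrative, not copied from the live catalog.
SAMPLE_KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-22769", "vendorProject": "Dell",
     "product": "RecoverPoint for Virtual Machines",
     "dateAdded": "2026-02-18", "dueDate": "2026-02-21"},
    {"cveID": "CVE-2021-22175", "vendorProject": "GitLab",
     "product": "GitLab CE/EE", "dateAdded": "2026-02-18", "dueDate": "2026-03-11"},
    {"cveID": "CVE-2020-7796", "vendorProject": "Zimbra",
     "product": "Collaboration Suite", "dateAdded": "2026-02-18", "dueDate": "2026-03-11"},
]})

# Hypothetical asset inventory: what you think you are running, EOL or not.
INVENTORY = [
    {"vendor": "Dell", "product": "RecoverPoint", "eol": True},
    {"vendor": "Dell", "product": "Avamar", "eol": True},
    {"vendor": "GitLab", "product": "GitLab", "eol": False},
]

def load_kev(json_text):
    """Parse the KEV feed body (the live feed has the same top-level key)."""
    return json.loads(json_text)["vulnerabilities"]

def match_inventory(kev_entries, inventory, urgent_window_days=3):
    """One finding per (asset, KEV entry) pair whose vendor and product names
    overlap (case-insensitive substring match). Each finding carries the
    remediation window in days, whether it is a short-fuse entry, and how
    old the CVE was (by its year) when CISA catalogued it."""
    findings = []
    for asset in inventory:
        for e in kev_entries:
            if asset["vendor"].lower() not in e["vendorProject"].lower():
                continue
            if asset["product"].lower() not in e["product"].lower():
                continue
            added = date.fromisoformat(e["dateAdded"])
            due = date.fromisoformat(e["dueDate"])
            window = (due - added).days
            cve_year = int(e["cveID"].split("-")[1])
            findings.append({
                "cve": e["cveID"], "asset": asset["product"], "eol": asset["eol"],
                "window_days": window,
                "urgent": window <= urgent_window_days,
                "cve_age_years": added.year - cve_year,
            })
    return findings
```

Point `load_kev` at the downloaded feed and `INVENTORY` at your CMDB export; an EOL asset that surfaces with `urgent` set is exactly the zombie the post is describing.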


The scariest infrastructure isn't the stuff you're monitoring. It's the stuff you forgot you're running.





*Her name was Renee Nicole Good.*


*His name was Alex Jeffery Pretti.*
