What Changed

  • Two outlets report active exploitation of a zero-day in Dell RecoverPoint by China-linked actors, with malware installation on targeted systems [1][4].
  • CISA updated the Known Exploited Vulnerabilities (KEV) catalog with four additional CVEs confirmed under active exploitation, raising immediate remediation priority for affected products [2].
  • New research indicates APIs are currently the most exploited attack surface, shifting risk toward application and integration layers that underpin many critical infrastructure workflows [3].

Observed facts:

  • SecurityWeek: Dell RecoverPoint zero-day exploited by a Chinese cyberespionage group [1].
  • Cyber Press: Same Dell zero-day actively abused to install malware by China-linked threat actors [4].
  • The Hacker News: CISA flags four security flaws as actively exploited in latest KEV update [2].
  • Martechseries: Research finds APIs are the single most exploited attack surface [3].

Cross-Source Inference

  • Attribution coherence and activity scope: The overlap between SecurityWeek and Cyber Press supports the assessment that the same Dell RecoverPoint zero-day is under active exploitation, with malware deployment, by China-linked espionage actors, indicating an intelligence-collection/persistence objective more than monetization [1][4]. Confidence: medium (two sources concur but lack detailed IOCs and victim scope).
  • Critical-infrastructure exposure: RecoverPoint’s role in storage replication/recovery suggests potential impact on data integrity, availability, and disaster recovery paths if compromised; pairing this with KEV additions implies defenders must triage storage/backup and edge-management systems alongside commonly targeted gateways [1][2][4]. Confidence: medium (product function is known generally; victim verticals not specified).
  • Tradecraft trend: The pairing of an exploited storage/replication zero-day with research showing APIs as the most exploited surface implies adversaries are emphasizing control planes and data-movement interfaces (replication, orchestration APIs) to gain durable access and exfiltration paths [1][3][4]. Confidence: medium (trend evidence from research plus current case alignment, but limited technical specifics here).
  • Prioritization for patching: CISA’s KEV update signals confirmed exploitation; when combined with the Dell case, immediate focus should be on known-exploited CVEs in the KEV plus the RecoverPoint zero-day where patches or interim mitigations are available [1][2][4]. Confidence: high (KEV is exploitation-confirmed; two-source corroboration on Dell exploitation).

Implications and What to Watch

  • Short-term risk: Elevated likelihood of stealthy persistence and data theft on storage/backup infrastructure; potential disruption to recovery processes if malware lodges in replication paths [1][4]. Monitor for anomalous replication events and unauthorized management actions. Confidence: medium.
  • Sectoral exposure: Operators with significant data-replication dependencies (healthcare, energy, manufacturing, and public sector) face heightened espionage risk profiles if using affected products [1][3][4]. Confidence: low-to-medium (no victim list provided; inference based on common usage).
  • Defensive priorities (immediate):
      • Apply vendor patches/workarounds for Dell RecoverPoint when available; restrict management interfaces to admin networks; increase logging on replication/management APIs [1][4].
      • Remediate KEV-listed CVEs rapidly per CISA guidance; deploy compensating controls where patching is delayed [2].
      • Harden API gateways and service-to-service auth; enforce least-privilege tokens and anomaly detection on high-risk API methods [3]. Confidence: high for KEV urgency; medium for API controls linkage.
  • What to watch next:
      • Vendor advisories/hotfixes and IOCs for the RecoverPoint zero-day; any CISA/FBI joint alerts that expand attribution and TTPs [1][2][4].
      • Evidence of lateral movement from storage/replication layers into domain controllers or cloud backups (would strengthen assessment of strategic persistence) [1][4].
      • Further empirical data quantifying API abuse in industrial and enterprise settings to refine control prioritization [3].
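The KEV-first prioritization described under Cross-Source Inference and Defensive priorities can be operationalized as a small triage script. The example below is added here and is not part of the brief or any CISA tooling: it matches a KEV feed against an asset inventory and ranks unpatched exposures by overdue status, known ransomware use, and due date. The field names follow CISA's known_exploited_vulnerabilities.json; the feed contents, CVE IDs and inventory are constructed placeholders.

```python
import json
from datetime import date

# Constructed stand-in for the CISA KEV feed (real field names, placeholder
# CVE IDs and dates; nothing here describes an actual vulnerability).
KEV_FEED_JSON = """
{"vulnerabilities": [
  {"cveID": "CVE-0000-00001", "vendorProject": "Dell", "product": "RecoverPoint",
   "dateAdded": "2025-01-10", "dueDate": "2025-01-31", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-0000-00002", "vendorProject": "ExampleCo", "product": "API Gateway",
   "dateAdded": "2025-01-12", "dueDate": "2025-02-02", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-00003", "vendorProject": "OtherCo", "product": "Unrelated Appliance",
   "dateAdded": "2025-01-12", "dueDate": "2025-02-02", "knownRansomwareCampaignUse": "Unknown"}
]}
"""

# Constructed asset inventory: vendor/product strings may differ in case from
# the feed, and "patched" lists CVE IDs already remediated on that host.
INVENTORY = [
    {"host": "rp-node-01", "vendor": "dell", "product": "recoverpoint", "patched": set()},
    {"host": "apigw-01", "vendor": "ExampleCo", "product": "API Gateway", "patched": {"CVE-0000-00002"}},
    {"host": "apigw-02", "vendor": "ExampleCo", "product": "API Gateway", "patched": set()},
]

def load_kev(feed_json: str) -> list[dict]:
    """Parse the KEV feed and return its list of vulnerability records."""
    return json.loads(feed_json)["vulnerabilities"]

def kev_triage(kev: list[dict], inventory: list[dict], today_iso: str) -> list[dict]:
    """Return unpatched (host, CVE) exposures for KEV entries that match the
    inventory, ordered: overdue first, then ransomware-linked, then earliest due."""
    today = date.fromisoformat(today_iso)
    findings = []
    for entry in kev:
        vendor, product = entry["vendorProject"].lower(), entry["product"].lower()
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if asset["vendor"].lower() != vendor or asset["product"].lower() != product:
                continue  # KEV entry does not apply to this asset
            if entry["cveID"] in asset["patched"]:
                continue  # already remediated on this host
            findings.append({
                "host": asset["host"], "cve": entry["cveID"], "due": due.isoformat(),
                "overdue": due < today,
                "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            })
    findings.sort(key=lambda f: (not f["overdue"], not f["ransomware"], f["due"]))
    return findings

if __name__ == "__main__":
    for finding in kev_triage(load_kev(KEV_FEED_JSON), INVENTORY, "2025-02-01"):
        print(finding)
```

Replace KEV_FEED_JSON with the downloaded CISA feed and INVENTORY with an export from your CMDB; entries with no inventory match are dropped, so vendor/product naming should be normalized before relying on the output.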