It is 2026. We are living in the age of Agentic AI-- which is mostly just a bunch of expensive, over-hyped algorithms making confidently wrong decisions at the speed of light. We're "on the cusp" of quantum-resistant encryption, and cars mostly drive themselves, provided the remote pilot in a different time zone hasn't fallen asleep at their desk. Yet, here I am, opening a blank document to write about hard-coded credentials in Apache Tomcat. Again.
I feel like I'm trying to explain subnetting to someone using an actual abacus. No, it's worse. It's like walking into a state-of-the-art, multi-million dollar surgical suite and finding out the head surgeon "sterilizes" his scalpels by dipping them in a bucket of lukewarm pond water-- don't worry about the floating green bits, that's what makes it special. It is a level of institutional idiocy that is physically painful to contemplate, but I'm going to try.
Mandiant just dropped a report on a zero-day (CVE-2026-22769) being exploited by a PRC-nexus threat actor. The target? Dell RecoverPoint for Virtual Machines. The culprit? Hard-coded default credentials for the Tomcat Manager.
Read that again. Hard-coded. Default. Credentials. In an enterprise-grade protection and recovery appliance. In 2026. I'm sure you can hear my sigh from here.
Let's wade into the swamp, green bits and all. We are talking about Apache Tomcat. If you've been in this industry longer than a cup of coffee, you know Tomcat. It's the "old, reliable workhorse" of the early 2000s, which is a polite way of saying it's a three-legged mule with a meth habit. It has been responsible for more "oh shit" moments than almost any other middleware in history. It belongs in a museum-- right next to the Zip drive and the AOL trial CD-- or better yet, thrown into a lead-lined coffin and yeeted into the core of the earth.
But here we have Dell-- a company that "definitely" knows better-- not just using it, but shipping it as a core component of a modern virtual appliance. It's like buying a brand-new Ferrari and finding out the fuel pump is actually just a guy in the trunk with a modified turkey baster and a really optimistic attitude. Keep up the great work Lorenzo, I wouldn't be able to do it without you!
This thing has spent the last two decades being the poster child for security engineering via shrug. Remember Ghostcat (CVE-2020-1938)? We spent weeks patching a flaw that allowed anyone to read arbitrary files just because the AJP connector was enabled by default and trusted everything it touched like a naive golden retriever. Good boy!
Or CVE-2017-12617, where you could get Remote Code Execution (RCE) simply by adding a trailing slash to a URL. "Oh, you want to upload a web shell? Sure, just add a / at the end and we'll bypass every security check we have. We wouldn't want to be inconvenient!"
Then there was CVE-2019-0232, where the CGI Servlet was so badly implemented on Windows that you could run arbitrary commands because Tomcat couldn't figure out how to handle a command line. It's a recurring nightmare that we keep waking up in, only to realize the bed is on fire and the fire extinguisher is also made of Tomcat.
The Mandiant report points out that the admin credentials for this Dell mess were just sitting there in tomcat-users.xml. This isn't a "sophisticated" attack. This isn't some nation-state wizardry involving zero-click Pegasus-style exploits. This is an "I found the key under the mat and the mat says 'KEYS LOCATED UNDER ME!'" level of failure.
The threat actors-- UNC6201-- didn't have to be geniuses. They just had to be patient enough to check the digital equivalent of a password written by the Pepsi Sky Writers over their head. Once they were in? Game over. They deployed malicious WAR files, dropped backdoors like GRIMBOLT (which, ironically, is written in modern C# AOT-- apparently the hackers have better development standards than Dell), and started frolicking through VMware infrastructure like they owned the lease. Because, for all intents and purposes, they did-- nice spin and twirl there guys!
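Since the whole failure comes down to an account in tomcat-users.xml and a Manager app that will happily take a WAR from whoever holds it, here is the kind of check a defender can run today. This is an added example, not code from the original post, from Dell, or from the Tomcat project: it audits a tomcat-users.xml for Manager-role accounts with weak or username-matching passwords, and scans Tomcat access-log lines for successful hits on the Manager deploy/upload endpoints. The sample XML, the log lines, and the short weak-password list are all constructed for illustration; the role names and endpoint paths are the documented Tomcat Manager ones.

```python
"""Audit tomcat-users.xml for weak Manager credentials and spot Manager
deployments in Tomcat access logs.

Added example, not from the original post or from Dell/Apache. The XML,
the log lines and WEAK_PASSWORDS below are constructed, illustrative data."""
import re
import xml.etree.ElementTree as ET

# Roles that grant control of the Tomcat Manager / Host Manager apps
# (real role names from the Tomcat manager webapp documentation).
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                 "manager-status", "admin-gui", "admin-script"}

# Constructed, deliberately short list of passwords that must never ship
# in an appliance. A real baseline would be a proper wordlist.
WEAK_PASSWORDS = {"tomcat", "admin", "password", "manager", "s3cret", "changeit", ""}

# Constructed sample tomcat-users.xml in the Tomcat 1.0 schema.
SAMPLE_USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="admin" password="s3cret" roles="manager-gui,manager-script"/>
  <user username="appliance" password="x7Q!v9#Lp2$zRw" roles="manager-script"/>
  <user username="reporter" password="reporter" roles="tomcat"/>
</tomcat-users>
"""

def audit_tomcat_users(xml_text):
    """Return (username, severity, reason) for accounts whose password is on
    the weak list or equals the username. Severity is 'high' when the account
    also holds a Manager role, since that is exactly what deploys a WAR."""
    findings = []
    root = ET.fromstring(xml_text)
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]        # strip the XML namespace
        if tag != "user":
            continue
        name = el.get("username") or el.get("name") or ""   # Tomcat accepts both
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        reasons = []
        if password in WEAK_PASSWORDS:
            reasons.append("password is on the weak/default list")
        if password and password.lower() == name.lower():
            reasons.append("password equals username")
        if not reasons:
            continue
        severity = "high" if roles & MANAGER_ROLES else "medium"
        findings.append((name, severity, "; ".join(reasons)))
    return findings

# Constructed access-log lines in Tomcat's default common log format.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [10/Feb/2026:03:14:07 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - admin [10/Feb/2026:03:14:09 +0000] "GET /manager/html HTTP/1.1" 200 19234
203.0.113.7 - admin [10/Feb/2026:03:14:31 +0000] "PUT /manager/text/deploy?path=/updater HTTP/1.1" 200 67
198.51.100.4 - - [10/Feb/2026:08:02:11 +0000] "GET /index.jsp HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Manager endpoints that accept an application deployment.
DEPLOY_PREFIXES = ("/manager/text/deploy", "/manager/html/deploy", "/manager/html/upload")

def find_manager_deploys(log_text):
    """Return (ip, user, method, path) for every successful (200) request to a
    Manager deploy/upload endpoint. Any hit from an address that is not your
    build pipeline, or using the stock admin account, deserves a look."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        if path.startswith(DEPLOY_PREFIXES) and m.group("status") == "200":
            hits.append((m.group("ip"), m.group("user"), m.group("method"), path))
    return hits

if __name__ == "__main__":
    for name, sev, why in audit_tomcat_users(SAMPLE_USERS_XML):
        print(f"[{sev.upper()}] user {name!r}: {why}")
    for ip, user, method, path in find_manager_deploys(SAMPLE_ACCESS_LOG):
        print(f"[DEPLOY] {method} {path} by {user} from {ip}")
```

Point it at the real files on an appliance (tomcat-users.xml lives under the Tomcat conf directory, access logs under its logs directory) and the two findings you want to never see are a "high" on an account you did not create and a deploy from an address you do not recognise. Digested passwords (Tomcat's CredentialHandler output) will not match the weak list, which is the point: if a stock account still trips it, the password was shipped in the clear.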
It is absolutely jaw-dropping. We spend millions on EDR, XDR, and "threat hunting" tools while the front door is being held open by a hard-coded password from the Clinton administration. The fact that someone at Dell didn't understand why this was bad shows how deep the stupidity goes.
Look, if you're running RecoverPoint, you already know what you need to do: patch it, hide it, and pray you aren't already a footnote in a Mandiant report. But the bigger point is this: we have to stop accepting "it's just legacy code" as an excuse for being lazy. If a multi-billion dollar company is still shoving Tomcat into their "modern" tech stack and leaving the back door unlocked, they need to be shamed for it. Loudly.
We can't build a 2026 security posture on 1996 foundations. It's time to stop pretending that's okay. Otherwise, I'll be sitting here in 2036 writing a post about how a Martian colony got wiped out because someone left VNC running on a Windows 95 box for "administration."
Anyway, I'm just going to go live in the woods. No computers. Just me and the bears. At least the bears are honest about wanting to rip my face off.