VYPR
breach · Published Apr 21, 2026 · Updated May 18, 2026 · 1 source

Surge in Bomgar RMM Exploitation Demonstrates Supply Chain Risk

Attackers are actively exploiting a critical unauthenticated RCE vulnerability in BeyondTrust Remote Support (Bomgar) to deploy LockBit ransomware and compromise downstream clients via MSP supply chains.

A fresh wave of cyberattacks exploiting Bomgar remote monitoring and management (RMM) instances has hit various organizations and their customers over the past two weeks, sparking concerns about further attacks on unpatched systems that can have a rapid downstream effect on the supply chain.

Researchers at Huntress Security Operations Center (SOC) observed what they call "a sharp uptick" in exploitation activity targeting Bomgar Remote Support (now part of BeyondTrust), with attackers reaching systems through a critical unauthenticated remote code execution (RCE) flaw, CVE-2026-1731, according to a recent blog post from the team.

"This most recent uptick in Bomgar-related incidents follows an initial wave of attacks observed by the SOC in February, when CVE-2026-1731 was first disclosed," Huntress tactical response analyst Josh Allman wrote in the post. The flaw in BeyondTrust Remote Support and older versions of the vendor's Privileged Remote Access (PRA) allows unauthenticated attackers to craft requests that can execute arbitrary operating system commands remotely.

The recent spate of attacks demonstrates how quickly attackers can turn an initial compromise into access to other organizations and spread across the supply chain. For example, one attack on April 3 compromised a dental software company and affected three downstream companies. Another attack on April 15 affected a managed service provider (MSP) and "led to the mass isolation of 78 businesses and subsequent exploitation across four downstream customers," Allman wrote.

"Targeting the server running the RMM appliance is like getting the key to the city," he tells Dark Reading via email. "Once they have access to this upstream server, the attacker has access to all the downstream clients." This is especially dangerous when the server belongs to a software vendor's support operation or an IT provider, as they will have hundreds, if not thousands, of clients across multiple organizations that the attacker gains access to just by exploiting the one server, Allman adds.

Some of the incidents involved the deployment of LockBit ransomware, while in others attackers engaged in reconnaissance, privilege escalation, the execution of other RMMs such as AnyDesk and Atera, and other malicious activity. In ransomware deployments, Huntress believes the threat actors used the previously leaked LockBit 3.0 builder, Allman noted in the report.

Overall, the recent incidents demonstrate threat actors' continued shift toward exploiting RMMs rather than relying on traditional malware. Because these tools are nearly ubiquitous in enterprise environments, compromising them gives attackers a stealthy and efficient way not only to compromise an organization but also to move laterally to its customers and partners for further attacks.

Given that the attack entry point is a known vulnerability and that the incidents are ongoing, they demonstrate once again how important it is for organizations to patch vulnerable systems, which is the first recommendation Huntress made to avoid compromise. With the recent surge in attacker interest in exploiting RMMs — particularly for the deployment of ransomware — patching these systems is especially urgent.

Synthesized by Vypr AI