Wave of Bomgar Exploitation Puts Downstream Clients at Risk
Over the past two weeks, organizations and their customers have been hit by a fresh wave of cyberattacks exploiting vulnerable Bomgar remote monitoring and management (RMM) instances. The activity has raised urgent concerns about further attacks on unpatched systems and the rapid downstream effects such compromises can have across the supply chain.
Researchers at the Huntress Security Operations Center (SOC) documented what they describe as "a sharp uptick" in exploitation activity targeting Bomgar Remote Support — now part of BeyondTrust — with attackers leveraging a critical unauthenticated remote code execution (RCE) vulnerability tracked as CVE-2026-1731, according to a blog post published by the team.
Huntress tactical response analyst Josh Allman wrote in the post: "This most recent uptick in Bomgar-related incidents follows an initial wave of attacks observed by the SOC in February, when CVE-2026-1731 was first disclosed." The flaw affects BeyondTrust Remote Support and older versions of the vendor's Privileged Remote Access (PRA) product, permitting unauthenticated attackers to craft malicious requests that execute arbitrary operating system commands remotely.
"Keys to the Kingdom": How One Compromised Server Unlocks Hundreds of Clients
The recent spate of incidents illustrates how swiftly a single successful intrusion can ripple through an entire supply chain. In one notable example, an attack on April 3 compromised a dental software company and had downstream consequences for three separate organizations. A subsequent attack on April 15 struck a managed service provider (MSP) and, according to Allman, "led to the mass isolation of 78 businesses and subsequent exploitation across four downstream customers."
Allman explained the significance to Dark Reading via email: "Targeting the server running the RMM appliance is like getting the key to the city. Once they have access to this upstream server, the attacker has access to all the downstream clients." He added that when the victim is a software vendor's support client or an IT provider's client base, hundreds or even thousands of organizations can be exposed through the exploitation of a single server.
Attack Timeline: Five Incidents in Two Weeks
Huntress tracked five separate incidents targeting Bomgar RMM instances during the two-week observation window:
- April 3: Attackers dropped the Atera RMM tool to establish persistence; the intrusion compromised a dental software company and affected three of its downstream clients.
- April 5: Attackers deployed AnyDesk for persistence, conducted enumeration activities, and added the compromised user to Local and Domain administrator groups.
- April 12: The first incident in this recent wave to deploy LockBit ransomware. Analysts observed a rogue Bomgar RMM instance being used to access endpoints, resulting in successful ransomware execution across the network. The threat actors also created a new user and added it to the local Administrators group.
- April 14 (Incident 1): Attackers deployed AnyDesk and also executed LockBit ransomware, while adding users to administrator groups.
- April 14 (Incident 2): A separate attack on the same date used Atera for persistence and similarly added users to admin groups.
In the ransomware deployments, Huntress believes the threat actors used the previously leaked LockBit 3.0 builder, as Allman noted in his report. The identity of the threat actors has not been publicly disclosed by Huntress.
Ransomware, Reconnaissance, and Living Off the Land
The attacks varied in their final objectives. Some incidents culminated in LockBit ransomware deployment, while others involved reconnaissance, privilege escalation, and the installation of additional RMM tools such as AnyDesk and Atera. Across all five incidents, a consistent pattern emerged: threat actors targeted high-privilege Bomgar accounts within MSP environments and pushed access tools directly onto domain controllers, enabling them to entrench themselves and expand laterally into customer networks with minimal friction.
There is historical precedent for this type of activity. Several years ago, a LockBit affiliate conducted a series of attacks that either took advantage of exposed RMM instances or deployed their own RMM tools to consolidate a foothold within victim networks. The current wave reflects an ongoing and broader industry trend: threat actors are increasingly abandoning traditional malware in favor of exploiting RMM platforms and employing living-off-the-land (LotL) tactics. By abusing legitimate tools that are nearly ubiquitous in enterprise environments, attackers can operate more stealthily and make it significantly harder for security professionals and analysts to distinguish malicious activity from routine administrative work.
Why RMMs Make Such Attractive Targets
Remote monitoring and management tools occupy a uniquely privileged position in IT infrastructure. They are designed to provide broad, trusted access across entire client environments — precisely the characteristics that make them so valuable to attackers. When an MSP or software vendor's RMM appliance is compromised, the attacker effectively inherits that vendor's access to every organization it supports. This makes the supply chain risk inherent in RMM exploitation fundamentally different from the compromise of a single endpoint or workstation.
The incidents documented by Huntress underscore how rapidly an attacker can move from initial access on a single Bomgar server to widespread impact across dozens of unrelated organizations, as the April 15 attack affecting 78 businesses demonstrates.
Recommended Defensive Actions
Given that CVE-2026-1731 is a known, disclosed vulnerability and that active exploitation is ongoing, Huntress emphasized the critical importance of patching affected BeyondTrust systems immediately. The firm offered several additional defensive recommendations for organizations and their security teams:
- Patch immediately: Apply available fixes for CVE-2026-1731 in BeyondTrust Remote Support and Privileged Remote Access without delay.
- Monitor for unauthorized administrator accounts: Watch for newly created or modified accounts being added to Local or Domain administrator groups.
- Detect unexpected RMM tool deployment: Alert on the presence of RMM tools such as AnyDesk or Atera that were not sanctioned or expected within the environment.
- Investigate suspicious Bomgar process activity: Review logs and telemetry associated with Bomgar processes for anomalous behavior.
- Review indicators of compromise (IOCs): Huntress published a list of IOCs — including various executables observed across the five incidents — to help defenders determine whether their environments have been affected and to guide mitigation efforts.
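The two detection items above (administrator-group additions and unsanctioned RMM tools) can be expressed as a small rule set over Windows Security log records. The block below is an added example, not Huntress's or BeyondTrust's code, and does not use any Huntress IOC. It assumes events have already been parsed into dictionaries keyed by the standard Security log field names (EventID 4728/4732/4756 for additions to security-enabled global/local/universal groups with MemberName and TargetSid; EventID 4688 for process creation with NewProcessName), that the privileged groups of interest are local Administrators (S-1-5-32-544) plus Domain Admins (RID 512) and Enterprise Admins (RID 519), and that the RMM agents show up as AnyDesk.exe and AteraAgent.exe. The executable names, host names, user names and the sample events are constructed for the example; a real deployment would feed it from a SIEM export or Get-WinEvent output.

```python
"""Flag privileged-group additions and unsanctioned RMM launches in Windows
Security events (added example; field names follow the Security log schema,
executable names and sample data are assumptions)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Well-known SIDs: local Administrators, and the RIDs of the two domain groups
# that matter most when a domain controller is the host.
LOCAL_ADMINISTRATORS_SID = "S-1-5-32-544"
PRIVILEGED_DOMAIN_RIDS = {"512": "Domain Admins", "519": "Enterprise Admins"}
DOMAIN_SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+-(\d+)")

# Agent image names for the two tools named in the article (assumed; extend
# with whatever RMM agents exist in your estate).
RMM_IMAGES = {"anydesk.exe": "AnyDesk", "ateraagent.exe": "Atera"}

# Hosts where any of this activity should be treated as critical (assumed list).
DOMAIN_CONTROLLERS = {"dc01.corp.example"}


@dataclass
class Alert:
    rule: str
    host: str
    severity: str
    detail: str


def _privileged_group(sid: str) -> Optional[str]:
    """Map a group SID to a human label if it is one we care about."""
    if sid == LOCAL_ADMINISTRATORS_SID:
        return "local Administrators"
    m = DOMAIN_SID_RE.fullmatch(sid)
    if m and m.group(1) in PRIVILEGED_DOMAIN_RIDS:
        return PRIVILEGED_DOMAIN_RIDS[m.group(1)]
    return None


def detect(events: Iterable[dict], sanctioned_rmm: frozenset = frozenset()) -> List[Alert]:
    """Run both rules over parsed Security events and return the alerts."""
    alerts: List[Alert] = []
    for ev in events:
        host = ev["Computer"]
        severity = "high" if host.lower() in DOMAIN_CONTROLLERS else "medium"
        eid = ev["EventID"]
        if eid in (4728, 4732, 4756):  # member added to a security-enabled group
            label = _privileged_group(ev["TargetSid"])
            if label:
                alerts.append(Alert("priv-group-add", host, severity,
                    f"{ev['MemberName']} added to {label} by {ev['SubjectUserName']}"))
        elif eid == 4688:  # new process created
            image = ev["NewProcessName"].rsplit("\\", 1)[-1].lower()
            tool = RMM_IMAGES.get(image)
            if tool and tool not in sanctioned_rmm:
                alerts.append(Alert("unsanctioned-rmm", host, severity,
                    f"{tool} started from {ev['NewProcessName']} by {ev['SubjectUserName']}"))
    return alerts


# Constructed sample: a support account creates a user, puts it in local
# Administrators and Domain Admins on the DC, then launches AnyDesk; a benign
# group change and a sanctioned Atera agent on a workstation are mixed in.
SAMPLE_EVENTS = [
    {"EventID": 4720, "Computer": "DC01.corp.example", "SubjectUserName": "bomgar-svc",
     "TargetUserName": "svc_backup2"},
    {"EventID": 4732, "Computer": "DC01.corp.example", "SubjectUserName": "bomgar-svc",
     "MemberName": "CORP\\svc_backup2", "TargetSid": "S-1-5-32-544"},
    {"EventID": 4728, "Computer": "DC01.corp.example", "SubjectUserName": "bomgar-svc",
     "MemberName": "CORP\\svc_backup2", "TargetSid": "S-1-5-21-1111-2222-3333-512"},
    {"EventID": 4728, "Computer": "DC01.corp.example", "SubjectUserName": "helpdesk1",
     "MemberName": "CORP\\jsmith", "TargetSid": "S-1-5-21-1111-2222-3333-1105"},
    {"EventID": 4688, "Computer": "DC01.corp.example", "SubjectUserName": "bomgar-svc",
     "NewProcessName": "C:\\Users\\Public\\AnyDesk.exe"},
    {"EventID": 4688, "Computer": "WS17.corp.example", "SubjectUserName": "SYSTEM",
     "NewProcessName": "C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe"},
]


def run_sample() -> List[Alert]:
    """Evaluate the sample with Atera sanctioned and AnyDesk not."""
    return detect(SAMPLE_EVENTS, sanctioned_rmm=frozenset({"Atera"}))


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.severity}] {a.rule} on {a.host}: {a.detail}")
```

The allowlist is the important design choice: the article's point is that the tools themselves are legitimate, so the rule fires on an RMM agent the organisation did not sanction rather than on AnyDesk or Atera as such, and the same rule will flag a sanctioned agent appearing on a host class (such as a domain controller) where it has no business running if the allowlist is kept per host rather than global.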
Defenders are also advised to implement close monitoring for any signs of malicious use of legitimate RMM tools, a tactic that is becoming increasingly prevalent as threat actors look for ways to blend in with normal network operations and avoid triggering traditional security controls.
The ongoing nature of these attacks, combined with their demonstrated ability to cascade rapidly through supply chains, makes CVE-2026-1731 one of the more pressing vulnerabilities currently being actively exploited in the wild.
Source: Dark Reading