Surge in Bomgar RMM Exploitation Demonstrates Supply Chain Risk

Source: Dark Reading, archived Apr 21, 2026

The critical remote code execution flaw (CVE-2026-1731) in the remote monitoring and management tool can be exploited to spread ransomware and compromise supply chains.

Elizabeth Montalbano, Contributing Writer
April 21, 2026

A fresh wave of cyberattacks exploiting Bomgar remote monitoring and management (RMM) instances has hit various organizations and their customers over the past two weeks, sparking concerns about further attacks on unpatched systems that can have a rapid downstream effect on the supply chain.

Researchers at the Huntress Security Operations Center (SOC) observed what they call "a sharp uptick" in exploitation activity targeting Bomgar Remote Support (now part of BeyondTrust), with attackers reaching systems through a critical unauthenticated remote code execution (RCE) flaw, CVE-2026-1731, according to a recent blog post from the team.

"This most recent uptick in Bomgar-related incidents follows an initial wave of attacks observed by the SOC in February, when CVE-2026-1731 was first disclosed," Huntress tactical response analyst Josh Allman wrote in the post.

The flaw in BeyondTrust Remote Support and older versions of the vendor's Privileged Remote Access (PRA) allows unauthenticated attackers to craft requests that execute arbitrary operating system commands remotely.

"Keys to the Kingdom"

The recent spate of attacks demonstrates how quickly attackers can turn an initial compromise into access to other organizations and spread across the supply chain. For example, one attack on April 3 compromised a dental software company and affected three downstream companies.

Another attack on April 15 affected a managed service provider (MSP) and "led to the mass isolation of 78 businesses and subsequent exploitation across four downstream customers," Allman wrote.

"Targeting the server running the RMM appliance is like getting the key to the city," he tells Dark Reading via email. "Once they have access to this upstream server, the attacker has access to all the downstream clients."

This is especially dangerous when the server serves a software vendor's support clients or an IT provider's clients, as they will have hundreds, if not thousands, of clients across multiple organizations that the attacker gains access to just by exploiting the server, Allman adds.

Some of the incidents involved the deployment of LockBit ransomware, while in others attackers engaged in reconnaissance, privilege escalation, the execution of other RMMs such as AnyDesk and Atera, and other malicious activity. In the ransomware deployments, Huntress believes the threat actors used the previously leaked LockBit 3.0 builder, Allman noted in the report.

RMMs Under Attack

Overall, the recent incidents demonstrate threat actors' continued shift toward exploiting RMMs rather than using traditional malware. Compromising tools that are nearly ubiquitous in enterprise environments gives them a stealthy and efficient way not only to compromise organizations but also to move laterally to their customers and partners for further attacks.

Huntress observed five recent incidents attacking Bomgar RMM instances in the past two weeks, starting with the one on April 3 that dropped Atera for persistence. Another attack on April 5 also used an RMM, AnyDesk, for persistence, conducted enumeration activities, and added the user to the Local/Domain admin groups.

An attack on April 12 was the first of these recent attacks to deploy LockBit ransomware, with analysts observing "a rogue Bomgar RMM instance being used to gain access to endpoints, which resulted in successful ransomware execution on the network," Allman wrote. "Here, we also saw threat actors use the rogue RMM instance to create and add a new user to the Local Administrators Group," he added.

There were two separate attacks on April 14, with threat actors deploying an RMM in both: AnyDesk in one instance and Atera in the other. Both attacks also saw the threat actors adding users to admin groups, pointing to a show of persistence on the network, Allman noted. The attack that used AnyDesk also deployed LockBit ransomware.

Overall, the attacks demonstrated a pattern of actors targeting high-privilege Bomgar accounts within MSP environments and pushing access tools directly onto domain controllers, according to Huntress. From there, they can entrench themselves and expand laterally into customer networks with minimal resistance.

Defenders, Take Immediate Action

Given that the attack entry point is a known vulnerability and that the incidents are ongoing, they demonstrate once again how important it is for organizations to patch vulnerable systems, which is the first recommendation Huntress made to avoid compromise. With the recent surge in attacker interest in exploiting RMMs, particularly for the deployment of ransomware, patching these systems is especially important.

Although it's unclear who is behind the attacks, which Huntress did not reveal in its report, there is a previous connection between LockBit ransomware gangs and the use of RMMs to spread their foothold in a victim network. Several years ago, a spate of attacks by a LockBit affiliate either took advantage of exposed RMM instances or used their own RMM during the attack to cement the group's footing in victim networks. These attacks also demonstrated how threat actors are bypassing malware in favor of RMM tools or other living-off-the-land (LotL) tactics to make it more difficult for security professionals and analysts to detect malicious activity.

That's yet another reason for defenders to monitor closely for suspicious activity related to the malicious use of legitimate RMMs in their environments, according to Huntress. Other ways to do this are to monitor for unauthorized administrator accounts and for unexpected RMM tool deployment, and to investigate suspicious activity tied to Bomgar processes. Huntress also included a list of indicators of compromise (IOCs), including various executables used in the attacks its SOC observed, to help defenders determine whether they've been affected and need to conduct mitigations.
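As an added example (not code from the Dark Reading article or from Huntress), the following Python detector applies the three monitoring recommendations above to a constructed stream of Windows Security events: RMM agents spawned by a Bomgar process, RMM tools landing on a domain controller, and unexpected or newly created accounts being added to admin groups. Event IDs 4688, 4720, 4728 and 4732 are the standard Windows audit IDs; the process names, the "bomgar" substring match, the RMM name markers and the allow-list are assumptions for the sample.

```python
from collections import defaultdict

ADMIN_GROUPS = {"administrators", "domain admins"}  # local and domain admin groups named in the article
RMM_MARKERS = ("anydesk", "atera")                   # assumption: agent/installer image names contain the vendor string
APPROVED_ADMINS = {"CORP\\svc_backup"}                # constructed allow-list of expected admin-group additions

def is_bomgar(image):
    # Assumption: Bomgar/BeyondTrust Remote Support binaries carry "bomgar" in the image name.
    return "bomgar" in (image or "").lower()

def looks_like_rmm(image):
    return any(marker in image.lower() for marker in RMM_MARKERS)

def detect(events):
    """Return (rule, host, detail) findings for the behaviours Huntress describes.
    Events are simplified Windows Security records: 4688 process creation,
    4720 user created, 4728/4732 member added to a global/local group."""
    findings = []
    created = defaultdict(set)  # host -> accounts created earlier in the stream
    for e in events:
        host, eid = e["host"], e["event_id"]
        if eid == 4688 and looks_like_rmm(e["image"]):
            if is_bomgar(e.get("parent")):          # RMM dropped through the Bomgar session
                findings.append(("rmm_spawned_by_bomgar", host, e["image"]))
            if e.get("role") == "dc":                # access tool pushed onto a domain controller
                findings.append(("rmm_on_domain_controller", host, e["image"]))
        elif eid == 4720:
            created[host].add(e["member"])
        elif eid in (4728, 4732) and e["group"].lower() in ADMIN_GROUPS:
            if e["member"] not in APPROVED_ADMINS:   # unauthorized administrator account
                findings.append(("unauthorized_admin_addition", host, e["member"]))
            if e["member"] in created[host]:         # create-then-promote pattern from the April 12 case
                findings.append(("new_account_promoted_to_admin", host, e["member"]))
    return findings

# Constructed sample stream (not real telemetry); parent process names are assumed.
SAMPLE = [
    {"host": "ws01", "event_id": 4688, "image": "C:\\Windows\\Temp\\AnyDesk.exe", "parent": "bomgar-scc.exe"},
    {"host": "dc01", "event_id": 4688, "image": "C:\\ProgramData\\AteraAgent.exe", "parent": "bomgar-scc.exe", "role": "dc"},
    {"host": "dc01", "event_id": 4720, "member": "CORP\\support2"},
    {"host": "dc01", "event_id": 4728, "group": "Domain Admins", "member": "CORP\\support2"},
    {"host": "srv02", "event_id": 4732, "group": "Administrators", "member": "CORP\\svc_backup"},
    {"host": "ws01", "event_id": 4688, "image": "C:\\Windows\\notepad.exe", "parent": "explorer.exe"},
]

if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE):
        print(f"{rule:32} {host:6} {detail}")
```

The allow-list and the DC role tag stand in for whatever asset inventory and change records an organization actually keeps; the point is that each finding ties back to one of the behaviours Huntress reported rather than to a generic signature.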