A fresh wave of cyberattacks has exploited Bomgar RMM instances across organisations and their customers over the past two weeks, underscoring how quickly an unpatched instance puts downstream supply-chain customers at risk. According to the Huntress Security Operations Center, there has been a sharp uptick in exploitation of CVE-2026-1731, an unauthenticated remote code execution flaw in BeyondTrust’s Bomgar Remote Support and older PRA versions.
The latest incidents show attackers moving quickly from initial compromise to spreading across the supply chain. One attack on 3 April affected a dental software company and three downstream firms. Another on 15 April hit a managed service provider, leading to the mass isolation of 78 businesses and exploitation across four downstream customers.
Some campaigns deployed tools such as AnyDesk and Atera for persistence, and in at least one case LockBit ransomware was deployed. Defenders are urged to patch vulnerable systems and monitor for suspicious Bomgar activity. The report notes that threat actors target high-privilege Bomgar accounts within MSP environments and push access tools onto domain controllers to entrench and expand laterally.