Uptick in Bomgar RMM Exploitation
ID: accba24c-a6f8-5e57-be2d-8060c67f2948
STIX ID: report--accba24c-a6f8-5e57-be2d-8060c67f2948
Feed Name: Huntress Blog
Huntress SOC observed an uptick in active exploitation of vulnerable BeyondTrust/Bomgar RMM (CVE-2026-1731) from February through April 2026. Attackers leveraged compromised RMM instances, particularly those of MSPs and service providers, to perform account compromise and privilege escalation, deploy additional remote management tools (AnyDesk, Atera, ScreenConnect), and deliver LockBit ransomware to multiple downstream organizations. The report provides timelines, TTPs, IOCs (hashes, IPs, email, driver names), and remediation guidance.
