Exploitation of Bomgar RMM Vulnerability Triggers LockBit Ransomware Surge
Severity: High (Score: 72.6)
Sources: Darkreading, www.techtarget.com, Socprime
Summary
A critical remote code execution vulnerability (CVE-2026-1731) in Bomgar's remote monitoring and management (RMM) tool has led to a significant increase in cyberattacks, particularly involving LockBit ransomware. The flaw, which allows unauthenticated attackers to execute arbitrary commands, was publicly disclosed on February 6, 2026, and has since been exploited to compromise both Bomgar customers and their downstream organizations. Huntress Security reported multiple incidents from February to April 2026, where attackers created high-privilege accounts and deployed additional remote access tools. Notable incidents include the compromise of a dental software company and a managed service provider, affecting numerous downstream clients. Organizations are urged to apply patches for CVE-2026-1731 and enhance monitoring of their RMM environments to mitigate risks. The ongoing exploitation highlights a shift towards targeting RMM tools for lateral movement and ransomware deployment.
Key Points:
- CVE-2026-1731 allows unauthenticated remote code execution in Bomgar RMM.
- Recent attacks have led to the deployment of LockBit ransomware across multiple organizations.
- Organizations are advised to patch vulnerable systems and monitor for unauthorized activity.
Key Entities
- Phishing (attack_type)
- Ransomware (attack_type)
- Supply Chain Attack (attack_type)
- CVE-2026-1731 (cve)
- CWE-94 - Code Injection (cwe)
- Government (industry)
- T1021 - Remote Services (mitre_attack)
- T1053 - Scheduled Task/Job (mitre_attack)
- T1059 - Command and Scripting Interpreter (mitre_attack)
- T1078 - Valid Accounts (mitre_attack)
- T1136 - Create Account (mitre_attack)
- Bomgar (platform)
- Atera (platform)
- LockBit (ransomware_group)
- AnyDesk (tool)
- Bomgar-scc.exe (tool)
- HRSword (tool)
- NetScan (tool)