2026-04-21 Dark Reading

Bomgar RMM Flaw CVE-2026-1731 Enables Ransomware Supply Chain Attacks

Tags: Vulnerability, Ransomware, Supply Chain

Security researchers have identified a critical remote code execution vulnerability, CVE-2026-1731, in Bomgar Remote Monitoring and Management (RMM) software that threat actors are actively exploiting to deploy ransomware and compromise enterprise supply chains. The flaw, rated critical with a CVSS score of 9.8, affects multiple versions of Bomgar's remote support and privileged access management products and potentially exposes thousands of organizations worldwide to remote takeover. Initial exploitation was observed in late 2025, with multiple ransomware-as-a-service operations using the vulnerability to gain initial access to managed service provider (MSP) environments and, through them, the MSPs' downstream customers. The vulnerability lies in the software's authentication mechanism and lets an unauthenticated attacker execute arbitrary code with SYSTEM-level privileges on targeted endpoints; consistent with the 9.8 score, no credentials, user interaction or prior foothold are needed.

The attack chain typically begins with specially crafted HTTP requests sent to vulnerable Bomgar Central or Bomgar Premium instances, exploiting insufficient input validation in the remote support session initialization process. Once an instance is compromised, attackers use the RMM tool's legitimate administrative capabilities to move laterally across connected networks, deploy ransomware payloads such as BlackCat/ALPHV and LockBit variants, and establish persistent backdoors for continued access. Because these actions are carried out through a sanctioned remote support channel, they look like ordinary administrator activity to endpoint controls, which is what makes RMM abuse hard to spot after the fact. Security firm Mandiant, which contributed to the vulnerability disclosure, noted that multiple nation-state threat actors have incorporated the exploit into their initial access toolkits, amplifying the supply chain risk. The vulnerability is particularly dangerous because RMM tools inherently carry a high level of trust within enterprise networks, granting whoever controls them broad access to sensitive systems and data.

Organizations running Bomgar RMM solutions are urged to apply the vendor's emergency patches immediately; the patches address both the RCE vulnerability and related privilege escalation issues. Until patching is feasible, administrators should segment networks so the RMM server cannot reach every endpoint directly, remove internet exposure from Bomgar instances (or restrict access to them to known operator networks), enable enhanced logging, and monitor for anomalous remote support sessions: sessions from unexpected source addresses, outside normal hours, without the expected authentication, or fanning out from one operator to many endpoints in quick succession. Patching does not evict an attacker who has already used the flaw, so session history from the exploitation window should be reviewed and any credentials reachable through the RMM platform rotated. The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-1731 to its Known Exploited Vulnerabilities catalog, requiring federal agencies to remediate the flaw by the due date set in the catalog entry. The incident underscores the growing risk posed by RMM tools as attack vectors, with similar vulnerabilities in ConnectWise ScreenConnect and BeyondTrust Privileged Remote Access exploited in recent supply chain attacks.
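As an added example, not code from the article or from the vendor, the following Python script implements the kind of session monitoring the mitigation guidance above calls for and also looks for the fan-out pattern described in the attack chain (one operator reaching many endpoints in minutes). The JSON-lines log format, its field names, the operator network allowlist, the business-hours window and the fan-out thresholds are all assumptions made for this example; adapt them to the export format your RMM platform actually produces.

```python
"""Flag anomalous remote-support sessions in RMM session logs (illustrative)."""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log in JSON-lines form. The schema (field names, the
# "auth" values, the shell/file_push booleans) is an assumption for this
# example, not the vendor's real export format.
SAMPLE_LOG = """\
{"session_id": "s-001", "start": "2026-04-20T09:12:00Z", "operator": "alice", "operator_ip": "10.20.4.15", "endpoint": "WS-0142", "auth": "mfa", "shell": false, "file_push": false}
{"session_id": "s-002", "start": "2026-04-20T02:41:00Z", "operator": "svc-support", "operator_ip": "203.0.113.77", "endpoint": "DC-01", "auth": "none", "shell": true, "file_push": true}
{"session_id": "s-003", "start": "2026-04-20T02:43:30Z", "operator": "svc-support", "operator_ip": "203.0.113.77", "endpoint": "FS-02", "auth": "none", "shell": true, "file_push": true}
{"session_id": "s-004", "start": "2026-04-20T02:45:10Z", "operator": "svc-support", "operator_ip": "203.0.113.77", "endpoint": "APP-07", "auth": "none", "shell": true, "file_push": false}
{"session_id": "s-005", "start": "2026-04-20T02:47:55Z", "operator": "svc-support", "operator_ip": "203.0.113.77", "endpoint": "WS-0390", "auth": "none", "shell": false, "file_push": true}
{"session_id": "s-006", "start": "2026-04-20T14:05:00Z", "operator": "bob", "operator_ip": "10.20.9.3", "endpoint": "WS-0200", "auth": "password", "shell": true, "file_push": false}
"""

# Assumed policy values; tune these to your environment.
ALLOWED_OPERATOR_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # operator VPN range
BUSINESS_HOURS_UTC = (7, 19)   # sessions starting outside [07:00, 19:00) UTC are flagged
FANOUT_ENDPOINTS = 3           # distinct endpoints reached by one operator ...
FANOUT_WINDOW_S = 600          # ... within this many seconds counts as fan-out


def parse_log(text):
    """Parse JSON lines into session records, sorted by start time."""
    sessions = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        # Accept the trailing "Z" form on Python versions whose fromisoformat does not.
        rec["start"] = datetime.fromisoformat(rec["start"].replace("Z", "+00:00"))
        sessions.append(rec)
    return sorted(sessions, key=lambda r: r["start"])


def session_findings(rec):
    """Per-session checks; returns a list of finding tags (empty means clean)."""
    findings = []
    ip = ipaddress.ip_address(rec["operator_ip"])
    if not any(ip in net for net in ALLOWED_OPERATOR_NETS):
        findings.append("operator_ip_outside_allowlist")
    hour = rec["start"].astimezone(timezone.utc).hour
    lo, hi = BUSINESS_HOURS_UTC
    if not lo <= hour < hi:
        findings.append("off_hours")
    if rec.get("auth") == "none":
        # A session with no authentication at all matches the unauthenticated
        # access the vulnerability is reported to give an attacker.
        findings.append("unauthenticated_session")
    if rec.get("shell") and rec.get("file_push"):
        # Pushing a file and then running commands is how a payload gets staged.
        findings.append("shell_plus_file_push")
    return findings


def fanout_by_operator(sessions):
    """Operators reaching >= FANOUT_ENDPOINTS distinct endpoints within FANOUT_WINDOW_S."""
    by_op = defaultdict(list)
    for rec in sessions:
        by_op[rec["operator"]].append(rec)
    hits = {}
    for op, recs in by_op.items():
        recs.sort(key=lambda r: r["start"])
        best = []
        for i, first in enumerate(recs):  # sliding window anchored at each session
            window = [r for r in recs[i:]
                      if (r["start"] - first["start"]).total_seconds() <= FANOUT_WINDOW_S]
            endpoints = sorted({r["endpoint"] for r in window})
            if len(endpoints) >= FANOUT_ENDPOINTS and len(endpoints) > len(best):
                best = endpoints
        if best:
            hits[op] = best
    return hits


def analyze(text):
    """Run both checks; returns {"sessions": {id: findings}, "fanout": {operator: endpoints}}."""
    sessions = parse_log(text)
    per_session = {r["session_id"]: session_findings(r) for r in sessions}
    return {"sessions": per_session, "fanout": fanout_by_operator(sessions)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for sid, tags in report["sessions"].items():
        if tags:
            print(f"{sid}: {', '.join(tags)}")
    for op, eps in report["fanout"].items():
        print(f"fan-out: {op} reached {len(eps)} endpoints within {FANOUT_WINDOW_S}s: {', '.join(eps)}")
```

Run against the constructed sample, the script flags the four `svc-support` sessions (external source address, off-hours, no authentication, and in two cases a file push followed by a shell) and reports that operator fanning out to four endpoints in under ten minutes, while the two daytime sessions by allowlisted operators stay quiet. The point of the fan-out check is that each of those sessions looks like routine support on its own; only the aggregate across endpoints exposes the lateral movement.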

Source: Dark Reading
