# Supply Chain Alert: Surge in Bomgar RMM Exploitation Exposes Widespread Risk to Managed Service Providers


A significant uptick in exploitation attempts targeting Bomgar Remote Management and Monitoring (RMM) software has exposed a critical vulnerability in IT service delivery infrastructure. Security researchers and incident responders are warning that the surge represents more than isolated technical compromises—it demonstrates a fundamental supply chain risk that threatens organizations across every sector.


Bomgar, a widely deployed RMM platform used by managed service providers (MSPs), IT departments, and system administrators, is a trusted gateway to thousands of corporate networks. When such tools are compromised, the fallout extends far beyond the immediate target to every customer and client relying on the MSP or IT team using the software.


## The Threat


The recent exploitation wave targeting Bomgar has involved multiple attack vectors, with threat actors leveraging known vulnerabilities and potential zero-day exploits to gain remote access to systems managed through the platform. Security teams report seeing attackers move laterally from compromised Bomgar installations into customer networks, establishing persistent access and exfiltrating sensitive data.


Key characteristics of the current threat landscape:


  • Widespread targeting: Both commodity and sophisticated threat actors are actively scanning for vulnerable Bomgar instances
  • Post-exploitation capabilities: Attackers are using compromised Bomgar access to deploy additional payloads, establish backdoors, and move laterally across networks
  • Minimal detection: Many organizations lack visibility into Bomgar administrative activity, making breaches difficult to detect before significant damage occurs
  • Supply chain amplification: A single compromised MSP can affect hundreds of downstream customers

Security vendors have documented active exploitation in the wild, with some attacks appearing automated and others showing signs of manual, targeted operations by well-resourced threat actors.


## Background and Context


Bomgar (now part of the broader BeyondTrust portfolio following a rebrand to BeyondTrust Remote Support) occupies a critical position in enterprise IT architecture. The platform provides remote access and support capabilities that IT teams and MSPs depend on for:


  • Patching and updating systems across distributed networks
  • Troubleshooting end-user devices and servers
  • Accessing secure systems for administrative tasks
  • Providing vendor support and emergency response

This trusted access model makes Bomgar an attractive target. An attacker who compromises Bomgar credentials or exploits a vulnerability gains the same level of system access that legitimate IT administrators possess—which is often broad and unfettered.


Why RMM tools matter in the supply chain:


RMM platforms represent a critical junction point in modern IT infrastructure. MSPs and internal IT teams use these tools to manage thousands of endpoints and servers. A compromise at this junction point is functionally equivalent to an attacker wearing the uniform of a trusted system administrator.


## Technical Details


While specific vulnerabilities vary, recent Bomgar exploitation attempts have leveraged:


Authentication bypass and credential theft: Attackers have targeted weak credential management within Bomgar deployments, using default passwords, leaked credentials, or exploiting authentication mechanisms to gain administrative access.


Known CVE vulnerabilities: Unpatched instances of Bomgar remain vulnerable to publicly disclosed security issues. Organizations that delay applying security updates become low-hanging fruit for attackers using known exploits.


Session hijacking: Some attacks involve intercepting or spoofing Bomgar sessions, allowing attackers to impersonate legitimate administrators without needing valid credentials.


Web interface exploitation: Bomgar's web-based administration console has been a vector for several classes of attacks, including cross-site scripting (XSS), server-side template injection (SSTI), and remote code execution (RCE) vulnerabilities.


Once inside a Bomgar installation, attackers can:


1. Extract administrative credentials and session tokens
2. Pivot to any system the RMM platform can access
3. Deploy malware, ransomware, or persistence mechanisms
4. Exfiltrate data from customer environments
5. Maintain access even after the initial breach is discovered


## Implications for Organizations


The Bomgar exploitation surge highlights several critical risks:


Downstream customer exposure: Organizations that rely on MSPs for IT support may be compromised without their knowledge. An MSP breach can affect dozens, hundreds, or thousands of downstream customers depending on the provider's size.


Supply chain visibility gap: Many organizations lack visibility into the security posture of their MSPs and IT service providers. A breach at the MSP level may go undetected for weeks or months.


Ransomware acceleration: Threat actors who gain access through RMM tools often use that access to deploy ransomware. The speed of deployment and the privileged access level make RMM compromises particularly dangerous in ransomware scenarios.


Regulatory and compliance implications: Organizations using MSPs that experience breaches may face notification requirements, regulatory fines, and compliance violations—despite having no direct responsibility for the MSP's security.


Trust degradation: The breach erodes trust in MSP relationships and forces organizations to reconsider their outsourced IT support model.


## Recommendations


Organizations using Bomgar or similar RMM platforms should take immediate action:


Immediate measures:

  • Patch urgently: Apply all available security updates to Bomgar installations without delay
  • Audit access logs: Review Bomgar administrative activity for suspicious logins, privilege escalations, or unusual access patterns
  • Reset credentials: Force password resets for all Bomgar administrative accounts
  • Check for persistence: Scan for unauthorized user accounts, API keys, or backdoors that might have been created by attackers
  • Assess blast radius: Identify all systems and customers that could have been affected if the Bomgar instance was compromised

Short-term hardening:

  • Network segmentation: Isolate RMM infrastructure on a separate network segment with strict access controls
  • MFA enforcement: Require multi-factor authentication for all administrative access to Bomgar
  • Activity monitoring: Deploy logging and alerting for RMM administrative actions
  • Incident response plan: Develop or update procedures for responding to RMM compromise scenarios
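The "audit access logs", "check for persistence" and "activity monitoring" items above all come down to the same triage logic: flag administrative logins from sources an account has never used, off-hours logins, and any action that creates new access (accounts, API keys, role grants). The script below is an added example, not code from the article or from BeyondTrust; the log format, the baseline of known source IPs and the business-hours window are all constructed assumptions, so adapt the parser to the real audit export of your RMM.

```python
"""Flag suspicious RMM administrative activity in audit log lines.
The log format here is a CONSTRUCTED, simplified example; it is not
Bomgar's / BeyondTrust's real audit format."""
import re
from datetime import datetime

# Constructed sample audit lines: timestamp actor action source-ip detail
SAMPLE_LOG = """\
2024-05-01T09:02:11Z admin1 login 10.0.5.20 ok
2024-05-01T09:15:40Z admin1 session_start 10.0.5.20 host=fileserver01
2024-05-01T23:48:03Z admin1 login 203.0.113.77 ok
2024-05-01T23:49:10Z admin1 user_create 203.0.113.77 user=svc_backup role=admin
2024-05-01T23:50:02Z admin1 apikey_create 203.0.113.77 name=integration
2024-05-02T08:01:00Z admin2 login 10.0.5.21 ok
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) ?(.*)$")

# Baseline of source IPs each admin has historically used (constructed).
KNOWN_SOURCES = {"admin1": {"10.0.5.20"}, "admin2": {"10.0.5.21"}}
# Actions that create new access and must be reviewed after a suspected compromise.
PERSISTENCE_ACTIONS = {"user_create", "apikey_create", "role_grant"}
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 UTC; assumed, tune per organisation


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, actor, action, src, detail = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "actor": actor, "action": action, "src": src, "detail": detail}


def find_suspicious(log_text, known_sources=KNOWN_SOURCES):
    """Return a list of (reason, raw_line) findings; empty when nothing is odd."""
    findings = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue  # skip unparseable lines rather than crash the triage
        if ev["action"] == "login":
            if ev["src"] not in known_sources.get(ev["actor"], set()):
                findings.append(("login from unseen source IP", raw))
            if ev["ts"].hour not in BUSINESS_HOURS:
                findings.append(("off-hours login", raw))
        if ev["action"] in PERSISTENCE_ACTIONS:
            findings.append(("new access created: " + ev["action"], raw))
    return findings


if __name__ == "__main__":
    for reason, line in find_suspicious(SAMPLE_LOG):
        print(f"{reason}: {line}")
```

On the constructed sample this yields four findings, all from the late-night session on a new IP: the login itself (twice, for unseen source and off-hours), the new admin account, and the new API key.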

Long-term strategy:

  • Vendor security assessment: Evaluate the security practices of MSPs and software vendors before engagement
  • Zero-trust principles: Treat RMM access like any other remote access—require authentication, authorization, and monitoring for every action
  • Supplier risk management: Implement formal processes for monitoring and managing third-party security risks
  • Backup and recovery: Maintain offline backups and isolated recovery systems that cannot be accessed through RMM tools

## Conclusion


The surge in Bomgar exploitation reflects a broader category of supply chain risk that extends across enterprise software and IT service delivery. While RMM tools are essential for modern IT operations, their privileged access positions them as high-value targets for threat actors.


Organizations cannot eliminate this risk entirely, but they can significantly reduce their exposure through aggressive patching, access control, monitoring, and vendor risk management. The cost of implementing these controls is minimal compared to the cost of a supply chain breach.


As threat actors continue to target software supply chains and IT infrastructure, organizations must treat their RMM platforms with the same security rigor they apply to their most critical systems.