What Happened
A critical remote code execution vulnerability (CVE-2026-1731) in Bomgar's remote monitoring and management (RMM) platform has exposed organizations to significant risk. This flaw allowed attackers to execute arbitrary code on systems running the vulnerable RMM agent, turning a security management tool into an attack vector. Multiple organizations reported ransomware infections originating from compromised Bomgar instances, where attackers used the RMM's legitimate remote access capabilities to move laterally and deploy encryption payloads across networks.
Timeline
The vulnerability followed a typical pattern for supply chain attacks: it existed in production systems before public disclosure. Attackers exploited the window between disclosure and patch deployment, and organizations without robust third-party risk management only discovered the compromise after observing ransomware behavior or unusual administrative activity.
Which Controls Failed or Were Missing
The core failure was in third-party software risk management. Organizations treated their RMM platform as trusted infrastructure without applying the same security rigor as they would to internet-facing applications. Specific control gaps included:
No privileged access segmentation. The RMM agent ran with administrative privileges across all managed endpoints. When compromised, attackers inherited those privileges immediately. There was no application of the principle of least privilege.
Insufficient network segmentation. The RMM platform had unrestricted network access to managed systems. The tool's legitimate business need became a carte blanche for network access without questioning its necessity.
Missing vulnerability management for third-party tools. Your vulnerability scanning might cover your own applications and operating systems, but do you track CVEs in your RMM platform? Many organizations fail to monitor third-party administrative tools with the same rigor.
No behavioral monitoring for administrative tools. Security teams monitor user, application, and network behavior, but often overlook the RMM tool itself. Its legitimate administrative activity can make anomaly detection difficult.
Inadequate vendor security assessment. Before deploying an RMM platform, your team should evaluate the vendor's secure development practices, incident response capabilities, and patch management SLAs. This assessment should result in contractual security requirements.
What the Standards Require
ISO 27001:2022 includes controls in Annex A. Control 5.19 requires defining and agreeing upon security requirements with suppliers. Control 5.20 mandates including security requirements in agreements with third parties, including your RMM vendor.
NIST Cybersecurity Framework v2.0 emphasizes supply chain risk. The Supply Chain Risk Management category requires identifying, assessing, and managing cybersecurity risks throughout the supply chain. Function SR.3 calls for managing third-party service providers, including monitoring their security practices.
PCI DSS v4.0.1 Requirement 12.8.4 mandates maintaining an inventory of third-party service providers and documenting their services. Requirement 12.8.5 requires annual monitoring to ensure they meet security requirements.
NIST 800-53 Rev 5 provides granular controls. SA-9 requires defining security and privacy requirements for external service providers. SR-3 mandates employing supply chain risk management processes. SR-6 requires documented assessment of supplier security practices before acquisition and periodically thereafter.
Lessons and Action Items for Your Team
Inventory every tool with administrative access. List every third-party application that can execute commands, access credentials, or modify configurations on your systems. Document the privileges and network access required for each tool.
Apply least privilege to administrative tools. Your RMM doesn't need domain admin rights on every system. Create service accounts with the minimum privileges required for each tool's functions. Use role-based access control to limit what each administrator can do.
Segment administrative tool access. Place your RMM platform in a dedicated management VLAN. Require it to traverse firewalls to reach production systems. Log every connection to make attacks visible and provide a monitoring choke point.
Track third-party CVEs as rigorously as your own. Add your RMM vendor and other critical third-party tools to your vulnerability tracking process. Subscribe to their security advisories and establish SLAs for patch application.
Implement behavioral monitoring for administrative tools. Define normal behavior for your RMM platform. Alert on deviations, such as bulk operations or access to unusual systems.
Require security commitments from vendors. Before deploying a tool with administrative access, require the vendor to provide evidence of secure development practices and include security requirements in your contract.
Test your incident response for supply chain compromise. Run a tabletop exercise where your RMM platform is the initial access vector. Determine who would notice, how you would contain it, and if you can manage systems without the RMM.
The exploitation of CVE-2026-1731 demonstrates that your trusted tools are part of your attack surface. Treat them accordingly.
