Huntress has observed an uptick in threat actors exploiting CVE-2026-1731 in outdated Bomgar RMM instances to compromise organizations and their downstream clients. Attackers utilize this access to establish persistence via secondary RMM tools, evade defenses using BYOVD techniques, and ultimately deploy LockBit ransomware.