A critical vulnerability in BeyondTrust’s Remote Support (RS) product line — formerly known as Bomgar — is being actively exploited in the wild, exposing organizations that have failed to retire or patch aging remote access appliances to serious risk. The attacks, which security researchers have been tracking in recent weeks, underscore the persistent danger posed by legacy infrastructure that lingers in enterprise environments long after vendor support has ended.
The vulnerability, which carries a critical severity rating, allows attackers to compromise BeyondTrust RS appliances and potentially gain unauthorized access to the internal networks they were designed to protect. For organizations still relying on these systems — many of which have reached end-of-life (EOL) status — the situation presents a particularly thorny remediation challenge, as patches may not be available and replacement timelines are often measured in months, not days.
A Vulnerability With Deep Roots in Enterprise Remote Access
BeyondTrust’s Remote Support product, which the company acquired through its 2018 purchase of Bomgar, has long been a staple of enterprise IT environments. The technology enables help desk teams and managed service providers to remotely access endpoints for troubleshooting, software deployment, and system administration. Its widespread adoption across healthcare, financial services, government, and critical infrastructure sectors means that any vulnerability in the platform carries outsized implications.
As reported by CSO Online, researchers have detected active attacks targeting these appliances, with a significant number of compromised devices identified as running software versions that have long since passed their end-of-life dates. The exploitation is not theoretical — threat actors are actively leveraging the flaw to breach organizations, and the scope of the campaign appears to be growing.
The End-of-Life Problem: When Vendors Move On but Customers Don’t
The crux of the issue lies in the gap between vendor support lifecycles and the operational realities of enterprise IT. BeyondTrust, like most enterprise software vendors, maintains a defined support lifecycle for its products. When a version reaches end of life, the company ceases to issue security patches, leaving customers who have not upgraded exposed to any newly discovered vulnerabilities.
Yet the reality on the ground is that many organizations continue to run EOL appliances for years beyond their supported lifespan. The reasons are varied and familiar to anyone who has worked in enterprise IT: budget constraints, change management inertia, compatibility concerns with downstream systems, and — perhaps most commonly — a simple lack of visibility into what is actually running on the network. Remote access appliances, in particular, tend to be deployed and then forgotten, operating quietly in the background until something goes wrong.
According to the reporting by CSO Online, the presence of these legacy Bomgar appliances in production environments has created a significant attack surface that threat actors are now actively probing and exploiting. The compromised devices serve as beachheads into corporate networks, giving attackers the same privileged remote access capabilities that IT administrators use for legitimate purposes.
BeyondTrust’s Troubled Security Year
This latest exploitation campaign comes at a particularly sensitive time for BeyondTrust. In December 2024, the company disclosed that it had itself been the victim of a significant cyberattack. Threat actors exploited a critical vulnerability — tracked as CVE-2024-12356 — in BeyondTrust’s Remote Support and Privileged Remote Access products. That attack, which was later attributed to Chinese state-sponsored hackers, resulted in the compromise of a limited number of BeyondTrust’s SaaS customers, including the U.S. Department of the Treasury.
The Treasury breach, which was widely reported at the time, saw attackers access Treasury Department workstations and unclassified documents. The Cybersecurity and Infrastructure Security Agency (CISA) subsequently added CVE-2024-12356 to its Known Exploited Vulnerabilities (KEV) catalog, mandating that federal agencies take immediate remediation action. A second related vulnerability, CVE-2024-12686, was also added to the KEV catalog in January 2025.
The current wave of attacks on legacy RS appliances represents a continuation and expansion of the threat activity targeting BeyondTrust’s product ecosystem. While the December 2024 incidents focused on newer, cloud-hosted instances, the latest campaign appears to be targeting the long tail of on-premises deployments that have not been updated — or cannot be updated because they are running unsupported software versions.
The Anatomy of the Attack: What Researchers Are Seeing
Security researchers tracking the exploitation campaign have observed attackers scanning for internet-exposed BeyondTrust RS appliances and attempting to exploit known vulnerabilities to gain initial access. Once inside, the attackers leverage the appliance’s built-in remote access capabilities to move laterally within the victim’s network, escalate privileges, and establish persistent access.
The attack pattern is particularly effective because remote support appliances, by their very nature, are designed to have broad access to endpoints across the enterprise. A compromised RS appliance does not merely represent a single breached system — it represents a potential gateway to every system that the appliance is configured to manage. This makes these devices extraordinarily high-value targets for threat actors, whether they are nation-state operators conducting espionage or ransomware groups seeking to maximize their impact.
The situation is further complicated by the fact that many organizations lack adequate logging and monitoring on their remote access appliances. Without proper telemetry, it can be difficult to determine whether an appliance has been compromised, how long the attacker has had access, and what systems may have been reached through the compromised device.
Remediation Challenges and Industry Guidance
For organizations running supported versions of BeyondTrust RS, the remediation path is relatively straightforward: apply the vendor’s security patches immediately and review logs for signs of compromise. BeyondTrust has issued advisories and patches for the vulnerabilities in question, and CISA’s inclusion of related CVEs in the KEV catalog provides additional urgency and regulatory impetus for federal agencies and their contractors.
For organizations running end-of-life appliances, however, the situation is far more complex. With no patches forthcoming from the vendor, these organizations face a stark choice: take the appliance offline immediately and find an alternative remote support solution, or accept the risk of continued operation while working toward a migration plan. Security experts overwhelmingly recommend the former approach, noting that the active exploitation of these devices makes continued operation an untenable risk.
CISA has consistently emphasized the importance of retiring end-of-life products, particularly those that are internet-facing and provide privileged access to internal networks. The agency’s Binding Operational Directive 22-01, which established the KEV catalog, requires federal agencies to remediate known exploited vulnerabilities within defined timelines — a mandate that effectively prohibits the continued use of unpatched, EOL systems in federal environments.
A Broader Reckoning for Remote Access Infrastructure
The exploitation of legacy BeyondTrust appliances is not an isolated phenomenon. It is part of a broader pattern of attacks targeting remote access and network edge devices that has accelerated dramatically over the past two years. Products from Ivanti, Citrix, Fortinet, Palo Alto Networks, and other vendors have all been targeted by sophisticated threat actors who recognize that these devices often represent the weakest link in an organization’s defensive posture.
Remote access tools occupy a uniquely dangerous position in the enterprise technology stack. They are, by design, internet-facing, highly privileged, and deeply integrated into the organization’s operational workflows. When they are compromised, the impact is immediate and far-reaching. And when they are running unsupported software, they represent what amounts to an open door into the enterprise.
The BeyondTrust RS exploitation campaign should serve as a wake-up call for organizations that have allowed legacy remote access infrastructure to persist in their environments. The cost of migration and modernization, while significant, pales in comparison to the cost of a breach — particularly one that could have been prevented by retiring a product that the vendor itself has declared unsupported.
What Organizations Should Do Now
Security leaders should take immediate steps to inventory all BeyondTrust and legacy Bomgar appliances in their environments, determine which versions are running, and assess whether those versions are within the vendor’s supported lifecycle. Any appliance running an EOL version should be taken offline or isolated from the network as quickly as operationally feasible. For supported versions, patches should be applied without delay, and forensic analysis should be conducted to determine whether the appliance has already been compromised.
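The inventory-and-lifecycle triage described above, as an added example written for this article and not BeyondTrust's own tooling; the lifecycle cut-off versions, hostnames and the `remote_support` product key are constructed placeholders to be replaced with the vendor's published support matrix:

```python
"""Triage a BeyondTrust / legacy Bomgar appliance inventory: flag EOL builds,
prioritise internet-facing ones, and tell supported builds to patch or review logs."""
from dataclasses import dataclass

# ASSUMPTION: placeholder lifecycle table, not vendor data. "min_supported" is the
# oldest version still receiving fixes; "min_patched" the first build carrying the fix.
LIFECYCLE = {"remote_support": {"min_supported": (22, 1, 0), "min_patched": (24, 3, 2)}}

@dataclass
class Appliance:
    host: str
    product: str
    version: str
    internet_facing: bool

def parse_version(v: str) -> tuple:
    """'23.2.1' -> (23, 2, 1); non-numeric suffixes dropped, padded to 3 components."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts + [0] * (3 - len(parts)))

def triage(a: Appliance) -> str:
    lc = LIFECYCLE.get(a.product)
    if lc is None:
        return "UNKNOWN_PRODUCT"          # unrecognised product: needs manual review
    ver = parse_version(a.version)
    if ver < lc["min_supported"]:
        # No patch will ever ship: exposure, not severity score, decides urgency.
        return "ISOLATE_NOW" if a.internet_facing else "ISOLATE_AND_MIGRATE"
    if ver < lc["min_patched"]:
        return "PATCH_NOW"
    return "REVIEW_LOGS"                  # patched, but check for prior compromise

def triage_inventory(appliances):
    """Return (host, action) pairs sorted most urgent first."""
    order = {"ISOLATE_NOW": 0, "ISOLATE_AND_MIGRATE": 1, "UNKNOWN_PRODUCT": 2,
             "PATCH_NOW": 3, "REVIEW_LOGS": 4}
    return sorted(((a.host, triage(a)) for a in appliances), key=lambda r: order[r[1]])

# Constructed sample inventory; hosts and versions are not real.
SAMPLE = [
    Appliance("rs-dc1.example.internal", "remote_support", "21.3.1", True),
    Appliance("bomgar-old.example.internal", "remote_support", "19.2", False),
    Appliance("rs-eu.example.internal", "remote_support", "24.1.0", True),
    Appliance("rs-us.example.internal", "remote_support", "24.3.2", True),
]
```

Feed it the output of your asset inventory or CMDB export; anything returned as ISOLATE_NOW is the first thing to pull off the network.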
Beyond the immediate tactical response, this incident should prompt a broader review of remote access infrastructure across the enterprise. Organizations should ensure that all remote access tools are subject to the same security governance, patching, and monitoring requirements as any other critical system. The days of deploying a remote support appliance and forgetting about it are over — the threat actors have made sure of that.