LMDeploy CVE-2026-33626 Vulnerability Exploited Within 13 Hours of Public Disclosure
A critical security vulnerability in LMDeploy, an open-source toolkit designed for compressing, deploying, and serving large language models (LLMs), has been actively exploited less than 13 hours after its public announcement. The flaw, identified as CVE-2026-33626 and rated with a CVSS score of 7.5, is categorized as a Server-Side Request Forgery (SSRF) vulnerability, which poses significant risks by allowing unauthorized access to sensitive data.
Technical Overview of the Vulnerability
The advisory released by the maintainers of LMDeploy highlights that the SSRF vulnerability resides within the vision-language module of the toolkit. Specifically, the load_image() function located in lmdeploy/vl/utils.py fetches arbitrary URLs without validating internal or private IP addresses. This oversight enables attackers to access cloud metadata services, internal networks, and other sensitive resources.
This vulnerability affects all versions of LMDeploy up to and including 0.12.0 that support vision language functionalities. The flaw was discovered and reported by Orca Security researcher Igor Stepansky, who emphasized the potential for exploitation.
Successful exploitation could allow attackers to steal cloud credentials, access internal services not exposed to the internet, conduct port scans on internal networks, and create opportunities for lateral movement within compromised environments.
Rapid Exploitation Detected
Cloud security firm Sysdig reported that it identified the first exploitation attempt against its honeypot systems just 12 hours and 31 minutes after the vulnerability was disclosed on GitHub. The attack originated from the IP address 103.116.72[.]119.
The attacker demonstrated a sophisticated approach, using the vision-language image loader as a generic HTTP SSRF primitive to port-scan the internal network behind the model server. This included probing the AWS Instance Metadata Service (IMDS), Redis, MySQL, and a secondary HTTP administrative interface, as well as an out-of-band (OOB) DNS exfiltration endpoint.
The attack, which occurred on April 22, 2026, at 03:35 a.m. UTC, unfolded over ten distinct requests across three phases. The requests cycled through various vision language models (VLMs), such as internlm-xcomposer2 and OpenGVLab/InternVL2-8B, likely to avoid detection.
- The initial phase targeted AWS IMDS and Redis instances on the server.
- The second phase tested egress capabilities with an OOB DNS callback to requestrepo[.]com, confirming that the SSRF vulnerability could reach arbitrary external hosts while enumerating the API surface.
- The final phase involved port scanning the loopback interface (“127.0.0[.]1”).
Implications for the Cybersecurity Landscape
The rapid exploitation of CVE-2026-33626 underscores a troubling trend in the cybersecurity landscape, where threat actors closely monitor new vulnerability disclosures and act swiftly before organizations can implement necessary patches. This pattern has been observed repeatedly in the AI-infrastructure sector over the past six months, with critical vulnerabilities in inference servers, model gateways, and agent orchestration tools being weaponized shortly after advisory publication.
Sysdig noted that the specificity of advisories like GHSA-6w67-hwm5-92mq, which detail affected files, parameter names, root-cause explanations, and sample vulnerable code, effectively serve as prompts for generating potential exploits using commercial LLMs.
Broader Context: Ongoing Threats
The urgency surrounding the LMDeploy vulnerability coincides with ongoing exploitation of vulnerabilities in other software systems. Threat actors have been observed targeting two WordPress plugins—Ninja Forms – File Upload (CVE-2026-0740, CVSS score: 9.8) and Breeze Cache (CVE-2026-3844, CVSS score: 9.8)—to upload arbitrary files to vulnerable sites, leading to arbitrary code execution and complete system takeover.
Additionally, a global campaign has been identified, targeting internet-exposed, Modbus-enabled programmable logic controllers (PLCs) from September to November 2025. This campaign spanned 70 countries and involved 14,426 distinct targeted IPs, with a significant number located in the U.S., France, Japan, Canada, and India. Some requests were traced back to sources geolocated in China.
Cato Networks researchers highlighted that the activity involved a blend of large-scale automated probing and more selective patterns, indicating deeper device fingerprinting, disruption attempts, and potential manipulation paths when PLCs are accessible from the public internet. Many source IPs exhibited low or zero public reputation scores, suggesting the use of fresh or rotating scanning hosts.
The exploitation of CVE-2026-33626 serves as a stark reminder of the vulnerabilities present in modern software architectures and the need for organizations to remain vigilant in their cybersecurity practices. As threat actors continue to adapt and evolve their tactics, the importance of timely patching and robust security measures cannot be overstated.
For further information on the LMDeploy vulnerability, refer to the detailed analysis provided by Sysdig. Source: thehackernews.com.
Keep reading for the latest cybersecurity developments, threat intelligence and breaking updates from across the Middle East.
