A significant security flaw in LMDeploy, a toolkit widely used for compressing and serving large language models, was actively exploited less than 13 hours after its public disclosure. Tracked as CVE-2026-33626, this server-side request forgery (SSRF) vulnerability allows unauthorized access to sensitive data, posing a considerable threat to users.
Details of the LMDeploy Vulnerability
The critical flaw, which carries a CVSS score of 7.5, affects all versions of LMDeploy up to 0.12.0 that support vision-language features. According to the developers' advisory, the issue arises from the load_image() function in lmdeploy/vl/utils.py, which fetches URLs without sufficiently checking whether they point to internal or private IP addresses. This oversight could enable attackers to reach cloud metadata services and internal networks.
Igor Stepansky, a researcher from Orca Security, discovered this vulnerability and reported it, highlighting its potential to steal cloud credentials, access internal services, and facilitate lateral movement within networks.
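One way to add the missing destination check to a URL-fetching image loader, shown as an added example that is not LMDeploy's code or its actual patch. The names vet_image_url, is_public_address and resolve_host are hypothetical, the resolver is injectable so the check can be exercised offline, and the sample URLs are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def resolve_host(host, port):
    """Default resolver: every address the OS would try for this host."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]


def is_public_address(text):
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(text.split("%")[0])  # drop any IPv6 zone id
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:169.254.169.254 is still link-local
    return addr.is_global and not addr.is_multicast


def vet_image_url(url, resolver=resolve_host):
    """Return the vetted addresses for url, or raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        addresses = resolver(parts.hostname, port)
    except OSError as exc:
        raise ValueError(f"cannot resolve host: {exc}") from exc
    # Reject if ANY answer is internal: a name may mix public and private records.
    blocked = [a for a in addresses if not is_public_address(a)]
    if blocked or not addresses:
        raise ValueError(f"non-public or empty resolution: {blocked}")
    return addresses


if __name__ == "__main__":
    # Constructed sample URLs covering the service types named in the article.
    for sample in ("http://169.254.169.254/", "http://127.0.0.1:6379/",
                   "https://8.8.8.8/cat.png"):
        try:
            print(sample, "->", vet_image_url(sample))
        except ValueError as err:
            print(sample, "-> rejected:", err)
```

The fetch itself should connect to one of the returned addresses rather than resolving the name a second time, and the same check has to be repeated for every redirect hop.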
Initial Exploitation and Analysis
Cloud security firm Sysdig observed the first exploitation attempt against its honeypot systems just 12 hours and 31 minutes after the vulnerability was disclosed on GitHub. The attack originated from IP address 103.116.72[.]119 and involved using the image loader to perform a port scan on the internal network, targeting various services including AWS Instance Metadata Service (IMDS), Redis, and MySQL.
The attack unfolded in three phases over a brief eight-minute period, with the adversary making 10 distinct requests. The adversary's use of different vision language models was likely an attempt to avoid detection.
Broader Implications and Related Threats
This incident underscores the rapid pace at which threat actors can exploit new vulnerabilities, often before users can apply the necessary patches. Sysdig noted that this trend is particularly prevalent in AI infrastructure, where urgent advisories are quickly weaponized.
In parallel, vulnerabilities in WordPress plugins, such as Ninja Forms and Breeze Cache, are also being targeted. These flaws allow for arbitrary file uploads and potential site takeovers. Additionally, a global campaign has been identified that exploits Modbus-enabled programmable logic controllers, affecting numerous countries, with notable activity traced back to China.
Overall, the swift exploitation of CVE-2026-33626 highlights the need for immediate action upon vulnerability disclosures and reinforces the importance of continuous monitoring and patch management in cybersecurity practices.
