LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosure
Sibaq m3a l-waqt: Istighlal l-thaghra CVE-2026-33626 f-LMDeploy f-aqal men 13-il sa3a mor l-ikshaf 3liha
Race Against Time: LMDeploy CVE-2026-33626 Exploited Within 13 Hours of Disclosure
TL;DR
A high-severity SSRF vulnerability (CVE-2026-33626) in the open-source LMDeploy toolkit was exploited in the wild just 12 hours and 31 minutes after its public disclosure. Attackers are using the flaw to port-scan internal networks and target cloud metadata services.
The window between vulnerability disclosure and active exploitation continues to shrink. In the latest example of this trend, a high-severity flaw in LMDeploy—an open-source toolkit used for compressing and serving Large Language Models (LLMs)—was weaponized by threat actors in less than 13 hours.
Understanding CVE-2026-33626
Tracked as CVE-2026-33626 with a CVSS score of 7.5, the vulnerability is a Server-Side Request Forgery (SSRF) located within LMDeploy’s vision-language module.
The flaw was discovered and reported by Orca Security researcher Igor Stepansky. According to project maintainers, the root cause lies in the load_image() function within lmdeploy/vl/utils.py. The function fetches arbitrary URLs without validating whether they point to internal or private IP addresses.
Impacted Versions
- All versions of LMDeploy up to and including 0.12.0 that feature vision-language support are affected.
Anatomy of an Attack
Cloud security firm Sysdig reported that its honeypots detected the first exploitation attempt a mere 12 hours and 31 minutes after the vulnerability was published on GitHub.
The attack, traced to IP address 103.116.72[.]119, was not a simple "ping" to verify the bug. Instead, the adversary executed a sophisticated eight-minute session consisting of 10 distinct requests across three phases:
- Cloud & Service Targeting: The attacker targeted the AWS Instance Metadata Service (IMDS) and Redis instances on the server.
- Egress Testing: Using an out-of-band (OOB) DNS callback to
requestrepo[.]com, the attacker confirmed the SSRF could reach external hosts and began enumerating the API surface. - Internal Scanning: The attacker performed a port scan on the loopback interface (
127.0.0[.]1) to identify other services like MySQL and administrative interfaces.
To avoid detection, the attacker rotated between different vision-language models (VLMs), such as internlm-xcomposer2 and OpenGVLab/InternVL2-8B.
The "LLM-Aided" Exploitation Trend
The rapid weaponization of CVE-2026-33626 highlights a growing concern in the cybersecurity landscape. Detailed advisories—while necessary for defenders—now serve as "input prompts" for AI tools that can generate functional exploits almost instantly.
"Critical vulnerabilities in inference servers and model gateways are being weaponized within hours of advisory publication, regardless of the size of their install base," Sysdig noted in their analysis.
Broader Threat Landscape
The exploit of LMDeploy coincides with several other high-velocity campaigns:
- WordPress Plugins: Threat actors are currently exploiting CVE-2026-0740 (Ninja Forms) and CVE-2026-3844 (Breeze Cache) to achieve remote code execution.
- Industrial Targeting: A global campaign has been identified targeting over 14,000 Modbus-enabled PLCs across 70 countries, with some traffic originating from sources in China.
Conclusion
The exploitation of LMDeploy serves as a stark reminder that the "Time to Exploit" is now measured in hours, not days. Organizations utilizing GenAI infrastructure must prioritize rapid patching and implement strict network egress filtering to mitigate the risks of SSRF vulnerabilities.
Source: https://thehackernews.com/2026/04/lmdeploy-cve-2026-33626-flaw-exploited.html
