Race Against Time: CVE-2026-33626 in LMDeploy Exploited in Under 13 Hours of Disclosure
LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosure
TL;DR (summary)
A critical SSRF vulnerability (CVE-2026-33626) in the open-source LMDeploy toolkit was exploited in the wild just 12 hours and 31 minutes after it was publicly disclosed. Attackers used it to port-scan internal networks and target cloud metadata services.
The window between a vulnerability's disclosure and its active exploitation keeps shrinking. In the latest instance of this trend, a critical flaw in LMDeploy, an open-source toolkit used for compressing and serving large language models (LLMs), was weaponized by attackers in under 13 hours.
Understanding CVE-2026-33626
The vulnerability, tracked as CVE-2026-33626 and scored 7.5 on CVSS, is a Server-Side Request Forgery (SSRF) flaw located in LMDeploy's vision-language module.
It was discovered by researcher Igor Stepansky of Orca Security. According to the project maintainers, the root cause lies in the load_image() function in the file lmdeploy/vl/utils.py. This function fetches any URL supplied to it without checking whether that URL points to an internal or private address.
Impacted Versions
- All versions of LMDeploy up to 0.12.0 (which include vision-language support) are affected.
How the attack unfolded
Cloud security company Sysdig said its honeypots observed the first exploitation attempt just 12 hours and 31 minutes after the vulnerability was published on GitHub.
The attack, originating from the IP 103.116.72[.]119, was not a mere "ping" to confirm the bug. Instead, the attacker ran an 8-minute session of 10 requests split across three stages:
- Targeting cloud and services: The attacker targeted the AWS Instance Metadata Service (IMDS) and the Redis services on the server.
- Egress testing: The attacker used a DNS callback to requestrepo[.]com to confirm that the SSRF could reach external servers, and began mapping the API.
- Internal scanning: The attacker port-scanned the loopback interface (127.0.0[.]1) to find other services such as MySQL and administrative interfaces.
To avoid detection, the attacker kept switching between different vision-language models (VLMs), such as internlm-xcomposer2 and OpenGVLab/InternVL2-8B.
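The flaw above comes down to an image loader that fetches whatever URL it is handed, and the attack stages above are exactly what such a loader lets a caller reach: the cloud metadata endpoint, loopback services, and private hosts. The example below is added here and is not LMDeploy's code or its fix: it is a deny-by-default URL guard that resolves every hostname and rejects loopback, link-local (which covers the metadata range), private and other non-public destinations, plus a small scanner that replays the same guard over request logs so a defender can spot this activity after the fact. The log format, the hostnames `images.example.org` and `metadata.internal`, the resolver table and the log lines are all constructed for the example; the standard `ipaddress` classifications do the real work.

```python
"""
Added example, not LMDeploy's code: a deny-by-default URL guard for an
image fetcher, plus a log scanner that applies the same guard to request
logs. Hostnames, addresses, the log format and the DNS table are constructed.
"""
import ipaddress
import re
import socket
from typing import Callable, Iterable, List, Optional
from urllib.parse import urlsplit

# Resolver signature: hostname -> list of address strings. Injectable so the
# guard can be exercised offline with a constructed DNS table.
Resolver = Callable[[str], List[str]]


def system_resolver(host: str) -> List[str]:
    """Default resolver using the OS stub resolver (A and AAAA answers)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def address_block_reason(addr: str) -> Optional[str]:
    """Return why a destination address must not be fetched, or None if it is
    a routable public address. IPv4-mapped IPv6 is unwrapped first so that
    ::ffff:127.0.0.1 is judged as 127.0.0.1."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:  # 169.254.0.0/16, where cloud metadata services live
        return "link-local"
    if ip.is_private:
        return "private"
    if ip.is_multicast or ip.is_reserved or ip.is_unspecified:
        return "non-unicast"
    if not ip.is_global:
        return "not-global"
    return None


def url_block_reason(url: str, resolver: Resolver = system_resolver) -> Optional[str]:
    """Validate a user-supplied image URL before any fetch happens.

    Every address the host resolves to must be public; a name that resolves
    to even one internal address is rejected, since the caller controls the
    DNS answers for names they own."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return "unparseable"
    if parts.scheme not in ("http", "https"):
        return "scheme"
    host = parts.hostname
    if not host:
        return "no-host"
    if parts.username or parts.password:
        return "userinfo"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal address, no DNS
    except ValueError:
        try:
            addrs = resolver(host)
        except (socket.gaierror, OSError):
            return "unresolvable"
        if not addrs:
            return "unresolvable"
    for addr in addrs:
        reason = address_block_reason(addr)
        if reason:
            return reason
    return None


IMAGE_URL_RE = re.compile(r"image_url=(\S+)")


def flag_log_lines(lines: Iterable[str], resolver: Resolver = system_resolver) -> List[dict]:
    """Replay the guard over request logs: each line whose image URL points at
    a non-public destination is reported with its line number and reason."""
    findings = []
    for n, line in enumerate(lines, start=1):
        m = IMAGE_URL_RE.search(line)
        if not m:
            continue
        url = m.group(1)
        reason = url_block_reason(url, resolver)
        if reason:
            findings.append({"line": n, "url": url, "reason": reason})
    return findings


# Constructed sample request log (not real traffic); the destinations mirror
# the stages described in the article: cloud metadata, loopback services,
# and a private host reached through a hostname.
SAMPLE_LOG = [
    "2026-04-02T10:15:01Z model=internlm-xcomposer2 image_url=https://images.example.org/cat.png",
    "2026-04-02T10:15:07Z model=internlm-xcomposer2 image_url=http://169.254.169.254/latest/meta-data/",
    "2026-04-02T10:15:12Z model=OpenGVLab/InternVL2-8B image_url=http://127.0.0.1:6379/",
    "2026-04-02T10:15:20Z model=OpenGVLab/InternVL2-8B image_url=http://[::ffff:127.0.0.1]:3306/",
    "2026-04-02T10:15:31Z model=OpenGVLab/InternVL2-8B image_url=http://metadata.internal/",
]

# Constructed DNS table so the module runs offline and deterministically.
CONSTRUCTED_DNS = {
    "images.example.org": ["93.184.216.34"],
    "metadata.internal": ["10.0.0.2"],
}


def constructed_resolver(host: str) -> List[str]:
    """Resolver backed by the constructed table; unknown names do not resolve."""
    return CONSTRUCTED_DNS.get(host, [])


if __name__ == "__main__":
    for finding in flag_log_lines(SAMPLE_LOG, constructed_resolver):
        print(finding)
```

Two caveats a practitioner should keep in mind when wiring a guard like this into a real fetcher: the address checked here must be the address actually connected to (connect to the validated IP and send the original hostname, or re-resolve with the same guard immediately before connecting), otherwise a DNS answer that changes between check and fetch bypasses the check; and every HTTP redirect hop must be re-validated, since a public URL may redirect to an internal one.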
The trend of LLM-aided exploitation
The speed with which CVE-2026-33626 was weaponized highlights a major concern in cybersecurity. Detailed advisories, while essential for defenders, now serve as input prompts for AI tools that can generate working exploits in the blink of an eye.
"Critical vulnerabilities in inference servers and model gateways are being weaponized within hours of publication," Sysdig said in its analysis.
The broader threat landscape
The LMDeploy exploitation comes alongside other fast-moving campaigns:
- WordPress plugins: Attackers are now exploiting CVE-2026-0740 (Ninja Forms) and CVE-2026-3844 (Breeze Cache) to achieve remote code execution (RCE).
- Industrial targeting: A global campaign has been spotted targeting more than 14,000 Modbus-enabled PLCs across 70 countries, with some of the traffic originating from China.
Conclusion
The LMDeploy exploitation is a stark reminder that "time to exploit" is now measured in hours, not days. Organizations running GenAI infrastructure must patch as quickly as possible and enforce strict network egress filtering to reduce the risk posed by SSRF flaws.
Source: https://thehackernews.com/2026/04/lmdeploy-cve-2026-33626-flaw-exploited.html