LMDeploy Flaw Exploited Just Hours After Going Public

byRohit.nex Published:

A serious security issue in LMDeploy — an open-source tool used to compress, deploy, and serve large language models — is already being exploited in real-world attacks. What’s unsettling is how fast it happened: attackers jumped on it in less than 13 hours after it was publicly revealed.

LMDeploy Flaw Exploited Just Hours After Going Public


The flaw, identified as CVE-2026-33626 with a CVSS score of 7.5, involves a Server-Side Request Forgery (SSRF). In simple terms, it allows attackers to trick the system into making requests it shouldn’t — potentially exposing sensitive data.

According to the developers’ advisory released last week, the problem lies in LMDeploy’s vision-language module. Specifically, a function called load_image() pulls images from URLs without properly checking whether those URLs point to private or internal systems. That small oversight opens a big door: attackers can quietly access cloud metadata, internal networks, and other protected resources.

All versions up to 0.12.0 that include vision-language support are affected. The bug was discovered and reported by Orca Security researcher Igor Stepansky.

If exploited successfully, this vulnerability could allow attackers to steal cloud credentials, access internal services that were never meant to be exposed, scan internal networks, and even move deeper into systems without being noticed. It’s the kind of flaw that keeps security teams up at night.

Cloud security company Sysdig shared that they observed the first attack attempt on their honeypot systems just 12 hours and 31 minutes after the vulnerability appeared on GitHub. The traffic came from the IP address 103.116.72[.]119.

What stood out wasn’t just the speed, but the intent. The attacker didn’t just test the vulnerability and leave. In a short eight-minute burst of activity, they used the flaw to probe internal systems — almost like someone quickly checking every unlocked door in a building. They targeted services like AWS metadata, Redis, MySQL, and even attempted DNS-based data exfiltration.

The activity, detected on April 22, 2026, around 03:35 a.m. UTC, involved 10 carefully crafted requests carried out in three stages. To stay under the radar, the attacker switched between different vision-language models such as internlm-xcomposer2 and OpenGVLab/InternVL2-8B.

Here’s how the attack unfolded:

  • First, they probed AWS metadata services and Redis instances.
  • Then, they tested whether the system could communicate externally using a DNS callback, confirming the SSRF worked.
  • Finally, they scanned local internal ports on the machine itself.

This incident is yet another reminder of how quickly attackers act. There’s barely any breathing room between a vulnerability being disclosed and it being actively exploited — even when no ready-made exploit code is available.

Sysdig researchers pointed out that this is becoming a pattern, especially in AI-related infrastructure. Vulnerabilities in model servers and AI tools are being turned into weapons almost immediately after disclosure.

There’s also a growing concern that generative AI is making things worse. Detailed advisories — which are meant to help defenders — can also act like step-by-step guides for attackers. With the help of AI, turning a vulnerability description into a working exploit is becoming faster and easier.


Other Attacks Surface: WordPress and Industrial Systems Also Hit

At the same time, attackers are exploiting two critical WordPress plugin vulnerabilities:

  • Ninja Forms – File Upload (CVE-2026-0740, CVSS 9.8)
  • Breeze Cache (CVE-2026-3844, CVSS 9.8)

These flaws allow attackers to upload malicious files, execute code, and fully take over affected websites. For site owners, this is more than just a technical issue — it can mean losing control of their entire platform overnight.

Meanwhile, another campaign targeted industrial control systems — specifically Modbus-enabled PLCs exposed to the internet. Between September and November 2025, attackers scanned and probed over 14,000 devices across 70 countries, including the U.S., France, Japan, Canada, and India. Some of the activity was traced back to sources in China.

Researchers from Cato Networks described the campaign as a mix of wide-scale scanning and more focused probing, suggesting attackers weren’t just looking — they were trying to understand, disrupt, and possibly manipulate these systems.

Many of the IP addresses involved had little to no prior reputation, hinting at the use of fresh or frequently changing infrastructure. That unpredictability makes defending against such attacks even more challenging.

Overall, the situation paints a tense picture. The speed, scale, and sophistication of these attacks show just how aggressive the current threat landscape has become — and how important it is to act quickly when vulnerabilities come to light.

Tags:

You might like

View all
Previous Post Next Post
Share to other apps
Copy Post Link