LMDeploy CVE-2026-33626 flaw exploited within 13 hours of publication

April 24, 2026

A high-severity security flaw in LMDeploy, an open-source toolkit for compressing, unpacking, and serving LLMs, came under exploitation in the wild less than 13 hours after its disclosure.

The vulnerability, tracked as CVE-2026-33626 (CVSS score: 7.5), is a server-side request forgery (SSRF) flaw that can be exploited to access sensitive data.

“LMDeploy’s vision language module contains a server-side request forgery (SSRF) vulnerability,” according to an advisory published by project administrators last week. “The load_image() function in lmdeploy/vl/utils.py retrieves arbitrary URLs without validating internal/private IP addresses, allowing attackers to access cloud metadata services, internal networks, and sensitive resources.”

The shortcoming affects all versions of the toolkit that support vision-language models (0.12.0 and earlier). Orca Security researcher Igor Stepansky is credited with discovering and reporting the bug.

Successful exploitation of this vulnerability could allow an attacker to steal cloud credentials, access internal services that are not exposed to the internet, port scan internal networks, and create opportunities for lateral movement.
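The advisory describes the root cause as an image loader that fetches any URL it is handed without checking where the host points. The following is an added illustration of the pre-fetch check such a loader needs, written here for this article and not LMDeploy's own code or fix: it rejects non-HTTP schemes and any URL whose host resolves to a loopback, private, link-local (which includes the 169.254.169.254 IMDS address) or other non-public address. The `resolver` parameter is an assumption of this example so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Added example, not project code. ALLOWED_SCHEMES and the injectable
# `resolver` are choices made for this illustration.
ALLOWED_SCHEMES = {"http", "https"}


def _default_resolver(host: str) -> list[str]:
    """Resolve a hostname to every A/AAAA address it maps to (system resolver)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def _is_public(ip_text: str) -> bool:
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.5) so the IPv4 rules apply to it.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for RFC 1918, loopback, link-local (IMDS), shared
    # address space, IPv6 ULA and the unspecified address.
    return ip.is_global and not ip.is_multicast


def validate_image_url(url: str, resolver=_default_resolver) -> str:
    """Return the vetted IP address a fetch may connect to, or raise ValueError.

    Every address the host resolves to must be public; a hostname with one
    public and one internal record is rejected. Returning the resolved IP lets
    the caller connect to that exact address (sending the original Host header)
    instead of re-resolving, which would reopen a DNS rebinding window between
    the check and the fetch.
    """
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")
    host = parsed.hostname
    if not host:
        raise ValueError("URL has no host")
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP: no DNS lookup
    except ValueError:
        addrs = resolver(host)  # hostname (or odd forms such as decimal IPs)
    if not addrs:
        raise ValueError(f"{host!r} did not resolve")
    blocked = [a for a in addrs if not _is_public(a)]
    if blocked:
        raise ValueError(f"{host!r} resolves to non-public address(es): {blocked}")
    return addrs[0]
```

Redirects returned by the fetched server must be re-validated with the same function before being followed, otherwise a public host can bounce the request to an internal one.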

In an analysis published this week, cloud security company Sysdig said it detected the first LMDeploy exploitation attempt against a honeypot system within 12 hours and 31 minutes of the vulnerability being published on GitHub. The attempt originated from IP address 103.116.72[.]119.

“The attackers did not simply validate the bug and move on to the next step. Instead, in a single eight-minute session, they used the Vision Language Image Loader as a generic HTTP SSRF primitive to port scan the internal network behind the model server: AWS Instance Metadata Service (IMDS), Redis, MySQL, a secondary HTTP management interface, and an out-of-band (OOB) DNS leak endpoint.”

The activity, detected at 3:35 AM UTC on April 22, 2026, involved more than 10 separate requests across three phases, alternating between vision-language models (VLMs) such as internlm-xcomposer2 and OpenGVLab/InternVL2-8B, possibly to avoid arousing suspicion.

The three phases were: targeting the AWS IMDS and Redis instances reachable from the server; confirming, via an out-of-band (OOB) DNS callback to requestrepo[.]com, that the SSRF could reach arbitrary external hosts, and then enumerating API surfaces; and port scanning the loopback interface (127.0.0[.]1).

The finding is another reminder that threat actors closely monitor new vulnerability disclosures and exploit them before downstream users can apply fixes, even when no public proof-of-concept (PoC) exploit existed at the time of the attack.

“CVE-2026-33626 fits a pattern we have observed repeatedly in the AI infrastructure space over the past six months: critical vulnerabilities in inference servers, model gateways, and agent orchestration tools are weaponized within hours of advisory publication, regardless of the size or scope of the installed base,” Sysdig said.

“Generative AI (GenAI) is accelerating this collapse. Specific advisories like GHSA-6w67-hwm5-92mq include affected files, parameter names, root cause descriptions, and samples of vulnerable code, providing input prompts for commercial LLMs to generate potential exploits.”

Targeted WordPress plugins and Modbus devices exposed to the internet

The disclosure comes as threat actors have been exploiting flaws in two WordPress plugins, Ninja Forms – File Upload (CVE-2026-0740, CVSS score: 9.8) and Breeze Cache (CVE-2026-3844, CVSS score: 9.8). The vulnerabilities have been observed being used to upload arbitrary files to susceptible sites, resulting in arbitrary code execution and complete site takeover.

Unknown attackers are also said to be involved in a global campaign targeting Modbus-enabled programmable logic controllers (PLCs) exposed to the internet from September to November 2025. The campaign spans 70 countries and 14,426 distinct target IPs, most of which are located in the United States, France, Japan, Canada, and India. Some of these requests have been found to originate from sources geographically located in China.

Cato Networks researchers said: “This activity combined extensive automated probing with more selective patterns that suggest deeper device fingerprinting, jamming attempts, and potential paths of manipulation if the PLC is accessible from the public internet. Many source IPs have low or zero public reputation scores, consistent with new or rotating scanning hosts.”
