A high-severity vulnerability in LMDeploy, an open-source toolkit widely used for compressing, deploying, and serving large language models (LLMs), is already being actively exploited by attackers. What makes this incident alarming is the speed: cybercriminals began exploiting the flaw less than 13 hours after it was publicly disclosed.
This vulnerability, tracked as CVE-2026-33626, carries a CVSS score of 7.5 and highlights serious risks in modern AI infrastructure. It also reinforces a growing trend: attackers are rapidly weaponizing newly disclosed vulnerabilities before organizations can apply patches.
CVE-2026-33626 is a Server-Side Request Forgery (SSRF) vulnerability found in LMDeploy’s vision-language module. Specifically, the issue lies in the load_image() function, which fetches external URLs without properly validating whether those URLs point to internal or private network resources.
Because of this lack of validation, attackers can trick the system into making requests to sensitive internal services. This includes:
- Cloud metadata services (such as AWS Instance Metadata Service)
- Internal databases
- Private APIs
- Loopback interfaces (localhost)
All LMDeploy versions up to 0.12.0 that include vision-language support are affected.
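One way to close the gap described above, as an added example (it is not LMDeploy's code or its actual patch): resolve the host first and refuse any image URL whose addresses are not globally routable. The names check_image_url, is_public_ip, BlockedURL and the injectable resolver are hypothetical.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


class BlockedURL(ValueError):
    """The server must not fetch this image URL."""


def is_public_ip(ip_text):
    ip = ipaddress.ip_address(ip_text.split("%")[0])  # drop any IPv6 scope id
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) before classifying.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for loopback, RFC 1918, link-local (169.254.0.0/16,
    # which holds the cloud metadata address) and other reserved ranges.
    return ip.is_global and not ip.is_multicast


def resolve_all(host, port):
    """Every address the OS resolver returns for host."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def check_image_url(url, resolver=resolve_all):
    """Return the vetted public IPs for url, or raise BlockedURL."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise BlockedURL(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise BlockedURL("URL has no host")
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
        addrs = resolver(host, port)
    except (OSError, ValueError) as exc:
        raise BlockedURL(f"cannot resolve {host!r}: {exc}") from exc
    # Reject if ANY answer is internal, not only the first one returned.
    blocked = [a for a in addrs if not is_public_ip(a)]
    if blocked or not addrs:
        raise BlockedURL(f"{host!r} maps to non-public addresses {blocked}")
    return addrs
```

The caller has to connect to one of the returned addresses rather than resolving the name a second time, and has to run the same check on every redirect target.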
SSRF vulnerabilities are particularly critical in cloud and AI environments. In this case, successful exploitation can allow attackers to:
- Steal cloud credentials
- Access internal systems not exposed to the internet
- Perform internal port scanning
- Enable lateral movement across networks
- Exfiltrate sensitive data
This essentially turns the AI model server into a gateway for deeper network compromise.
Security researchers observed real-world exploitation almost immediately after disclosure. According to analysis by the cybersecurity firm Sysdig, the first attack attempt was detected within 12 hours and 31 minutes.
The attack originated from a suspicious IP address and was not a simple test. Instead, the attacker conducted a structured and multi-stage exploitation attempt over a short session.
The attacker used the vulnerable image-loading feature as a tool for SSRF-based probing. Activities included:
- Targeting Internal Services: The attacker attempted to access AWS metadata services and Redis instances.
- Testing External Connectivity: An out-of-band (OOB) DNS request was sent to confirm that the vulnerable system could communicate externally.
- Internal Network Scanning: The attacker performed port scanning on the loopback address (127.0.0.1), identifying accessible services such as:
  - MySQL
  - Redis
  - Internal HTTP admin panels
Interestingly, the attacker switched between different vision-language models during the attack to avoid detection, indicating a higher level of sophistication.
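A way to spot this session pattern in request logs, as an added example rather than Sysdig's or LMDeploy's tooling: group image URLs that name internal literal addresses by client, then label loopback port sweeps and model switching. The log schema, the model names and the names internal_target and triage are assumptions, and the sample lines are constructed.

```python
import ipaddress
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log; the field names and model names are assumptions.
SAMPLE_LOG = """\
{"src": "198.51.100.23", "model": "vlm-a", "image_url": "http://169.254.169.254/"}
{"src": "198.51.100.23", "model": "vlm-a", "image_url": "http://127.0.0.1:6379/"}
{"src": "198.51.100.23", "model": "vlm-b", "image_url": "http://127.0.0.1:3306/"}
{"src": "198.51.100.23", "model": "vlm-b", "image_url": "http://127.0.0.1:8080/"}
{"src": "192.0.2.10", "model": "vlm-a", "image_url": "https://images.example.org/cat.png"}
"""

def internal_target(url):
    """Return (ip, port) when url names a non-public literal address, else None."""
    parts = urlsplit(url)
    host = "127.0.0.1" if parts.hostname == "localhost" else (parts.hostname or "")
    try:
        ip = ipaddress.ip_address(host)
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return None  # a hostname: classify it from resolver or DNS logs instead
    return None if ip.is_global else (ip, port)

def triage(log_text, sweep_ports=3):
    """Group internal-address image fetches by client and label the pattern."""
    seen = defaultdict(lambda: {"targets": set(), "ports": set(), "models": set()})
    for line in filter(str.strip, log_text.splitlines()):
        rec = json.loads(line)
        target = internal_target(rec["image_url"])
        if target is None:
            continue
        ip, port = target
        entry = seen[rec["src"]]
        entry["targets"].add(f"{ip}:{port}")
        entry["models"].add(rec["model"])
        if ip.is_loopback:
            entry["ports"].add(port)
    report = {}
    for src, entry in seen.items():
        flags = ["internal_target"]
        if len(entry["ports"]) >= sweep_ports:
            flags.append("loopback_port_sweep")
        if len(entry["models"]) > 1:
            flags.append("model_rotation")
        report[src] = {"flags": flags, "targets": sorted(entry["targets"])}
    return report
```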
This incident is not isolated. It reflects a broader trend in the cybersecurity landscape, especially in AI-driven environments.
Attackers are now:
- Monitoring vulnerability disclosures in real time
- Using automation and AI tools to generate exploits quickly
- Launching attacks even before proof-of-concept (PoC) code is publicly available
Detailed security advisories are unintentionally helping attackers. When advisories include technical details such as affected files, parameters, and root causes, they can be used as prompts for AI tools to quickly generate exploit code.
This is particularly concerning for organizations adopting Generative AI (GenAI) technologies without robust security controls.
Alongside the LMDeploy vulnerability, researchers have identified ongoing exploitation in other areas:
Two popular WordPress plugins are currently under attack:
- Ninja Forms – File Upload (CVE-2026-0740)
- Breeze Cache (CVE-2026-3844)
Both vulnerabilities have a CVSS score of 9.8 and allow attackers to upload malicious files, leading to:
- Remote code execution (RCE)
- Full website takeover
This puts thousands of websites at risk, especially those that have not applied recent updates.
Another major campaign targeted internet-exposed Modbus-enabled PLCs (Programmable Logic Controllers) between September and November 2025.
Key highlights:
- 70 countries affected
- Over 14,000 IPs targeted
- Major impact in the U.S., France, Japan, Canada, and India
The attacks combined:
- Large-scale automated scanning
- Device fingerprinting
- Potential disruption attempts
Many attacking IPs had little or no reputation, suggesting the use of rotating or newly created infrastructure.
This incident provides important lessons for organizations working with AI systems and cloud environments:
- If you are using LMDeploy, update to the latest secure version as soon as possible.
- Limit the server's access to internal IP ranges and metadata services using firewall rules.
- Track unusual outbound requests, DNS callbacks, and internal scanning activity.
- Treat AI infrastructure like critical production systems with strict access control and monitoring.
- Avoid exposing internal services and industrial systems directly to the internet.
The rapid exploitation of CVE-2026-33626 shows how fast the threat landscape is evolving, especially in the era of AI. Attackers no longer wait days or weeks—they act within hours.
For organizations, the message is clear: speed is now a critical factor in cybersecurity defense. Delayed patching or weak monitoring can quickly turn a vulnerability into a full-scale breach.
As AI adoption continues to grow, securing AI infrastructure must become a top priority—not an afterthought.
