Executive Summary
A high-severity Server-Side Request Forgery (SSRF) vulnerability, identified as CVE-2026-33626 with a CVSS score of 7.5, was discovered in LMDeploy, an open-source toolkit for compressing, deploying, and serving large language models (LLMs). This flaw resides in the vision-language module's load_image() function, which fetches arbitrary URLs without validating internal or private IP addresses, potentially allowing attackers to access cloud metadata services, internal networks, and sensitive resources. The vulnerability affects all versions up to 0.12.2 and was patched in version 0.12.3. Notably, within 13 hours of its public disclosure, the vulnerability was actively exploited in the wild, with attackers targeting AWS Instance Metadata Service (IMDS) and Redis instances, testing egress with out-of-band DNS callbacks, and performing port scans on the loopback interface. This rapid exploitation underscores the critical need for prompt vulnerability management and patching practices. The incident highlights a concerning trend where threat actors swiftly weaponize newly disclosed vulnerabilities, particularly in AI infrastructure components, emphasizing the importance of proactive security measures and continuous monitoring to mitigate potential risks.
Why This Matters Now
The rapid exploitation of CVE-2026-33626 within hours of disclosure underscores the urgent need for organizations to promptly apply security patches and enhance monitoring of AI infrastructure components to prevent unauthorized access and data breaches.
Attack Path Analysis
An attacker exploited the SSRF vulnerability in LMDeploy's vision-language module to access internal resources. They escalated privileges by retrieving cloud credentials from the AWS Instance Metadata Service. Using these credentials, the attacker moved laterally within the internal network to access Redis and MySQL databases. They established command and control by setting up persistent access to compromised systems. Sensitive data was exfiltrated from internal databases to external servers. The attack concluded with the deletion of logs to cover tracks and disrupt forensic analysis.
Kill Chain Progression
Initial Compromise
Description
Exploited SSRF vulnerability in LMDeploy's vision-language module to access internal resources.
Related CVEs
CVE-2026-33626
CVSS 7.5A Server-Side Request Forgery (SSRF) vulnerability in LMDeploy's vision-language module allows attackers to access internal resources and sensitive data.
Affected Products:
InternLM LMDeploy – < 0.12.3
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Application Layer Protocol: Web Protocols
Server Software Component: Web Shell
Valid Accounts
Network Service Discovery
Remote Services: Remote Desktop Protocol
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity Management and Access Control
Control ID: Pillar 1: Identity
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
LMDeploy SSRF vulnerability creates critical supply-chain risks for AI/ML software development, requiring immediate patching and enhanced egress security controls.
Information Technology/IT
Server-side request forgery exploits threaten IT infrastructure security, demanding strengthened zero trust segmentation and multicloud visibility for LLM deployments.
Financial Services
HIPAA and PCI compliance violations possible through SSRF data exfiltration, necessitating encrypted traffic monitoring and threat detection capabilities.
Health Care / Life Sciences
Sensitive healthcare data exposure via LMDeploy SSRF attacks requires immediate kubernetes security hardening and anomaly response implementation.
Sources
- LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosurehttps://thehackernews.com/2026/04/lmdeploy-cve-2026-33626-flaw-exploited.htmlVerified
- NVD - CVE-2026-33626https://nvd.nist.gov/vuln/detail/CVE-2026-33626Verified
- GitHub Security Advisory: GHSA-6w67-hwm5-92mqhttps://github.com/InternLM/lmdeploy/security/advisories/GHSA-6w67-hwm5-92mqVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to exploit vulnerabilities, escalate privileges, move laterally, establish command and control, and exfiltrate data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit the SSRF vulnerability to access internal resources would likely be constrained by enforcing strict segmentation and identity-aware policies.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges by accessing cloud credentials may be limited by enforcing strict identity-based access controls.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement within the internal network to access databases would likely be constrained by enforcing east-west traffic controls.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish persistent remote access may be limited by comprehensive visibility and control over multicloud environments.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data to external servers would likely be constrained by enforcing strict egress policies.
The attacker's ability to delete logs to cover tracks may be limited by implementing immutable logging and monitoring solutions.
Impact at a Glance
Affected Business Functions
- Model Deployment
- Data Processing
- Internal Network Security
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of internal network configurations and sensitive data accessible via cloud metadata services.
Recommended Actions
Key Takeaways & Next Steps
- • Implement input validation to prevent SSRF vulnerabilities.
- • Restrict access to cloud metadata services from internal systems.
- • Enforce least privilege access controls to limit lateral movement.
- • Monitor network traffic for anomalous patterns indicating data exfiltration.
- • Regularly audit and update security configurations to address known vulnerabilities.
