
CVE-2026-33626 LMDeploy SSRF Weaponized in 12 Hours: Vision-LLM Image Loader Abused for Cloud Credential Theft and Internal Network Scanning

Date: 2026-06-01
Tags: malware, apt, llmjacking

Executive Summary

CVE-2026-33626 in LMDeploy was exploited within 12 hours of disclosure, enabling attackers to use a vision-LLM endpoint for SSRF-based internal network scanning, cloud metadata access, and service enumeration. The flaw (CVSS score: 7.5) is a Server-Side Request Forgery (SSRF) vulnerability that could be exploited to access sensitive data. This represents the fastest exploitation window recorded for AI infrastructure vulnerabilities and demonstrates a collapse in patch windows driven by LLM-enabled exploit generation.

Campaign Summary

| Field | Detail |
| --- | --- |
| Campaign / Malware | CVE-2026-33626 Exploitation Campaign |
| Attribution | Unknown; likely Hong Kong-based operators (confidence: medium) |
| Target | Organizations running exposed LMDeploy instances with vision-language model capabilities |
| Vector | SSRF in LMDeploy load_image() function; direct network access to exposed inference servers |
| Status | active |
| First Observed | 2026-04-22 |

Detailed Findings

On April 21, 2026, GitHub published GHSA-6w67-hwm5-92mq, later assigned CVE-2026-33626, a Server-Side Request Forgery (SSRF) vulnerability in LMDeploy, an open-source toolkit for serving vision-language and text large language models (LLMs) developed by Shanghai AI Laboratory, InternLM. Within 12 hours and 31 minutes of its publication on the main GitHub advisory page, the Sysdig Threat Research Team (TRT) observed the first LMDeploy exploitation attempt against its honeypot fleet.

The attacker did not simply validate the bug and move on. Instead, over a single eight-minute session, they used the vision-language image loader as a generic HTTP SSRF primitive to port-scan the internal network behind the model server: AWS Instance Metadata Service (IMDS), Redis, MySQL, a secondary HTTP administrative interface, and an out-of-band (OOB) DNS exfiltration endpoint. Attackers weaponized the vision-language module's load_image() function, which failed to validate whether URLs pointed to internal or private IP addresses. The first attacks originated from Kowloon Bay, Hong Kong, and followed a classic cloud exploitation playbook: OOB DNS confirmation, AWS IMDS credential theft, and rapid internal port scanning.

An advisory as specific as GHSA-6w67-hwm5-92mq, which includes the affected file, parameter name, root-cause explanation, and sample vulnerable code, is effectively an input prompt for any commercial LLM to generate a potential exploit. In the age of capable code-generation models, any advisory that names the vulnerable function, shows the missing check, or quotes the affected code pattern becomes a turnkey exploit.

MITRE ATT&CK Mapping

| Technique | ID | Context |
| --- | --- | --- |
| Server-Side Request Forgery (SSRF) | T1190 | SSRF via load_image() function to reach internal network resources and cloud metadata |
| Cloud Credential Theft | T1528 | Exploitation of SSRF to harvest AWS IMDS credentials from compromised LLM inference servers |
| Network Service Discovery | T1046 | Port scanning of internal network via SSRF to enumerate services (Redis, MySQL, HTTP admin) |

IOCs

Domains

_CVE-2026-33626 affects LMDeploy 0.12.0 and prior versions; patched in 0.12.3_

Splunk Format

_No IOCs available for Splunk query_

Package Indicators

lmdeploy (versions 0.12.0 and prior)

Detection Recommendations

Implement egress filtering on all LLM inference servers to block requests to internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16) and AWS IMDS endpoints (169.254.169.254). Monitor LMDeploy logs for suspicious image URLs passed to load_image(). Enforce network segmentation separating inference servers from credential stores. Apply least-privilege IAM to inference server roles, preventing access to AWS Secrets Manager or credential-bearing resources. Patch LMDeploy to version 0.12.3 or later immediately.
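
The check that load_image() is described as missing can also be enforced in application code in front of any server-side image fetch. The following is an added example, not LMDeploy's own code or its patch: the function names, the injectable resolver, and the sample hostnames are assumptions, and loopback and the IPv6 ranges are added to the ranges listed above.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges from the recommendations above; loopback and the IPv6 entries are added assumptions.
BLOCKED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]

def system_resolver(host):
    """All addresses a name resolves to; a single internal answer is enough to reject."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it is tested against the IPv4 ranges.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED if net.version == ip.version)

def check_image_url(url, resolver=system_resolver):
    """Return (allowed, detail) for a URL about to be fetched server-side."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)      # literal IP in the URL
        addrs = [host]
    except ValueError:
        try:
            addrs = resolver(host)      # hostname: judge what it resolves to
        except OSError:
            return False, "resolution failed"
    if not addrs:
        return False, "resolution failed"
    internal = [a for a in addrs if is_internal(a)]
    if internal:
        return False, "internal address " + internal[0]
    return True, ",".join(addrs)

# Constructed sample data: documentation-range names and addresses, not observed indicators.
SAMPLE_DNS = {"cdn.example.com": ["203.0.113.10"], "img.example.net": ["198.51.100.7", "10.1.2.3"]}
SAMPLE_URLS = ["https://cdn.example.com/cat.png", "http://169.254.169.254/img.png",
               "http://img.example.net/a.jpg", "http://[::ffff:192.168.0.5]/x.png", "ftp://cdn.example.com/a.png"]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, check_image_url(u, resolver=lambda h: SAMPLE_DNS[h]))
```

The fetch itself must connect to the address that was vetted and re-run the check on every redirect; otherwise a second DNS lookup or a redirect can still land on an internal host, which is why the egress filtering above remains necessary.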
