CVE-2026-33626: SSRF in LMDeploy exploited in under 13 hours

Colleagues, please note: a vulnerability in LMDeploy (CVE-2026-33626) was rapidly exploited.
- Overview: An SSRF in the vision-language module — load_image() fetches arbitrary URLs without validating internal IPs, exposing cloud metadata and internal services.
- Affected: all versions ≤0.12.0 with the vision-language module. Discovered by Igor Stepansky.
- Exploitation: Sysdig recorded an attack 12 h 31 min after disclosure — scanning IMDS, Redis, MySQL and OOB DNS; attackers modified VLMs to obfuscate activity.
Why it matters: AI infrastructure flaws become working exploits within hours — patch and restrict outbound requests.
What measures will you implement to protect models and infrastructure?
#cybersecurity #Infosec #AI #vulnerabilities
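The mitigation the post ends on, "restrict outbound requests", is the defender-side fix for the SSRF pattern described above: an image loader that fetches user-supplied URLs must refuse to contact loopback, private, link-local (where cloud metadata lives) and similar ranges. The following is an added, hypothetical example of such a check in Python, not LMDeploy's own code; `validate_image_url`, `is_blocked_ip`, the `FAKE_DNS` table and the `resolver` parameter are all constructed for this illustration, and the real `socket.getaddrinfo` is only the default so the demo can run offline.

```python
"""Hypothetical hardened URL vetting for an image loader (added example, not LMDeploy code)."""
import ipaddress
import socket
from urllib.parse import urlparse

# Ranges an image fetcher has no business reaching. Kept as an explicit list in
# addition to ipaddress' own flags, because e.g. is_private does not cover
# CGNAT (100.64.0.0/10). Link-local covers the cloud metadata endpoint.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "240.0.0.0/4", "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def is_blocked_ip(ip: str) -> bool:
    """True if `ip` (v4 or v6, scope id tolerated) must not be contacted."""
    addr = ipaddress.ip_address(ip.split("%", 1)[0])
    # IPv4-mapped IPv6 (::ffff:a.b.c.d): judge the embedded IPv4 address,
    # otherwise a v6 literal smuggles a v4 internal address past v4-only rules.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified):
        return True
    return any(addr in net for net in BLOCKED_NETWORKS)


def validate_image_url(url: str, resolver=socket.getaddrinfo) -> list[str]:
    """Return the vetted IP addresses `url` resolves to, or raise ValueError.

    `resolver` defaults to the real socket.getaddrinfo; the demo below injects
    a constructed table so the check runs offline. The caller must then connect
    to one of the returned IPs (sending the original Host header) rather than
    re-resolving the name, or a DNS rebinding race defeats this check.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")
    if parsed.username is not None or parsed.password is not None:
        raise ValueError("credentials in URL not allowed")
    host = parsed.hostname
    if not host:
        raise ValueError("missing host")
    try:
        port = parsed.port or (443 if parsed.scheme == "https" else 80)
    except ValueError:
        raise ValueError("invalid port") from None
    try:
        infos = resolver(host, port, proto=socket.IPPROTO_TCP)
    except (socket.gaierror, ValueError) as exc:
        raise ValueError(f"cannot resolve {host!r}: {exc}") from None
    ips = sorted({info[4][0] for info in infos})
    if not ips:
        raise ValueError(f"no addresses for {host!r}")
    blocked = [ip for ip in ips if is_blocked_ip(ip)]
    if blocked:
        # Reject the whole name if ANY answer is internal: a mixed answer is
        # exactly what an attacker-controlled DNS zone would return.
        raise ValueError(f"{host!r} resolves to blocked address(es): {blocked}")
    return ips


# Constructed DNS table for the offline demo (not real records).
FAKE_DNS = {
    "images.example.com": ["8.8.8.8"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.example.com": ["8.8.8.8", "10.0.0.5"],
}


def fake_resolver(host, port, **_kw):
    """Stand-in for socket.getaddrinfo returning the same tuple shape."""
    try:
        ips = [str(ipaddress.ip_address(host))]  # literal IP: no lookup needed
    except ValueError:
        if host not in FAKE_DNS:
            raise socket.gaierror(f"NXDOMAIN {host}")
        ips = FAKE_DNS[host]
    return [(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP, "", (ip, port))
            for ip in ips]


def check(url: str, resolver=fake_resolver) -> str:
    """Convenience wrapper: 'ALLOW <ips>' or 'DENY <reason>'."""
    try:
        return "ALLOW " + ",".join(validate_image_url(url, resolver))
    except ValueError as exc:
        return "DENY " + str(exc)


if __name__ == "__main__":
    for u in ("https://images.example.com/cat.png",
              "http://metadata.internal/latest/meta-data/",
              "http://127.0.0.1/", "http://[::ffff:169.254.169.254]/",
              "http://rebind.example.com/x.png", "file:///etc/hosts",
              "http://user:pw@images.example.com/x"):
        print(f"{check(u):<60} {u}")
```

Two things this check cannot do on its own: the HTTP client that consumes the returned IPs must not follow redirects blindly (each redirect target needs the same vetting), and the process should additionally sit behind an egress policy (proxy allowlist or network rules) so that a bypass in application code still cannot reach the metadata service or internal datastores.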