A critical security flaw affecting **LMDeploy**, a toolkit designed for compressing, deploying, and serving LLMs, has been actively exploited in the wild shortly after its public disclosure. This underscores the increasing risk of rapid exploitation targeting AI infrastructure. ### CVE-2026-33626: Server-Side Request Forgery The vulnerability, identified as **CVE-2026-33626** (CVSS score: 7.5), is a Server-Side Request Forgery (SSRF) issue that allows attackers to potentially access sensitive information. According to an advisory published by the project maintainers, the `load_image()` function within `lmdeploy/vl/utils.py` fetches arbitrary URLs without proper validation of internal/private IP addresses. This oversight enables attackers to access cloud metadata services, internal networks, and other sensitive resources. The vulnerability impacts all versions of the toolkit (0.12.0 and prior) that include vision language support. **Igor Stepansky**, a researcher at **Orca Security**, is credited with discovering and reporting the vulnerability. ### Potential Impact Successful exploitation of **CVE-2026-33626** could allow attackers to: * Steal cloud credentials. * Access internal services not exposed to the internet. * Perform port scans of internal networks. * Establish lateral movement opportunities within the compromised environment. ### Rapid Exploitation Detected **Sysdig**, a cloud security firm, reported detecting the first exploitation attempt against their honeypot systems a mere 12 hours and 31 minutes after the vulnerability's publication on **GitHub**. The attack originated from IP address 103.116.72[.]119. "The attacker did not simply validate the bug and move on. Instead, over a single eight-minute session, they used the vision-language image loader as a generic HTTP SSRF primitive to port-scan the internal network behind the model server: AWS Instance Metadata Service (IMDS), Redis, MySQL, a secondary HTTP administrative interface, and an out-of-band (OOB) DNS exfiltration endpoint," **Sysdig** stated in their analysis. The attacker's actions, observed on April 22, 2026, at 03:35 a.m. UTC, involved 10 distinct requests across three phases. The attacker switched between vision language models (VLMs) like `internlm-xcomposer2` and `OpenGVLab/InternVL2-8B`, likely to evade detection. The attack included: * Targeting **AWS** IMDS and **Redis** instances on the server. * Testing egress with an out-of-band (OOB) DNS callback to `requestrepo[.]com` to confirm the SSRF vulnerability could reach arbitrary external hosts, followed by enumerating the API surface. * Port scanning the loopback interface ("127.0.0[.]1"). ### Lessons Learned This incident highlights the importance of promptly patching vulnerabilities, even when proof-of-concept (PoC) exploits are not yet publicly available. Threat actors are actively monitoring vulnerability disclosures and rapidly weaponizing them. "CVE-2026-33626 fits a pattern that we have observed repeatedly in the AI-infrastructure space over the past six months: critical vulnerabilities in inference servers, model gateways, and agent orchestration tools are being weaponized within hours of advisory publication, regardless of the size or extent of their install base," **Sysdig** noted. They further emphasized that "Generative AI (GenAI) is accelerating this collapse. An advisory as specific as GHSA-6w67-hwm5-92mq, which includes the affected file, parameter name, root-cause explanation, and sample vulnerable code, is effectively an input prompt for any commercial LLM to generate a potential exploit." ### WordPress Plugins and Internet-Exposed Modbus Devices Targeted Concurrently, threat actors are actively exploiting vulnerabilities in two **WordPress** plugins: Ninja Forms – File Upload (**CVE-2026-0740**, CVSS score: 9.8) and Breeze Cache (**CVE-2026-3844**, CVSS score: 9.8). These vulnerabilities allow attackers to upload arbitrary files to vulnerable sites, potentially leading to arbitrary code execution and complete system takeover.  Furthermore, a global campaign has been identified targeting internet-exposed, Modbus-enabled programmable logic controllers (PLCs) from September to November 2025. This campaign spanned 70 countries and targeted 14,426 distinct IP addresses, primarily located in the U.S., France, Japan, Canada, and India. Some of the originating requests have been geolocated to China. "The activity blended large-scale automated probing with more selective patterns that suggest deeper device fingerprinting, disruption attempts, and potential manipulation paths when PLCs are reachable from the public internet," **Cato Networks** researchers reported. "Many source IPs had low or zero public reputation scores, consistent with fresh or rotating scanning hosts."