GitHub published GHSA-6w67-hwm5-92mq (CVE-2026-33626), a Server-Side Request Forgery (SSRF) in LMDeploy’s vision-language image loader, and Sysdig observed the first exploitation attempt against a honeypot 12 hours and 31 minutes after the advisory went live. The attacker used the image_url SSRF to fetch AWS IMDS, scan loopback services (Redis, MySQL, local admin HTTP), and confirm egress via an OOB DNS callback; defenders are advised to update to v0.12.3, enforce IMDSv2, restrict egress, rotate credentials, and add runtime detection. #LMDeploy #CVE-2026-33626
Keypoints
- GHSA-6w67-hwm5-92mq (CVE-2026-33626) is an SSRF in LMDeploy’s image_url handling that lacks hostname/scheme validation and allowed internal network requests.
- Sysdig TRT deployed a vulnerable honeypot and observed the first exploitation attempt 12 hours and 31 minutes after the advisory appeared on GitHub; no public PoC existed at the time.
- An attacker from 103.116.72.119 performed a scripted eight-minute session that pivoted between two VLMs and executed three phases: IMDS/Redis probes, OOB DNS egress test and API enumeration, then admin-plane probe and localhost port sweep.
- The attacker fetched AWS IMDS credentials, probed Redis (127.0.0.1:6379) and MySQL (127.0.0.1:3306), invoked an unauthenticated distserve kill-switch, and performed local HTTP port scans (ports 80, 8080).
- The advisory text itself (file, parameter, vulnerable code) plus GenAI-assisted code generation sped exploit development; weaponization of niche AI-infrastructure bugs is occurring within hours of disclosure.
- Recommendations: upgrade LMDeploy to v0.12.3+, enforce IMDSv2, restrict VPC/SG egress, rotate IAM credentials for exposed deployments, bind internal services to private interfaces and enable runtime detection rules.
MITRE Techniques
- [T1190 ] Exploit Public-Facing Application – SSRF exploited a public inference API to fetch internal resources (‘Any URL with an http:// or https:// scheme — including http://169.254.169.254/, http://127.0.0.1:3306, or any RFC 1918 address — was fetched by the server’).
- [T1046 ] Network Service Discovery – The attacker used the SSRF primitive to port-scan and discover internal services (IMDS, Redis, MySQL, admin HTTP) (‘they used the vision-language image loader as a generic HTTP SSRF primitive to port-scan the internal network behind the model server: AWS Instance Metadata Service (IMDS), Redis, MySQL…’).
- [T1048.001 ] Exfiltration Over DNS – The operator validated blind-SSRF and egress by triggering an OOB DNS/HTTP callback to requestrepo.com (‘image_url: http[://]cw2mhnbd.requestrepo.com’).
- [T1499 ] Endpoint Denial of Service – The attacker invoked an unauthenticated admin endpoint to tear down ZMQ links and disrupt inference (‘POST /distserve/p2p_drop_connect … An attacker who knows or guesses a live remote_engine_id can disrupt the prefill/decode route for that peer, degrading or breaking inference’).
Indicators of Compromise
- [IP address ] attacker source – 103.116.72.119 (observed exploit origin, Kowloon Bay, HK)
- [Domain ] OOB callback / exfiltration – cw2mhnbd.requestrepo.com (unique OAST subdomain used to confirm blind-SSRF)
- [URL ] SSRF-fetched internal endpoints – http://169.254.169.254/latest/meta-data/iam/security-credentials/, http://127.0.0.1:6379, and 3 more URLs (http://127.0.0.1:3306, http://127.0.0.1:8080, http://127.0.0.1)