Likelihood: HIGH
Impact: HIGH
Treatment: MITIGATE
Confidence: Moderate
The CISA KEV listing confirms active exploitation in the wild against LMDeploy's vision-language module, which raises likelihood beyond the theoretical. Impact is high because successful SSRF against cloud metadata services (e.g., IMDSv1 endpoints) yields IAM credentials, enabling lateral movement to storage, databases, and downstream workloads far beyond the LMDeploy instance itself.
Treatment rationale: Active exploitation with a confirmed patch available (v0.12.3) makes immediate remediation the only defensible primary treatment — acceptance or transfer cannot reduce the near-term credential-exfiltration window that existing exploitation activity represents.
Third-Party / Supply-Chain Risk
LMDeploy is an open-source framework (internlm/lmdeploy) integrated as a dependency into AI inference stacks. Organizations consuming it via containerized deployments, MLOps pipelines, or managed AI platforms inherit this exposure without necessarily owning the vulnerable component directly. NIST SP 800-161 C-SCRM requires verification that all pipeline consumers, including downstream model-serving integrations and cloud-hosted inference endpoints, have patched or mitigated at the component level.
Loss Exposure (illustrative)
Magnitude: high — illustrative $500K–$5M per incident, reflecting credential-exfiltration scenarios where downstream cloud resource access enables data exfiltration from storage or databases rather than a contained single-application compromise
Frequency: For an organization running exposed LMDeploy instances in cloud environments with CISA KEV-confirmed active exploitation, illustrative threat event frequency is moderate-to-high (multiple credible threat actors per year targeting known-exploited AI serving infrastructure)
Annualized: Illustrative ALE: assuming one material exploitation event every 1–2 years at the stated magnitude range, annualized exposure is $250K–$5M. The figure is highly dependent on the data sensitivity reachable via exfiltrated credentials and on actual patch/compensating-control status.
Basis: Magnitude derived from SSRF-to-metadata-service attack path: primary loss driver is not the LMDeploy application itself but the blast radius of exfiltrated cloud IAM credentials enabling access to co-located storage, databases, and services. Frequency anchored to CISA KEV active-exploitation status indicating organized threat actor interest. Range reflects variance between organizations with IMDSv2 enforcement and metadata service blocking (lower end) versus those with unrestricted IMDSv1 and broadly permissive IAM roles (upper end).
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• IAM credential exfiltration enabling access to regulated data stores may invoke cyber-insurance incident-reporting obligations — verify with broker.
• If personal or regulated data (PII, PHI, PCI-scoped data) is reachable via the compromised cloud credentials, state and federal breach-notification requirements may be triggered — verify with counsel.
• Cloud service agreements and data-processing addenda may contain security-incident disclosure requirements tied to unauthorized access to cloud infrastructure credentials — verify with counsel.