CVE-2023-50786

4.1 MEDIUM

📋 TL;DR

This vulnerability in Dradis allows authorized authors to embed external HTTPS images that can trigger NTLM authentication requests from Windows domain users. When other authors view these images, their Net-NTLM hashes may be captured by an attacker-controlled server. This affects Dradis instances running on Windows domain networks where multiple authors collaborate.

💻 Affected Systems

Products:
  • Dradis
Versions: through 4.16.0
Operating Systems: Windows (for NTLM hash capture)
Default Config Vulnerable: ⚠️ Yes
Notes: Only exploitable when Dradis is used in Windows domain environments with multiple authors. The vulnerability exists in all configurations but requires specific conditions for impact.


⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could capture Net-NTLM hashes from all domain users accessing the Dradis instance, potentially enabling credential relay attacks, lateral movement, and domain compromise.

🟠 Likely Case

An authorized malicious author captures Net-NTLM hashes from other authors viewing their content, enabling targeted credential attacks against specific users.

🟢 If Mitigated

With proper network segmentation and monitoring, hash capture attempts are detected and blocked before successful exploitation.

🌐 Internet-Facing: LOW - The vulnerability requires authorized access and targets internal Windows domain authentication.
🏢 Internal Only: MEDIUM - Requires authorized access but can lead to credential theft within Windows domain environments.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires author-level access to Dradis. The technique for NTLM hash capture via external resources is well-documented and easy to implement.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.16.1 or later

Vendor Advisory: https://dradis.com/

Restart Required: Yes

Instructions:

1. Backup your Dradis instance.
2. Update to Dradis version 4.16.1 or later.
3. Restart the Dradis service.
4. Verify the update was successful.

🔧 Temporary Workarounds

1. Disable external image embedding (applies to: all)

   Configure Dradis to only allow embedded/uploaded images and block external image references.

   How: Modify Dradis configuration to set 'allow_external_images: false'

2. Network segmentation (applies to: all)

   Block outbound SMB/NTLM authentication from Dradis servers to untrusted networks.

   How: Configure firewall rules to block TCP ports 139, 445 and SMB protocol to external networks

🧯 If You Can't Patch

  • Restrict author permissions to trusted users only and implement strict user access reviews
  • Monitor outbound SMB/NTLM authentication attempts from Dradis servers and investigate any to external IPs

🔍 How to Verify

Check if Vulnerable:

Check Dradis version: if version is 4.16.0 or earlier, the system is vulnerable

Check Version:

Check Dradis web interface admin panel or run 'bundle exec rails about' in Dradis directory

Verify Fix Applied:

Verify Dradis version is 4.16.1 or later and test that external image embedding is blocked
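The workaround above blocks new external image references, and the verification step checks that embedding is blocked, but neither tells you what is already stored in existing notes. The following is an added example (not code from Dradis or from this advisory) that audits note text for image references pointing at hosts outside an allowlist. It assumes notes use Textile `!url!` / `!url(alt)!` image markup or raw HTML `<img src>` tags, and the trusted host names and the sample note are constructed placeholders to replace with your own.

```python
import re
from urllib.parse import urlparse

# Image markup patterns. Textile form (!url! or !url(alt)!) is an assumption
# about how Dradis notes are stored; the HTML form is checked as well.
TEXTILE_IMG = re.compile(r'!([^!\s(]+)(?:\([^)]*\))?!')
HTML_IMG = re.compile(r'<img[^>]+src=["\']([^"\']+)["\']', re.IGNORECASE)

# Hosts allowed to serve images: the Dradis instance itself and any internal
# asset host. Constructed placeholder values.
TRUSTED_HOSTS = {"dradis.internal.example", "assets.internal.example"}


def is_external(url: str, trusted_hosts=TRUSTED_HOSTS) -> bool:
    """Return True when url resolves to a host outside trusted_hosts.

    Relative references (uploaded attachments such as
    /pro/projects/1/attachments/x.png) are served by Dradis and are never
    external. Scheme-relative //host/... URLs count as external because the
    viewer's browser still resolves them to a remote host.
    """
    if url.startswith("//"):
        url = "https:" + url
    parsed = urlparse(url)
    if not parsed.netloc:
        return False
    host = (parsed.hostname or "").lower()
    return host not in trusted_hosts


def find_external_images(note_text: str, trusted_hosts=TRUSTED_HOSTS):
    """Return a list of (line_number, url) for every external image reference."""
    findings = []
    for lineno, line in enumerate(note_text.splitlines(), start=1):
        for pattern in (TEXTILE_IMG, HTML_IMG):
            for url in pattern.findall(line):
                if is_external(url, trusted_hosts):
                    findings.append((lineno, url))
    return findings


# Constructed sample note: two internal images, two external ones.
SAMPLE_NOTE = """h2. Evidence

Screenshot of the login page:
!/pro/projects/1/attachments/login.png!
Reference image: !https://assets.internal.example/logo.png!
Tracking pixel: !https://img.example.net/pixel.png(status)!
<img src="//cdn.example.org/b.png">
"""

if __name__ == "__main__":
    for lineno, url in find_external_images(SAMPLE_NOTE):
        print(f"line {lineno}: external image reference {url}")
```

Run it against exported note bodies (one string per note) and review each finding; an external reference authored before the patch is the thing to remove, since it fires on every viewer's browser, not on the server.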

📡 Detection & Monitoring

Log Indicators:

  • Failed authentication attempts from Dradis server to external resources
  • Multiple image load failures in Dradis logs

Network Indicators:

  • Outbound SMB/NTLM authentication attempts from Dradis server to external IPs
  • HTTP requests to unknown image hosting services

SIEM Query:

source="dradis" AND (event="image_load_failure" OR event="external_resource_access")
