CVE-2023-7334

9.8 CRITICAL

📋 TL;DR

This CVE describes a critical .NET deserialization vulnerability in Changjetong T+ software that allows remote attackers to execute arbitrary code on affected systems. Attackers can send specially crafted requests to a vulnerable AjaxPro endpoint to trigger deserialization of malicious .NET types, leading to remote command execution. Organizations using Changjetong T+ versions up to 16.x are affected.

💻 Affected Systems

Products:
  • Changjetong T+
Versions: Up to and including 16.x
Operating Systems: Windows (as .NET application)
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable endpoint appears to be enabled by default in affected versions.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with attacker gaining complete control over the server, data exfiltration, ransomware deployment, and lateral movement within the network.

🟠 Likely Case

Remote code execution leading to installation of backdoors, cryptocurrency miners, or data theft from the T+ application database.

🟢 If Mitigated

Limited impact if proper network segmentation, application firewalls, and endpoint protection are in place to block exploitation attempts.

🌐 Internet-Facing: HIGH - The vulnerable endpoint is accessible via HTTP requests and exploitation requires no authentication, making internet-facing instances extremely vulnerable.
🏢 Internal Only: HIGH - Even internally accessible instances are vulnerable to attackers who gain initial network access through other means.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept code exists and exploitation has been observed in the wild since August 2023. The vulnerability requires no authentication and has simple exploitation steps.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 16.x

Vendor Advisory: https://www.chanjetvip.com/product/goods/detail?id=6077e91b70fa071069139f62

Restart Required: Yes

Instructions:

1. Contact Changjetong vendor for latest patched version.
2. Backup current installation and data.
3. Apply vendor-provided patch or upgrade to version after 16.x.
4. Restart T+ application services.
5. Verify the vulnerable endpoint is no longer accessible or patched.

🔧 Temporary Workarounds

Block vulnerable endpoint via WAF/IPS

Platform: all

Configure web application firewall or intrusion prevention system to block requests to the vulnerable endpoint.

WAF/IPS specific rules to block: POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore

Application firewall rule

Platform: windows

Add a URL rewrite rule in IIS (URL Rewrite module, placed under <system.webServer><rewrite><rules> in the site's web.config) to block access to the vulnerable endpoint.

<rule name="Block T+ RCE Endpoint" stopProcessing="true">
  <match url="^tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx" />
  <conditions>
    <add input="{QUERY_STRING}" pattern="method=GetStoreWarehouseByStore" />
  </conditions>
  <action type="AbortRequest" />
</rule>

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate T+ servers from internet and other critical systems
  • Deploy endpoint detection and response (EDR) solutions with behavioral monitoring for suspicious process creation

🔍 How to Verify

Check if Vulnerable:

Check if the endpoint /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore exists and accepts POST requests with JSON payloads.

Check Version:

Check T+ application version through administrative interface or consult vendor documentation for version identification methods.

Verify Fix Applied:

Attempt to send a test payload to the vulnerable endpoint and verify it no longer processes deserialization requests or returns appropriate error/block messages.

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx with method=GetStoreWarehouseByStore
  • Unusual process creation events from T+ application service account
  • JSON payloads containing .NET type names in request bodies

Network Indicators:

  • HTTP traffic to T+ servers containing serialized .NET objects in POST bodies
  • Outbound connections from T+ servers to suspicious external IPs following exploitation

SIEM Query:

source="web_server_logs" AND uri_path="/tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx" AND query_string="method=GetStoreWarehouseByStore" AND http_method="POST"
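As an added illustration of the log indicators and SIEM query above (this is not part of the advisory or vendor tooling), the following Python scans IIS W3C-format access logs for POST requests to the vulnerable endpoint, normalising path case and percent-encoding so trivially varied requests are not missed. The log lines are constructed samples.

```python
from urllib.parse import parse_qs, unquote

# Hypothetical detection for the endpoint named in this advisory, not vendor code.
VULN_PATH = "/tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx"
VULN_METHOD = "GetStoreWarehouseByStore"

# Constructed sample IIS W3C log (not real traffic). Column order comes from
# the "#Fields:" header, exactly as IIS writes it.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2023-08-21 10:15:02 10.0.0.5 GET /tplus/login.aspx - 80 - 203.0.113.7 200
2023-08-21 10:15:09 10.0.0.5 POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx method=GetStoreWarehouseByStore 80 - 203.0.113.7 200
2023-08-21 10:15:10 10.0.0.5 POST /TPLUS/AJAXPRO/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx method=GetStoreWarehouse%42yStore 80 - 203.0.113.7 500
2023-08-21 10:16:00 10.0.0.5 POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx - 80 - 203.0.113.8 200
2023-08-21 10:16:30 10.0.0.5 GET /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx method=GetStoreWarehouseByStore 80 - 203.0.113.9 200
"""

def parse_w3c(text):
    """Yield one dict per record, mapping columns via the log's own #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated record; skip rather than misalign
        yield dict(zip(fields, values))

def is_exploit_attempt(rec):
    """True for a POST to the vulnerable AjaxPro endpoint invoking the named method."""
    if rec.get("cs-method", "").upper() != "POST":
        return False
    # IIS paths are case-insensitive and may arrive percent-encoded; normalise both.
    path = unquote(rec.get("cs-uri-stem", "")).lower()
    if path != VULN_PATH.lower():
        return False
    # parse_qs decodes %XX sequences and drops the "-" IIS writes for an empty query.
    params = parse_qs(rec.get("cs-uri-query", ""))
    methods = [m.lower() for m in params.get("method", [])]
    return VULN_METHOD.lower() in methods

def scan(text):
    """Return (client_ip, status) for every record that matches the indicator."""
    return [(r["c-ip"], r["sc-status"]) for r in parse_w3c(text) if is_exploit_attempt(r)]
```

A non-200 status on a matching request (as in the third sample line) does not mean the attempt failed; AjaxPro deserialization may throw after the payload has already executed, so every hit deserves triage.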
