CVE-2023-7334

CVE-2023-7334 is a .NET deserialization vulnerability (CWE-502) affecting Changjetong T+ versions up to and including 16.x. The flaw resides in an AjaxPro endpoint, specifically at /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore, where the application deserializes untrusted input. This vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high-impact remote exploitation.

A remote attacker can exploit this vulnerability by sending a crafted HTTP request with a malicious JSON body to the affected endpoint. The deserialization of attacker-controlled .NET types allows invocation of arbitrary methods, such as System.Diagnostics.Process.Start, leading to remote code execution. Commands execute in the context of the T+ application service account, enabling full compromise of the host without requiring authentication or user interaction.

References include proof-of-concept exploit code on GitHub and detailed analyses on CSDN, Freebuf, and the vendor's product page, but no specific patch or mitigation guidance is detailed in the available information. Security practitioners should review these resources for reproduction steps and monitor affected systems.

Exploitation evidence was observed by the Shadowserver Foundation as early as 2023-08-19 (UTC), predating the CVE publication on 2026-01-15, suggesting active in-the-wild use prior to formal disclosure.