CVE-2023-7334 Overview
CVE-2023-7334 is a critical insecure deserialization vulnerability affecting Changjetong T+ versions up to and including 16.x. The vulnerability exists in an AjaxPro endpoint that improperly handles .NET deserialization, allowing remote attackers to achieve arbitrary code execution on affected systems. A remote attacker can send a crafted request to the vulnerable endpoint /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore with a malicious JSON body that leverages deserialization of attacker-controlled .NET types to invoke arbitrary methods such as System.Diagnostics.Process.Start. This results in execution of arbitrary commands in the context of the T+ application service account.
Critical Impact
Unauthenticated remote code execution allowing attackers to execute arbitrary commands on the T+ application server, potentially leading to complete system compromise. Exploitation evidence was observed by the Shadowserver Foundation as early as 2023-08-19.
Affected Products
- Changjetong T+ versions up to and including 16.x
- T+ ERP software installations exposing the AjaxPro endpoint
- Systems with the vulnerable GetStoreWarehouseByStore method accessible
Discovery Timeline
- 2023-08-19 - Exploitation evidence observed by Shadowserver Foundation
- 2026-01-15 - CVE-2023-7334 published to NVD
- 2026-01-21 - Last updated in NVD database
Technical Details for CVE-2023-7334
Vulnerability Analysis
This vulnerability is classified as CWE-502 (Deserialization of Untrusted Data). The flaw resides in the AjaxPro framework implementation within Changjetong T+, specifically in how the application handles incoming JSON data during deserialization operations. The vulnerable endpoint does not properly validate or restrict the types that can be instantiated during the deserialization process, creating a classic .NET deserialization attack surface.
The attack is network-accessible and requires no authentication or user interaction, making it particularly dangerous for internet-facing T+ installations. Successful exploitation allows attackers to invoke arbitrary .NET methods, most notably System.Diagnostics.Process.Start, which enables command execution with the privileges of the T+ application service account.
Root Cause
The root cause is improper handling of type information during .NET deserialization in the AjaxPro endpoint. The application accepts untrusted input containing type specifications that allow attackers to instantiate arbitrary .NET classes. Without proper type restrictions or input validation, the deserializer processes malicious payloads that specify dangerous types capable of executing system commands.
The vulnerable method GetStoreWarehouseByStore exposed through the .ashx handler does not implement adequate safeguards against deserialization attacks, such as type filtering or serialization binders that would restrict which classes can be instantiated from incoming data.
Attack Vector
The attack is executed via network access to the vulnerable AjaxPro endpoint. An attacker crafts a malicious HTTP POST request containing a specially formatted JSON body that includes serialized .NET type information. The payload leverages known deserialization gadget chains to instantiate objects that ultimately call methods like System.Diagnostics.Process.Start to execute arbitrary operating system commands.
The vulnerable endpoint is located at /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore. When the server processes the malicious request, the deserialization routine instantiates the attacker-specified types, triggering command execution in the security context of the T+ web application service account.
For technical details on the exploitation mechanism, refer to the VulnCheck Advisory on RCE and the GitHub PoC Script.
Detection Methods for CVE-2023-7334
Indicators of Compromise
- HTTP POST requests to /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore containing unusual JSON payloads with .NET type specifications
- Presence of serialized .NET gadget chain indicators in web server access logs, particularly references to System.Diagnostics.Process or similar dangerous types
- Unexpected child processes spawned by the T+ application service account (e.g., cmd.exe, powershell.exe, or certutil.exe)
- Anomalous outbound network connections from the T+ server to unfamiliar external IP addresses
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block requests containing .NET deserialization gadget signatures targeting AjaxPro endpoints
- Configure endpoint detection and response (EDR) solutions to alert on suspicious process execution chains originating from the T+ web application process
- Deploy network intrusion detection signatures to identify exploitation attempts against the vulnerable GetStoreWarehouseByStore endpoint
- Review IIS or web server logs for requests to the vulnerable .ashx handler with unusually large or malformed JSON bodies
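The log review above, as an added example that is not part of the original advisory: a small Python scanner over IIS W3C extended log lines that flags every request to the vulnerable handler and method and ranks unusually large request bodies (cs-bytes) higher. The log excerpt, the field layout and the 4096-byte threshold are constructed for the example.

```python
from typing import Iterator

# Constructed IIS W3C log excerpt (not from a real server); the #Fields header names the
# columns, and cs-bytes is the request size the advisory suggests reviewing.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status cs-bytes
2023-08-19 03:14:07 10.0.0.5 GET /tplus/login.aspx - 203.0.113.7 200 412
2023-08-19 03:14:09 10.0.0.5 POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx method=GetStoreWarehouseByStore 203.0.113.7 200 18342
2023-08-19 03:15:22 10.0.0.5 POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx method=GetStoreWarehouseByStore 192.168.1.20 200 512
2023-08-19 03:16:01 10.0.0.5 POST /tplus/ajaxpro/Other.Page,App_Code.ashx method=GetList 192.168.1.20 200 300
"""

VULN_HANDLER = "/tplus/ajaxpro/ufida.t.codebehind._prioritylevel,app_code.ashx"
VULN_METHOD = "method=getstorewarehousebystore"
LARGE_BODY_BYTES = 4096  # constructed threshold; tune it against the site's normal traffic


def parse_w3c(text: str) -> Iterator[dict]:
    """Yield one dict per record, keyed by the most recent #Fields header."""
    fields: list[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed records
                yield dict(zip(fields, values))


def find_cve_2023_7334_hits(text: str) -> list[dict]:
    """Flag every request to the vulnerable handler and method; rank large bodies higher."""
    hits = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "").lower()
        query = rec.get("cs-uri-query", "").lower()
        if not stem.endswith(VULN_HANDLER) or VULN_METHOD not in query:
            continue
        size = int(rec["cs-bytes"]) if rec.get("cs-bytes", "").isdigit() else 0
        hits.append({
            "time": f"{rec.get('date', '')} {rec.get('time', '')}",
            "client": rec.get("c-ip"),
            "http_method": rec.get("cs-method"),
            "request_bytes": size,
            "severity": "high" if size > LARGE_BODY_BYTES else "review",
        })
    return hits


if __name__ == "__main__":
    for hit in find_cve_2023_7334_hits(SAMPLE_LOG):
        print(hit)
```

Legitimate calls to GetStoreWarehouseByStore are expected to be small, so the "review" entries are worth comparing against known client addresses rather than ignoring.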
Monitoring Recommendations
- Enable detailed logging for all requests to AjaxPro endpoints within the T+ application
- Monitor for unexpected changes to system files, scheduled tasks, or user accounts on T+ servers
- Implement file integrity monitoring on T+ installation directories to detect webshell deployments or other persistence mechanisms
- Configure alerts for process creation events where the parent process is the T+ application pool identity
How to Mitigate CVE-2023-7334
Immediate Actions Required
- Restrict network access to T+ installations, ensuring the application is not directly exposed to the internet without proper security controls
- Implement web application firewall rules to block malicious requests targeting the vulnerable AjaxPro endpoint
- Apply network segmentation to isolate T+ servers from critical internal systems and limit lateral movement potential
- Monitor for indicators of compromise on systems running vulnerable T+ versions
Patch Information
Organizations should contact Chanjet directly for information about security updates addressing this vulnerability. Refer to the Chanjet Product Details page for vendor contact information and product support resources. Additional technical analysis is available from the VulnCheck Advisory.
Workarounds
- Disable or restrict access to the vulnerable AjaxPro endpoint /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx if the GetStoreWarehouseByStore functionality is not required
- Place T+ servers behind a reverse proxy that filters and inspects incoming requests for malicious deserialization payloads
- Run the T+ application under a dedicated service account with minimal privileges to limit the impact of successful exploitation
- Consider temporarily taking T+ offline if immediate patching is not possible and the system is exposed to untrusted networks
<!-- Example IIS URL Rewrite rule to block the vulnerable endpoint; add to web.config in the T+ application directory (requires the IIS URL Rewrite module). The method name is in the query string, which <match url> does not inspect, so it is checked in a condition on {QUERY_STRING}. -->
<system.webServer>
  <rewrite>
    <rules>
      <rule name="Block CVE-2023-7334" stopProcessing="true">
        <match url=".*ajaxpro.*_PriorityLevel.*" />
        <conditions>
          <add input="{QUERY_STRING}" pattern="method=GetStoreWarehouseByStore" />
        </conditions>
        <action type="CustomResponse" statusCode="403" statusReason="Forbidden" />
      </rule>
    </rules>
  </rewrite>
</system.webServer>
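The reverse-proxy inspection listed under Workarounds, as an added example that is not part of the original advisory: a Python check a proxy or WAF hook could run on the JSON body before forwarding it to the AjaxPro endpoint. It fails closed on oversized or malformed bodies and rejects any .NET type hint that is not on an allowlist. The assumption that AjaxPro carries type hints in a "__type" property, the empty allowlist and the size limits are the example's own, not from the advisory.

```python
import json

# Assumption (not from the advisory): AjaxPro JSON carries .NET type hints under "__type".
TYPE_HINT_KEYS = ("__type",)
# Deny by default; add only the types the GetStoreWarehouseByStore method genuinely needs.
ALLOWED_TYPES: set[str] = set()
MAX_BODY_BYTES = 4096   # constructed limit; legitimate calls to this method are small
MAX_DEPTH = 32          # bound recursion so a deeply nested body cannot exhaust the stack


def collect_type_hints(node, depth: int = 0) -> list[str]:
    """Return every type-hint string found anywhere in a parsed JSON document."""
    if depth > MAX_DEPTH:
        raise ValueError("JSON nesting too deep")
    found: list[str] = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key in TYPE_HINT_KEYS and isinstance(value, str):
                found.append(value)
            found.extend(collect_type_hints(value, depth + 1))
    elif isinstance(node, list):
        for item in node:
            found.extend(collect_type_hints(item, depth + 1))
    return found


def inspect_ajaxpro_body(raw: bytes) -> tuple[bool, str]:
    """Return (allowed, reason); anything that is not plainly benign is rejected."""
    if len(raw) > MAX_BODY_BYTES:
        return False, f"body of {len(raw)} bytes exceeds {MAX_BODY_BYTES}"
    try:
        doc = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        return False, f"malformed JSON: {exc}"
    try:
        hints = collect_type_hints(doc)
    except ValueError as exc:
        return False, str(exc)
    # A hint may read "Namespace.Type, Assembly"; compare on the type name only.
    disallowed = [h for h in hints if h.split(",")[0].strip() not in ALLOWED_TYPES]
    if disallowed:
        return False, "disallowed .NET type hint(s): " + ", ".join(disallowed)
    return True, "ok"
```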
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.