CVE-2023-7334 CRITICAL

CVE-2023-7334: Changjetong T+ <= 16.x GetStoreWarehouseByStore Deserialization RCE

Vendor Changjetong Information Technology Co., Ltd.

Product T+

Weakness CWE-502 · Unsafe deserialization

Published January 15, 2026

Last update May 14, 2026

View on NVD All CVEs

CVSS base score

9.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Changjetong T+ versions up to and including 16.x contain a .NET deserialization vulnerability in an AjaxPro endpoint that can lead to remote code execution. A remote attacker can send a crafted request to /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore with a malicious JSON body that leverages deserialization of attacker-controlled .NET types to invoke arbitrary methods such as System.Diagnostics.Process.Start. This can result in execution of arbitrary commands in the context of the T+ application service account. Exploitation evidence was observed by the Shadowserver Foundation as early as 2023-08-19 (UTC).

Key dates

02Disclosure timeline

January 15, 2026 CVE published

May 14, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-7334

Related vulnerabilities

Identifiers

CVE CVE-2023-7334

CWE CWE-502

CVSS 9.3 / CRITICAL

Affected versions