Changjetong T+ versions up to and including 16.x contain a .NET deserialization vulnerability in an AjaxPro endpoint that can lead to remote code execution. A remote attacker can send a crafted request to /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore with a malicious JSON body that leverages deserialization of attacker-controlled .NET types to invoke arbitrary methods such as System.Diagnostics.Process.Start. This can result in execution of arbitrary commands in the context of the T+ application service account. Exploitation evidence was observed by the Shadowserver Foundation as early as 2023-08-19 (UTC).
Security readout for executives and security teams
Plain-English summary
Changjetong T+ has a critical remote code execution flaw in versions described as up to 16.x. An unauthenticated remote attacker could make the application deserialize malicious data and run commands as the T+ service account. This creates high business risk where T+ is exposed to untrusted networks.
Executive priority
Treat this as urgent for any exposed Changjetong T+ deployment. The flaw is unauthenticated, network-reachable, rated critical, and has public exploit material. Prioritize inventory, exposure reduction, and vendor-supported patching.
Technical view
The bundle describes CWE-502 .NET deserialization in a Changjetong T+ AjaxPro endpoint, affecting T+ through 16.x. Crafted JSON can cause attacker-controlled .NET type handling and arbitrary method invocation, leading to command execution under the application service context. Structured affected-version data is incomplete.
Likely exposure
Exposure is most likely for organizations running Changjetong T+ versions up to 16.x, especially if T+ web endpoints are reachable from the internet or partner networks. The bundle lacks complete CPE and exact fixed-version detail, so inventory confirmation is required.
Exploitation context
The bundle says Shadowserver observed exploitation evidence as early as 2023-08-19 and lists public exploit writeups and a PoC reference. It also says KEV is false, so this analysis does not claim current CISA-confirmed active exploitation.
Researcher notes
Avoid relying only on CVE structured affected data because the bundle’s version field is incomplete. The narrative states T+ through 16.x. Validate exposure through deployed version, endpoint reachability, logs, and vendor release information. Do not infer a fixed version not named in sources.
Mitigation direction
Check Changjetong or Chanjet vendor guidance and apply the supported T+ fix.
Identify and upgrade or retire T+ deployments described as up to 16.x.
Restrict untrusted network access to T+ web endpoints while remediation is pending.
Review service account privileges used by T+ and reduce unnecessary rights.
Increase monitoring for suspicious T+ web requests and child process activity.
Validation and detection
Confirm whether Changjetong T+ is deployed and record exact product versions.
Check whether T+ web endpoints are internet-facing or reachable from untrusted networks.
Review vendor release notes for the applicable patched build or mitigation.
Inspect logs for suspicious requests to the referenced AjaxPro functionality.
Look for unexpected processes spawned by the T+ application service account.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-502: Code execution behavior lookup
Code execution and unsafe deserialization weaknesses often justify reviewing execution behavior and process telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
1CVSS vectors
3Timeline events
1ADP providers
7Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: pocAutomatable: yesTechnical Impact: total
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-502 · source CWE mapping
Deserialization of Untrusted Data
Deserialization of Untrusted Data represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.