hAX.zip Info

Look for unusual ZIP extractions in system logs or the presence of .jsp files in unexpected directories like /OA_HTML/.

hAX.zip typically includes a simple JSP script that accepts commands via HTTP parameters (e.g., cmd.jsp?cmd=whoami).

Oracle CVE-2022-21587 Technical Analysis - Zybnev Sergey

Once decoded, the resulting ZIP file is extracted by the server.