Hax.zip Apr 2026
Look for unusual ZIP extractions in system logs or the presence of .jsp files in unexpected directories like /OA_HTML/.
The vulnerability exists in the BneMultipartRequest class, which handles file uploads for the Oracle Web Applications Desktop Integrator (Web ADI). Arbitrary File Upload leading to RCE.
The ZIP itself is often wrapped in uuencode format to satisfy specific backend processing requirements before it is unzipped.
🛡️ Mitigation and Detection
If you are analyzing this file or its behavior on a server:
The ZIP contains files with paths like ../../../../path/to/shell.jsp to escape the intended upload folder.
Once decoded, the resulting ZIP file is extracted by the server.
Attackers use a specially crafted ZIP file (often named hax.zip in security write-ups) to bypass directory restrictions. Mechanism: The system accepts a uuencoded file.
Security researchers often structure this ZIP file to exploit the extraction process:
Ensure Oracle E-Business Suite is patched against CVE-2022-21587.
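A pre-extraction check for the archive structure described above, as an added example that is not from the original page or from Oracle: it decodes a uuencoded upload and flags entries that would land outside the extraction directory or that are .jsp files. The function names, the /upload/tmp destination and the sample archive are assumptions constructed for illustration.

```python
import binascii
import io
import posixpath
import zipfile

SCRIPT_EXTS = (".jsp", ".jspx")  # assumption: extensions the app server executes

def uudecode(text: bytes) -> bytes:
    """Decode the data lines between the 'begin' header and 'end'."""
    out, started = bytearray(), False
    for line in text.splitlines():
        if not started:
            started = line.startswith(b"begin ")
        elif line.strip() == b"end":
            break
        elif line.strip():
            out += binascii.a2b_uu(line)
    return bytes(out)

def audit_zip(data: bytes, dest: str = "/upload/tmp") -> list:
    """Return (entry, reason) pairs; any finding should block extraction."""
    root = dest.rstrip("/")
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            norm = name.replace("\\", "/")
            # Resolve the entry against the destination without touching disk.
            target = posixpath.normpath(posixpath.join(root, norm))
            if target != root and not target.startswith(root + "/"):
                findings.append((name, "escapes extraction directory"))
            if norm.lower().endswith(SCRIPT_EXTS):
                findings.append((name, "server-side script in upload"))
    return findings

def build_sample() -> bytes:
    """Constructed sample: uuencoded ZIP, one benign and one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", "ok")
        zf.writestr("../../../../path/to/shell.jsp", "placeholder text")
    raw = buf.getvalue()
    body = b"".join(binascii.b2a_uu(raw[i:i + 45]) for i in range(0, len(raw), 45))
    return b"begin 644 sample.zip\n" + body + b"`\nend\n"

if __name__ == "__main__":
    for entry, reason in audit_zip(uudecode(build_sample())):
        print(f"BLOCK {entry}: {reason}")
```

The check runs entirely on the archive's central directory, so it can be applied to a quarantined upload before anything is written to disk.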