Skip to main content
Skip to main content
Microsoft Security Intelligence
Published Nov 08, 2021 | Updated Nov 09, 2021


Detected by Microsoft Defender Antivirus

Aliases: No associated aliases


Microsoft Defender Antivirus detects and removes this threat.

Threat actors exploit the CVE-2021-40539 vulnerability to compromise systems running the ZOHO ManageEngine ADSelfService Plus software.

Threat actors could take control of the target device and perform several activities including credential dumping, installing custom binaries, and dropping malware, such as a custom IIS module and the Zebracon trojan, to maintain persistence and move laterally within the network.

Read the following Microsoft Security blog for more information:

Microsoft Defender Antivirus  automatically removes threats as they are detected. If you have cloud-delivered protection, your device gets the latest defenses against new and unknown threats. If you don't have this feature enabled, update your antimalware definitions and run a full scan to remove this threat.

Microsoft 365 Defender correlates any related alerts into incidents to help customers determine if the observed alerts are related to this activity, and to get an overview of the attack story. Customers using the Microsoft 365 Defender portal can view, investigate, and respond to incidents that include any detections related to this activity. Additionally, Threat and Vulnerability Management (TVM) in Microsoft 365 Defender supports insights related to CVE-2021-40539. Microsoft 365 Defender customers can find any affected devices in their environment and initiate the appropriate version update of the ManageEngine software.

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

Follow us