A security vulnerability exists in ZOHO ManageEngine ADSelfService Plus, ZOHO’s integrated self-service password management and single sign-on solution for Active Directory and cloud applications. Build 6116 of ManageEngine ADSelfService Plus contains an observable response discrepancy in the UMCP operation of ChangePasswordAPI. A remote, unauthenticated attacker could use this discrepancy to determine whether a Windows domain user exists.