Monday, July 21, 2025

ExpressVPN bug leaked user IPs in Remote Desktop sessions

ExpressVPN has fixed a flaw in its Windows client that caused Remote Desktop Protocol (RDP) traffic to bypass the virtual private network (VPN) tunnel, exposing the users’ real IP addresses.

One of the key premises of a VPN is masking a user’s IP address, allowing users to stay anonymous online and, in some cases, bypass censorship. Failing to do so is a severe technical failure for a VPN product.

ExpressVPN is a leading VPN service provider, consistently rated among the top VPN services, and used by millions worldwide. It uses RAM-only servers that do not retain user data and adheres to an audited no-logs policy.

On April 25, 2025, a security researcher known as “Adam-X” reported a vulnerability through ExpressVPN’s bug bounty program that exposed RDP and other TCP traffic transmitted over port 3389.

Upon investigating, the ExpressVPN team found that the issue was caused by remnants of debug code used for internal testing being mistakenly included in production builds, specifically, from 12.97 (released four months ago) to 12.101.0.2-beta.

“If a user established a connection using RDP, that traffic might bypass the VPN tunnel,” reported ExpressVPN in an announcement.

“This didn’t affect encryption, but it meant that traffic from RDP connections wasn’t routed through ExpressVPN as expected.”

“Consequently, an observer, like an ISP or someone on the same network, might have seen not only that the user was connected to ExpressVPN, but also that they were accessing specific remote servers over RDP—information that would usually be protected.”

A patch was made available with ExpressVPN version 12.101.0.45, released on June 18, 2025.

The privacy firm notes that the security lapse did not compromise encryption on the tunnels, and the leak scenarios only affect those using Remote Desktop Protocol (RDP), which they consider to be low-risk for their customers.

“As mentioned above, in practice, this issue would mostly have affected users actively using RDP—a protocol that is usually not used by typical consumers,” reads ExpressVPN’s advisory.

“Given that ExpressVPN’s user base is made up predominantly of individual users rather than enterprise customers, the number of affected users is likely small.”

RDP is a Microsoft network protocol that enables users to remotely control Windows systems over a network, used by IT administrators, remote workers, and enterprises.

Nonetheless, it is recommended that users upgrade their Windows clients to version 12.101.0.45 for maximum protection.
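
A defender-side check for the leak described above, as an added example (not code from ExpressVPN or the original article): it parses Windows `netstat -ano -p tcp` output and flags established connections to TCP port 3389 on non-local addresses whose local address is not the VPN tunnel's. The sample output, the tunnel address `10.8.0.2` and the function names are constructed assumptions, as is the premise that bypassing traffic carries the physical adapter's address as its local address.

```python
import ipaddress
import re

# Constructed sample of Windows `netstat -ano -p tcp` output (not from the article).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    10.8.0.2:50111         198.51.100.7:443       ESTABLISHED     2040
  TCP    192.168.1.23:50122     203.0.113.10:3389      ESTABLISHED     4321
  TCP    10.8.0.2:50130         203.0.113.44:3389      ESTABLISHED     4321
  TCP    192.168.1.23:50140     192.168.1.50:3389      ESTABLISHED     5000
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1100
"""

# Peers normally reached outside the tunnel by design (LAN, loopback, link-local).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

def _ip(text):
    # netstat prints IPv6 as [addr%zone]; strip the brackets and zone id.
    return ipaddress.ip_address(text.strip("[]").split("%")[0])

def find_rdp_leaks(netstat_text, tunnel_addrs, port=3389):
    """Return (local, remote, pid) for established connections to `port` on a
    non-local address whose local address is not one of the tunnel addresses."""
    tunnel = {ipaddress.ip_address(a) for a in tunnel_addrs}
    leaks = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header or non-TCP row
        local, _, remote, rport, state, pid = m.groups()
        if state != "ESTABLISHED" or int(rport) != port:
            continue
        if any(_ip(remote) in net for net in LOCAL_NETS):
            continue  # local peers are not expected to use the tunnel
        if _ip(local) not in tunnel:
            leaks.append((local, remote, int(pid)))
    return leaks

if __name__ == "__main__":
    for local, remote, pid in find_rdp_leaks(SAMPLE_NETSTAT, ["10.8.0.2"]):
        print(f"RDP outside tunnel: {local} -> {remote} (pid {pid})")
```

Run it while the VPN is connected and an RDP session is open, passing the tunnel adapter's address; an empty result means every RDP connection to a non-local host is bound to the tunnel.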

ExpressVPN states that it will strengthen its internal build checks to prevent similar bugs from being introduced in production in the future, including enhanced automation in development testing.

Last year, ExpressVPN faced another issue causing DNS request leaks when users enabled the ‘split tunneling’ feature on the Windows client.

The feature was temporarily disabled until a fix was implemented in a future release.
