ExpressVPN has mounted a flaw in its Home windows consumer that precipitated Distant Desktop Protocol (RDP) visitors to bypass the digital personal community (VPN) tunnel, exposing the customers’ actual IP addresses.
One of many key premises of a VPN is masking a consumer’s IP deal with, permitting customers to remain nameless on-line, and in some instances, bypass censorship. Failing to take action is a extreme technical failure for a VPN product.
ExpressVPN is a number one VPN service supplier, constantly rated among the many high VPN companies, and utilized by thousands and thousands worldwide. It makes use of RAM-only servers that do not retain consumer knowledge and adheres to an audited no-logs coverage.
On April 25, 2025, a safety researcher referred to as “Adam-X” reported a vulnerability by way of ExpressVPN’s bug bounty program that uncovered RDP and different TCP visitors transmitted over port 3389.
Upon investigating, the ExpressVPN staff discovered that the problem was brought on by remnants of debug code used for inner testing being mistakenly included in manufacturing builds, particularly, from 12.97 (launched 4 months in the past) to 12.101.0.2-beta.
“If a consumer established a connection utilizing RDP, that visitors might bypass the VPN tunnel,” reported ExpressVPN in an announcement.
“This didn’t have an effect on encryption, however it meant that visitors from RDP connections wasn’t routed by way of ExpressVPN as anticipated.”
“In consequence, an observer, like an ISP or somebody on the identical community, might have seen not solely that the consumer was related to ExpressVPN, but additionally that they have been accessing particular distant servers over RDP—info that may usually be protected.”
A patch was made accessible with ExpressVPN model 12.101.0.45, launched on June 18, 2025.
The privateness agency notes that the safety lapse didn’t compromise encryption on the tunnels, and the leak eventualities solely have an effect on these utilizing Distant Desktop Protocol (RDP), which they take into account to be low-risk for his or her clients.
“As talked about above, in apply, this concern would mostly have affected customers actively utilizing RDP—a protocol that is usually not utilized by typical shoppers,” reads ExpressVPN’s advisory.
“On condition that ExpressVPN’s consumer base is made up predominantly of particular person customers moderately than enterprise clients, the variety of affected customers is probably going small.”
RDP is a Microsoft community protocol that allows customers to remotely management Home windows techniques over a community, utilized by IT directors, distant employees, and enterprises.
Nonetheless, it is suggested that customers improve their Home windows purchasers to model 12.101.0.45 for final safety.
ExpressVPN states that it’ll strengthen its inner construct checks to stop comparable bugs from being launched in manufacturing sooner or later, together with enhanced automation in growth testing.
Final yr, ExpressVPN confronted one other concern inflicting DNS request leaks when customers enabled the ‘slipt tunneling’ characteristic on the Home windows consumer.
The characteristic was quickly disabled till a repair was applied in a future launch.
CISOs know that getting board buy-in begins with a transparent, strategic view of how cloud safety drives enterprise worth.
This free, editable board report deck helps safety leaders current threat, affect, and priorities in clear enterprise phrases. Flip safety updates into significant conversations and sooner decision-making within the boardroom.
