ExpressVPN has fixed a flaw in its Windows client that caused Remote Desktop Protocol (RDP) traffic to bypass the virtual private network (VPN) tunnel, exposing the users’ real IP addresses.
One of the key premises of a VPN is masking a user’s IP address, allowing users to stay anonymous online and, in some cases, bypass censorship. Failing to do so is a severe technical failure for a VPN product.
ExpressVPN is a leading VPN service provider, consistently rated among the top VPN services, and used by millions worldwide. It uses RAM-only servers that don't retain user data and adheres to an audited no-logs policy.
On April 25, 2025, a security researcher known as “Adam-X” reported a vulnerability through ExpressVPN’s bug bounty program that exposed RDP and other TCP traffic transmitted over port 3389.
Upon investigating, the ExpressVPN team found that the issue was caused by remnants of debug code used for internal testing being mistakenly included in production builds, specifically from 12.97 (released 4 months ago) to 12.101.0.2-beta.
“If a user established a connection using RDP, that traffic might bypass the VPN tunnel,” reported ExpressVPN in an announcement.
“This didn’t affect encryption, but it meant that traffic from RDP connections wasn’t routed through ExpressVPN as anticipated.”
“As a result, an observer, like an ISP or someone on the same network, might have seen not only that the user was connected to ExpressVPN, but also that they were accessing specific remote servers over RDP—information that would usually be protected.”
A patch was made available with ExpressVPN version 12.101.0.45, released on June 18, 2025.
The privacy firm notes that the security lapse didn’t compromise encryption on the tunnels, and the leak scenarios only affect those using Remote Desktop Protocol (RDP), which it considers to be low-risk for its customers.
“As mentioned above, in practice, this issue would mostly have affected users actively using RDP—a protocol that is typically not used by typical users,” reads ExpressVPN’s advisory.
“Given that ExpressVPN’s user base is made up predominantly of individual users rather than enterprise customers, the number of affected users is likely small.”
RDP is a Microsoft network protocol that allows users to remotely control Windows systems over a network, used by IT administrators, remote workers, and enterprises.
Nonetheless, it is recommended that users upgrade their Windows clients to version 12.101.0.45 for the best security.
ExpressVPN states that it will strengthen its internal build checks to prevent similar bugs from being released in production in the future, including enhanced automation in development testing.
Last year, ExpressVPN faced another issue causing DNS request leaks when users enabled the ‘split tunneling’ feature on the Windows client.
The feature was temporarily disabled until a fix was implemented in a future release.