ExpressVPN has fixed a flaw in its Windows client that caused Remote Desktop Protocol (RDP) traffic to bypass the virtual private network (VPN) tunnel, exposing the user’s real IP address.
One of the key functions of a VPN is to mask users’ IP addresses and allow users to remain anonymous online and, in some cases, to bypass censorship. Failing to do so is a serious technical failing for a VPN product.
ExpressVPN is a leading VPN service provider, consistently recognized among the top VPN services and used by millions of people around the world. It uses RAM-only servers that do not retain user data and adheres to audited no-logs policies.
On April 25, 2025, a security researcher known as “Adam-X” reported the vulnerability through ExpressVPN’s bug bounty program. The flaw exposed RDP and other TCP traffic sent to port 3389.
Upon investigation, the ExpressVPN team found that the issue was caused by the accidental inclusion in production builds of leftover debug code used for internal testing, specifically in versions 12.97 (four months ago) through 12.101.0.2 beta.
“If a user establishes a connection using RDP, that traffic might bypass the VPN tunnel,” ExpressVPN said in its announcement.
“This had no impact on encryption, but it meant that traffic from the RDP connection was not routed through ExpressVPN as expected.”
“As a result, observers like ISPs or someone on the same network might have seen that users were not only connected to ExpressVPN, but also accessing a specific remote server via RDP.”
The patch is now available in ExpressVPN version 12.101.0.45, released on June 18, 2025.
The privacy company believes that the security lapse does not undermine tunnel encryption, that the leak affects only scenarios using Remote Desktop Protocol (RDP), and that it is low risk for customers.
“As mentioned above, in practice, this issue will positively affect users using RDP, a protocol not commonly used by typical consumers,” the ExpressVPN advisory reads.
“Given ExpressVPN’s user base is primarily made up of individual users rather than enterprise customers, the number of users affected could be small.”
RDP is a Microsoft network protocol that allows users to remotely control Windows systems over a network. It is used by IT administrators, remote workers, and businesses.
Nevertheless, users are encouraged to upgrade their Windows client to version 12.101.0.45 for maximum protection.
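A check for the leak described above, as an added example that is not from ExpressVPN or the original article: it scans Windows `netstat -n` output for established connections to TCP port 3389 whose local address is not the tunnel's. The sample output, the tunnel address 10.8.0.2, the `local_nets` parameter, and the premise that tunnelled sockets are bound to the VPN adapter's address are assumptions made for illustration.

```python
import ipaddress

# Constructed sample of Windows `netstat -n -p TCP` output (not from the advisory).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    10.8.0.2:50112         203.0.113.10:443       ESTABLISHED
  TCP    192.168.1.23:50113     198.51.100.7:3389      ESTABLISHED
  TCP    10.8.0.2:50114         198.51.100.8:3389      ESTABLISHED
  TCP    192.168.1.23:50115     192.168.1.50:3389      ESTABLISHED
  TCP    192.168.1.23:50116     198.51.100.9:3389      TIME_WAIT
  TCP    [2001:db8::23]:50117   [2001:db8:1::9]:3389   ESTABLISHED
"""


def split_endpoint(endpoint):
    """Split 'ip:port' or '[ipv6%zone]:port' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]").split("%")[0]), int(port)


def find_port_leaks(netstat_text, tunnel_ip, port=3389, local_nets=()):
    """Return (local, remote) endpoint strings for ESTABLISHED connections to
    `port` whose local address is not the tunnel address.

    Assumption: sockets routed through the VPN are bound to the tunnel
    adapter's address. `local_nets` lists networks (e.g. the LAN) that are
    expected to be reached outside the tunnel and are not reported.
    """
    tunnel = ipaddress.ip_address(tunnel_ip)
    allowed = [ipaddress.ip_network(n) for n in local_nets]
    leaks = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "TCP" or fields[3] != "ESTABLISHED":
            continue
        try:
            local_ip, _ = split_endpoint(fields[1])
            remote_ip, remote_port = split_endpoint(fields[2])
        except ValueError:
            continue  # malformed row
        if remote_port != port or local_ip == tunnel:
            continue
        if any(remote_ip in net for net in allowed):
            continue  # expected direct traffic, e.g. RDP to a LAN host
        leaks.append((fields[1], fields[2]))
    return leaks


if __name__ == "__main__":
    for local, remote in find_port_leaks(SAMPLE_NETSTAT, "10.8.0.2",
                                         local_nets=["192.168.1.0/24"]):
        print(f"outside tunnel: {local} -> {remote}")
```

On a live system, feed it the text of `netstat -n -p TCP` taken while the VPN is connected and pass the address assigned to the VPN adapter as `tunnel_ip`.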
ExpressVPN says it will improve its internal build checks to prevent similar bugs from being released to production in the future, including enhanced automation in development testing.
Last year, ExpressVPN faced another issue that caused DNS requests to leak when users enabled the “Split Tunneling” feature on Windows clients.
This feature was temporarily disabled until a fix was implemented in a future release.