
A debug configuration error in recent ExpressVPN Windows builds allowed Remote Desktop Protocol (RDP) traffic to bypass the VPN tunnel, potentially exposing users’ real IP addresses.
While the issue impacted a narrow subset of users under specific conditions, ExpressVPN has issued a patch and strengthened internal processes to prevent recurrence.
The flaw was initially reported on April 25, 2025, by independent security researcher “Adam-X” via ExpressVPN’s bug bounty platform. According to the company's announcement, the researcher discovered that TCP traffic on port 3389, commonly used for RDP, was not consistently routed through the VPN tunnel in certain app versions. The leak occurred in builds 12.97 through 12.101.0.2-beta due to leftover debug code inadvertently shipped with production releases. ExpressVPN triaged and confirmed the issue within hours of receiving the report.
The vulnerability allowed RDP sessions, and any other TCP traffic on port 3389, to bypass the VPN tunnel and reach their destination directly from the user's real address. The tunnel's encryption was not broken; the affected traffic simply never entered it. RDP sessions are encrypted by the protocol itself, so session content was not exposed, but the destination server and any observer on the path could see the user's real IP address and which remote hosts were being reached. That undermines a core expectation of VPN use: hiding the origin and destination of traffic from the network, even when the payload itself is encrypted.
ExpressVPN, a major player in the privacy-focused VPN space known for its strong stance on user anonymity and security, pushed a fix just five days later in version 12.101.0.45. The patch has now been distributed through all update channels. Adam-X verified the effectiveness of the fix, and the issue was formally closed by the end of June.
While most of ExpressVPN's customer base comprises individual users rather than enterprise environments where RDP is common, the company acknowledged that any traffic leak, however edge-case, violates its privacy standards. The theoretical risk extended beyond RDP: the bypass was keyed on the port, not the protocol, so an attacker who knew about it only needed to make the victim's machine open a TCP connection to port 3389 on a server they controlled, for example via an image or script URL on a malicious or compromised web page that points at the attacker's host on that port, and the connection would arrive from the user's real IP address. Still, ExpressVPN believes real-world exploitation was extremely unlikely.
The company has reinforced its internal release procedures to prevent similar oversights. This includes improving automated build checks, tightening detection for test code, and further isolating debug features from production pipelines. These measures are aimed at ensuring no remnants of internal testing configurations make it into software released to end users.
Users running ExpressVPN on Windows are advised to update to version 12.101.0.45 or newer to ensure proper tunnel handling and full privacy protection. While the bug's exploitability was limited, it serves as a reminder that even minor code slipups can lead to unexpected privacy exposures in software built for anonymity.
Users concerned about leaks should keep the VPN's “Network Lock” kill switch enabled, with one caveat: a kill switch is designed to block traffic when the tunnel drops, not to catch traffic the client itself exempts from the tunnel while connected, so it is not a substitute for installing the update. Verifying that connections on TCP port 3389 leave from the VPN adapter's address, rather than the physical interface, is the direct check for this class of bug. Keeping VPN apps and operating systems updated remains a foundational security practice.
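The following PowerShell script is an added example for performing that check on a Windows machine; it is not ExpressVPN's code and was not part of the original advisory. It opens real TCP connections to a probe host on a control port (443) and on the suspect port (3389), reads back the local source address the operating system actually used for each flow, and compares those against the IPv4 addresses assigned to the VPN adapter. The adapter alias pattern `ExpressVPN*` and the probe host name `probe.example.net` are assumptions; adjust them to your adapter (see `Get-NetAdapter`) and to a host you control that listens on both ports.

```powershell
# Added example (not ExpressVPN's code): detect a port-selective tunnel bypass
# by comparing the local source address of real TCP connections on a control
# port and on TCP/3389 with the addresses assigned to the VPN adapter.
#
# Assumptions (not from the article): the VPN adapter's InterfaceAlias matches
# the -VpnAdapterPattern wildcard (inspect with Get-NetAdapter), and the probe
# host accepts TCP connections on both ports. A host you control is ideal,
# because its connection log independently shows which IP actually arrived.

function Get-OutboundSourceAddress {
    param(
        [Parameter(Mandatory)] [string] $RemoteHost,
        [Parameter(Mandatory)] [int]    $Port,
        [int] $TimeoutMs = 3000
    )
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $connect = $client.ConnectAsync($RemoteHost, $Port)
        if (-not $connect.Wait($TimeoutMs)) {
            throw "TCP connect to ${RemoteHost}:${Port} timed out"
        }
        # The socket's local endpoint is what the OS actually used for this
        # flow. That is more trustworthy than a route-table lookup when a
        # driver or filter rewrites the path for specific ports only.
        return $client.Client.LocalEndPoint.Address.ToString()
    }
    finally {
        $client.Dispose()
    }
}

function Test-VpnPortLeak {
    param(
        [Parameter(Mandatory)] [string] $RemoteHost,
        [int]    $SuspectPort       = 3389,
        [int]    $ControlPort       = 443,
        [string] $VpnAdapterPattern = 'ExpressVPN*'   # assumption: adjust to your adapter alias
    )
    # IPv4 addresses currently bound to the VPN adapter(s).
    $vpnAddrs = Get-NetIPAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Where-Object { $_.InterfaceAlias -like $VpnAdapterPattern } |
        Select-Object -ExpandProperty IPAddress
    if (-not $vpnAddrs) {
        throw "No IPv4 address on an adapter matching '$VpnAdapterPattern'; is the VPN connected?"
    }

    # Probe the control port first, then the suspect port, against the same host.
    $results = foreach ($port in @($ControlPort, $SuspectPort)) {
        $src = Get-OutboundSourceAddress -RemoteHost $RemoteHost -Port $port
        [pscustomobject]@{
            Port          = $port
            SourceAddress = $src
            ViaVpn        = ($vpnAddrs -contains $src)
        }
    }

    $results | Format-Table -AutoSize | Out-String | Write-Host

    # A leak of the kind described in the article shows up as the control port
    # leaving via the VPN address while 3389 leaves via the physical adapter.
    $leaking = $results | Where-Object { -not $_.ViaVpn }
    if ($leaking) {
        Write-Warning ("Traffic to port(s) {0} left via a non-VPN address; tunnel bypass detected." -f
            (($leaking.Port) -join ', '))
        return $false
    }
    Write-Host "All probed ports exited through the VPN adapter."
    return $true
}

# Example use (hypothetical host you control, listening on TCP 443 and 3389):
# Test-VpnPortLeak -RemoteHost 'probe.example.net'
```

Both connections must complete for the check to be conclusive, which is why the probe host should be one you run yourself with listeners on both ports; its own connection log then gives an independent view of the source IP that arrived. Run the check once with the VPN connected and, after updating, repeat it: on an affected build the port 3389 row reports the physical adapter's address while port 443 reports the VPN address.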