ExpressVPN Releases Urgent Update After Identified Security Flaw in Windows App

Recently, a security researcher brought to light a vulnerability in ExpressVPN’s Windows application—a reminder that even the most trusted security solutions require ongoing scrutiny and rapid response. In a swift move, ExpressVPN has issued an important update to address the issue and reinforce user privacy.

Vulnerability

The vulnerability was found in certain versions of ExpressVPN’s Windows desktop client—specifically versions 12.97 through 12.101.0.2-beta. The problem, first reported by security researchers through ExpressVPN’s bug bounty program, stemmed from debug code that was mistakenly included in the production releases. This debug code affected how network traffic was routed when users employed Remote Desktop Protocol (RDP) or other TCP traffic over port 3389.

Under normal circumstances, VPNs are designed to secure all user traffic by routing it through an encrypted tunnel. However, due to this bug, traffic over port 3389 could bypass the VPN tunnel, potentially exposing the user’s real IP address and the remote server they were connecting to. It didn’t weaken encryption or reveal browsing activity, but it could have allowed an observer such as an ISP or someone on the same network to identify a user’s true IP address and the destination of their RDP connections.

The patch was released as version 12.101.0.45, which removed the debug code and ensured all traffic was correctly routed through the VPN tunnel. To update, visit ExpressVPN’s Downloads page, or look for the banner at the top of the application, which appears when an update is available.
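As an added example (not code from ExpressVPN or from the original article), the Python sketch below checks a client version string against the affected range given above and scans `netstat -an` style output for TCP flows to port 3389 whose local address is not the VPN tunnel address. The sample output, the tunnel address `10.8.0.6` and the function names are constructed for illustration, and it assumes a flow that bypasses the tunnel shows the physical adapter's address as its local address.

```python
import re

# Affected range as stated in the article: 12.97 through 12.101.0.2-beta.
AFFECTED_MIN = (12, 97, 0, 0)
AFFECTED_MAX = (12, 101, 0, 2)
RDP_PORT = 3389

def parse_version(text):
    """Turn '12.101.0.2-beta' into (12, 101, 0, 2); the suffix is ignored."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    return tuple(nums + [0] * (4 - len(nums)))[:4]

def is_affected(version):
    """True if the version falls inside the affected range from the article."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX

def rdp_outside_tunnel(netstat_text, tunnel_ip):
    """Return (local, remote) pairs for TCP flows to port 3389 not bound to tunnel_ip."""
    leaks = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "TCP":
            continue  # skip headers, UDP rows and blank lines
        local, remote = fields[1], fields[2]
        local_host = local.rsplit(":", 1)[0]
        remote_port = remote.rsplit(":", 1)[1]
        if remote_port == str(RDP_PORT) and local_host != tunnel_ip:
            leaks.append((local, remote))
    return leaks

# Constructed sample output; addresses are documentation/private ranges.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    10.8.0.6:51502         198.51.100.20:443      ESTABLISHED
  TCP    192.168.1.23:51544     203.0.113.10:3389      ESTABLISHED
  TCP    10.8.0.6:51560         203.0.113.11:3389      ESTABLISHED
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
"""

if __name__ == "__main__":
    for v in ("12.97", "12.101.0.2-beta", "12.101.0.45"):
        print(v, "affected" if is_affected(v) else "not affected")
    for local, remote in rdp_outside_tunnel(SAMPLE, "10.8.0.6"):
        print("port 3389 flow outside tunnel:", local, "->", remote)
```
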

For most users, especially individual consumers, the likelihood of this vulnerability being exploited is extremely low. The flaw primarily affected enterprise users employing RDP, a protocol more common in business environments. Exploiting it would require targeted knowledge of the vulnerability, along with specific conditions—such as tricking someone into triggering traffic over port 3389 or visiting malicious sites designed to exploit this port.

Importantly, while the bug could have revealed a user’s real IP address, it did not compromise any browsing activity or the encryption of the data itself.

To prevent similar vulnerabilities in the future, ExpressVPN is enhancing its development processes, including implementing more robust automated tests to catch debug or test code before it reaches production, reducing the risk of human error, and improving internal safeguards to ensure only secure code is deployed.

As always, staying vigilant and promptly applying updates is your best defense in the evolving landscape of cybersecurity. Read ExpressVPN’s blog post for more information on the findings and fixes.

