ExpressVPN Windows Client Flaw Could Expose User Information

ExpressVPN disclosed a vulnerability in its Windows desktop client that, under specific circumstances, could have permitted the leakage of user connection details.

The flaw was discovered by security researcher Adam-X through ExpressVPN’s bug bounty program and pertains to Remote Desktop Protocol (RDP) and other TCP traffic routed over port 3389.

Although the bug did not compromise encryption, it risked revealing the user’s true IP address and the fact of an RDP connection to on-network observers or internet service providers.

ExpressVPN engineers traced the problem to debug code, originally intended for internal testing, which had inadvertently shipped in production builds of the Version 12 Windows client (specifically between releases 12.97 and 12.101.0.2-beta).

This debug routine failed to route TCP port 3389 traffic through the VPN tunnel as designed, allowing such connections to bypass ExpressVPN’s encrypted pathways.

Users engaging in RDP sessions to remote servers or sending any TCP traffic over port 3389 would therefore appear to connect directly, rather than through the protected VPN interface.
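The flaw described above has a simple observable symptom: a connection to remote port 3389 that is sourced from the physical adapter's address rather than the tunnel adapter's address is bypassing the VPN. The following PowerShell check is an added example (not ExpressVPN's code) that lists established TCP connections to port 3389 and reports whether each one is bound to an address on the VPN tunnel interface; the interface alias `ExpressVPN` is an assumption and should be replaced with whatever `Get-NetAdapter` shows for your VPN adapter.

```powershell
# Added example (not ExpressVPN's code): report whether established TCP connections to
# remote port 3389 are sourced from the VPN tunnel adapter. The interface alias below is
# an assumption; replace it with the alias shown by Get-NetAdapter for your VPN adapter.
param(
    [string]$VpnInterfaceAlias = 'ExpressVPN'   # assumed alias, adjust for your system
)

# Addresses bound to the tunnel adapter. A connection routed through the tunnel is
# sourced from one of these; a connection that bypasses the tunnel is not.
$tunnelAddresses = Get-NetIPAddress -InterfaceAlias $VpnInterfaceAlias -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty IPAddress

if (-not $tunnelAddresses) {
    Write-Warning "No addresses found on interface '$VpnInterfaceAlias'; is the VPN connected?"
}

# Established outbound TCP connections to remote port 3389 (RDP, or any other TCP traffic on that port).
$rdpConnections = Get-NetTCPConnection -RemotePort 3389 -State Established -ErrorAction SilentlyContinue

if (-not $rdpConnections) {
    Write-Output "No established connections to remote port 3389 found."
}

foreach ($conn in $rdpConnections) {
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    $viaTunnel = $tunnelAddresses -contains $conn.LocalAddress

    [PSCustomObject]@{
        Process      = if ($proc) { $proc.ProcessName } else { $conn.OwningProcess }
        LocalAddress = $conn.LocalAddress
        Remote       = "$($conn.RemoteAddress):$($conn.RemotePort)"
        ViaTunnel    = $viaTunnel
        # A connection sourced from a non-tunnel address is leaving the host outside the VPN,
        # which exposes the real IP address to the network path and the ISP.
        Status       = if ($viaTunnel) { 'OK: routed through VPN tunnel' } else { 'LEAK: bypasses VPN tunnel' }
    }
}
```

Run it while an RDP session (for example, `mstsc` to a known host) is open with the VPN connected. On a patched client every row should show `ViaTunnel` as `True`; a `LEAK` row means port 3389 traffic is leaving on the physical interface, which is exactly the behaviour the affected builds exhibited. The check only inspects currently established sockets, so it is a spot check rather than continuous monitoring.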

Upon receiving the report on April 25, ExpressVPN’s security team confirmed and triaged the issue within hours.

By April 30, they had released Version 12.101.0.45 of the Windows client, which removed the errant debug code and restored proper routing of port 3389 traffic through the VPN tunnel.

The fix was rapidly deployed across all official distribution channels, and the researcher verified its effectiveness immediately thereafter.

The report was formally closed at the end of June, marking the successful culmination of what ExpressVPN described as “a swift and thorough response.”

ExpressVPN emphasized that typical consumers are unlikely to have been affected, given that RDP is predominantly used in enterprise or specialized remote-access scenarios.

Moreover, exploiting the flaw would have required an attacker not only to be aware of the bug but also to engineer traffic over port 3389—potentially by tricking a user into visiting a malicious site or commandeering a legitimate webpage for drive-by content delivery.

Even in such targeted attacks, the exposure would have been limited to the user’s real IP address; no decryption of data streams or browsing history was possible.

Despite the narrow scope of impact, ExpressVPN reiterated its commitment to user privacy and security.

The company urged all Windows users to update to the latest client release—now available at expressvpn.com—to benefit from this and other routine improvements.

As VPNs continue to underpin secure remote work and personal privacy online, ExpressVPN’s rapid patch cycle underscores the importance of proactive vulnerability management and responsible disclosure in maintaining trust within the cybersecurity ecosystem.
