ExpressVPN Windows Client Flaw Could Expose User Information

ExpressVPN disclosed a vulnerability in its Windows desktop client that, under specific circumstances, could have permitted the leakage of user connection details.

The flaw was discovered by security researcher Adam-X through ExpressVPN’s bug bounty program and pertains to Remote Desktop Protocol (RDP) and other TCP traffic routed over port 3389.

Although the bug did not compromise encryption, it risked revealing the user’s true IP address and the fact of an RDP connection to on-network observers or internet service providers.

ExpressVPN engineers traced the problem to debug code, originally intended for internal testing, which had inadvertently shipped in production builds of the Version 12 Windows client (specifically between releases 12.97 and 12.101.0.2-beta).

This debug routine failed to route TCP port 3389 traffic through the VPN tunnel as designed, allowing such connections to bypass ExpressVPN’s encrypted pathways.

Users engaging in RDP sessions to remote servers ...