266/68 Wednesday, July 23, 2025
ExpressVPN, one of the world’s leading VPN providers, has released an urgent patch to address a vulnerability in its Windows client software. The issue was discovered when it was found that using the Remote Desktop Protocol (RDP) could cause certain traffic to leak outside the VPN tunnel. This exposed users’ real IP addresses and the remote destination they were connected to-information that should have remained protected within the VPN for privacy. Although the vulnerability did not affect the encryption of the VPN tunnel itself, it represented a serious flaw in anonymity protection.
The flaw was reported on April 25, 2025, by a security researcher known as “Adam-X” through the company’s Bug Bounty program. It was traced back to leftover internal debug code present in public releases-specifically versions 12.97 through 12.101.0.2-beta. This caused traffic over port 3389 (used for RDP) to bypass the VPN tunnel. ExpressVPN released a fix in version 12.101.0.45 on June 18, 2025, and confirmed that only a small number of users were affected, as RDP is generally used by IT administrators or within corporate environments rather than by the average user.
The company stated it has enhanced its internal release validation process, improving development accuracy through automated systems to prevent similar issues in the future. ExpressVPN strongly urges all Windows users to update to the latest version immediately. The company also referenced a similar issue in the past involving DNS request leaks during use of the “split tunneling” feature, which was temporarily disabled and subsequently patched. ExpressVPN reaffirmed its commitment to user privacy, highlighting its strict no-logs policy and RAM-only server infrastructure, which has undergone independent audits.
