After a tip, ExpressVPN updates its Windows app to strengthen protections


As part of our ongoing efforts to ensure ExpressVPN remains the most secure VPN on the market, we continue to invest in identifying and fixing vulnerabilities to keep our users safe.
ExpressVPN’s engineers have deployed a fix to our Version 12 app for Windows, following a tip from a security researcher about how certain Remote Desktop traffic was being routed.
While the issue only affected users under specific conditions—namely, when a Remote Desktop Protocol (RDP) connection was in use or when other TCP traffic was routed over port 3389—we take any risk to user privacy seriously. Version 12.101.0.45 includes a security fix for this issue, along with other general improvements and routine bug fixes.
We recommend all Windows users update to the latest version of our desktop app to ensure they benefit from the most secure and reliable VPN experience available.
What we fixed
With help from our bug bounty community, we identified and fixed an issue in certain recent versions of our Windows app where traffic over TCP port 3389 wasn’t being routed through the VPN tunnel as expected.
The problem was traced to a piece of debug code (originally intended for internal testing) that mistakenly made it into production builds (versions 12.97 to 12.101.0.2-beta). The issue was reported to us on April 25 by a security researcher, Adam-X, through our bug bounty platform. Our team confirmed and triaged the report within hours.
As a result of the bug, if a user established a connection using RDP, that traffic could bypass the VPN tunnel. This did not affect encryption, but it meant that traffic from RDP connections wasn’t routed through ExpressVPN as expected. Consequently, an observer, like an ISP or someone on the same network, could have seen not only that the user was connected to ExpressVPN, but also that they were accessing specific remote servers over RDP—information that would normally be protected.
We released a fix five days later in version 12.101.0.45, and the update has since been rolled out across all distribution channels. The issue was confirmed as resolved by the researcher shortly after release, and the report was formally closed at the end of June. We’re grateful to Adam-X for responsibly disclosing this issue.
While this scenario is uncommon for most users (RDP is primarily used in enterprise environments), we consider any risk to privacy unacceptable.
How likely were you to be affected?
As mentioned above, in practice, this issue would most commonly have affected users actively using RDP—a protocol that’s generally not used by typical consumers. Given that ExpressVPN’s user base is made up predominantly of individual users rather than enterprise customers, the number of affected users is likely small.
For an attacker to actively exploit the issue, they would first need to know about the bug and then find a way to trigger traffic over port 3389. That could mean tricking someone into visiting a malicious site, or compromising a popular website to carry out a drive-by attack while they were connected to the VPN.
Because the leak applied to any TCP traffic sent over port 3389—not just RDP—these kinds of targeted attacks could, in theory, involve loading other types of content (like web requests) over that port to reveal the user’s real IP address. This reflects what the original researcher demonstrated.
Even in those rare cases, the exposure would have been limited to the user’s real IP address. It did not reveal their browsing activity or compromise the encryption of any traffic, including RDP sessions.
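One way a tester can confirm that traffic on a given port really leaves through the tunnel, which is the core of what the researcher's report showed: run a TCP listener on a host you control, connect to it from the VPN client on each port of interest (3389 plus a control port such as 443), and compare the source IP the listener sees with the VPN's egress address. The Python below is an added example, not ExpressVPN's own tooling; for self-containment the listener runs in-process on loopback, and the tunnel and observed IPs used in the demo are constructed values.

```python
"""Per-port VPN egress check: does traffic on port N leave via the tunnel?"""
import socket
import threading
from typing import Dict, Iterable, List

# Ports worth probing: 3389 is the port affected by the bug; 443 is a control
# port that should always egress via the tunnel.
DEFAULT_PORTS = (443, 3389)


def listen_once(port: int, seen: Dict[int, str], ready: threading.Event) -> None:
    """Accept a single TCP connection on `port` and record the peer's source IP.
    In a real check this runs on a host you control; here it runs in-process."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("127.0.0.1", port))
        srv.listen(1)
        ready.set()
        conn, peer = srv.accept()
        conn.close()
        seen[port] = peer[0]


def observe_source_ips(ports: Iterable[int], host: str = "127.0.0.1") -> Dict[int, str]:
    """Connect to `host` on each port and return {port: source IP the listener saw}."""
    seen: Dict[int, str] = {}
    for port in ports:
        ready = threading.Event()
        t = threading.Thread(target=listen_once, args=(port, seen, ready), daemon=True)
        t.start()
        ready.wait(timeout=2)
        with socket.create_connection((host, port), timeout=2):
            pass  # the handshake alone is enough for the listener to see our source IP
        t.join(timeout=2)
    return seen


def find_leaks(observed: Dict[int, str], tunnel_ip: str) -> List[int]:
    """Ports whose observed source IP is not the VPN egress IP are leaking."""
    return sorted(p for p, src in observed.items() if src != tunnel_ip)


if __name__ == "__main__":
    # Constructed observation mirroring the bug: 3389 egresses via the real IP.
    print(find_leaks({443: "203.0.113.10", 3389: "198.51.100.7"}, "203.0.113.10"))
```

Run the listener half on a remote host you control and the connect half from the VPN client; any port returned by find_leaks is bypassing the tunnel.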
How we’re preventing this in future
To make sure this kind of issue doesn’t happen again, we’re strengthening our internal safeguards with more targeted checks to better catch debug code before it can reach production. This includes improving automated tests to flag and remove test settings earlier in development, reducing the chance of human error and helping us deliver even stronger protections for our users.
For more details on our response to this incident, please consult our Support Center.
A word of thanks
ExpressVPN is extremely grateful to our extensive community of customers, beta testers, and experts who take the time to notify us of potential issues or to suggest improvements in our products. We invite anyone interested to join our beta testing program, and we offer a generous bug bounty to security researchers who report problems, no matter how small, that allow us to make our apps safer and better for all our users around the world.