ExpressVPN has fixed a flaw in its Windows client that caused Remote Desktop Protocol (RDP) traffic to bypass the virtual private network (VPN) tunnel, exposing users' real IP addresses.
One of the core premises of a VPN is to mask the user’s IP address, keeping users anonymous online and, in some cases, letting them bypass censorship. Failing to do so is a serious technical failure for a VPN product.
ExpressVPN is a major VPN service provider that is consistently ranked among the top VPN services and is used by millions worldwide. It uses RAM-only servers that do not retain user data and follows an audited no-logs policy.
On April 25, 2025, a security researcher known as “Adam-X” reported a vulnerability through ExpressVPN's bug bounty program, affecting RDP and other TCP traffic sent to port 3389.
On investigating, the ExpressVPN team found that the issue was due to remnants of debug code used for internal testing, which had been accidentally included in production builds, specifically from 12.97 (released four months ago) to 12.101.0.2-bit.
“If a user has established a connection using RDP, the traffic can bypass the VPN tunnel,” ExpressVPN said in an announcement.
“It did not affect encryption, but it meant that traffic from RDP connections was not routed through ExpressVPN as expected.”
“As a result, an observer, such as an ISP or a person on the same network, could have seen not only that the user was associated with ExpressVPN, but also that they were reaching specific remote servers over RDP – which would normally be preserved.”
A patch was provided in ExpressVPN version 12.101.0.45, released on June 18, 2025.
The privacy firm notes that the security lapse did not compromise the encryption of the tunnels, and that the leak scenario affects only those using the Remote Desktop Protocol (RDP), a risk they consider to be low for their customers.
“As mentioned above, in practice, this issue has generally affected users actively using RDP – a protocol that is usually not used by specific consumers,” reads ExpressVPN's advisory.
“Given that the user base of ExpressVPN is mainly composed of individual users rather than enterprise customers, the number of affected users is likely to decrease.”
RDP is a Microsoft network protocol that lets users remotely control Windows systems over a network, and is used by IT administrators, remote workers and enterprises.
Nevertheless, users are advised to upgrade their Windows client to version 12.101.0.45 for full protection.
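One way to check a Windows host for the behaviour described above is to look for connections to port 3389 whose local address does not belong to the VPN adapter. The following is an added example, not code from ExpressVPN or the original article; the tunnel subnet `10.12.0.0/24`, the function name `find_bypassing` and the `netstat -n -p TCP` sample are constructed assumptions, and the check assumes the local address of a connection reflects the interface it leaves through.

```python
import ipaddress
import re

# Constructed `netstat -n -p TCP` output for illustration (not real data).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    10.12.0.6:50211        203.0.113.10:443       ESTABLISHED
  TCP    192.168.1.23:50340     198.51.100.7:3389      ESTABLISHED
  TCP    10.12.0.6:50400        198.51.100.8:3389      ESTABLISHED
  TCP    127.0.0.1:49670        127.0.0.1:3389         ESTABLISHED
  TCP    192.168.1.23:50500     192.168.1.40:3389      SYN_SENT
"""

ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ACTIVE = {"ESTABLISHED", "SYN_SENT"}


def find_bypassing(netstat_text, tunnel_cidr, port=3389):
    """Return connections to `port` whose local address is outside the tunnel."""
    tunnel = ipaddress.ip_network(tunnel_cidr)  # assumed VPN adapter subnet
    findings = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, blank line, or non-TCP row
        local, _lport, remote, rport, state = m.groups()
        if int(rport) != port or state not in ACTIVE:
            continue
        try:
            lip = ipaddress.ip_address(local.strip("[]"))
            rip = ipaddress.ip_address(remote.strip("[]"))
        except ValueError:
            continue  # unparsable address column
        if rip.is_loopback or lip in tunnel:
            continue  # local-only, or sourced from the tunnel adapter
        findings.append({
            "local": str(lip),
            "remote": str(rip),
            "state": state,
            # LAN destinations may be intentionally left outside the tunnel.
            "remote_is_lan": any(rip in net for net in RFC1918),
        })
    return findings


if __name__ == "__main__":
    for finding in find_bypassing(SAMPLE_NETSTAT, "10.12.0.0/24"):
        print(finding)
```

Findings with `remote_is_lan` set to false are the ones that matter for the exposure described in the advisory, since they leave the local network outside the tunnel.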
ExpressVPN says it will strengthen its internal build checks to prevent similar bugs from reaching production in the future, including increased automation in development testing.
Last year, ExpressVPN faced another issue that leaked DNS requests when users enabled the ‘split tunneling’ feature on the Windows client.
The feature was temporarily disabled until a fix was implemented in a future release.