ExpressVPN has alerted users of a security issue in its Windows application that allowed certain Remote Desktop Protocol (RDP) traffic to bypass the VPN tunnel, potentially exposing users’ IP addresses. This vulnerability primarily affected TCP traffic routed over port 3389, the standard port for RDP connections, which are often used in enterprise environments rather than by typical consumers.
The issue was discovered after a tip from a security researcher, prompting ExpressVPN’s engineers to release an urgent fix. According to the company, “following a tip from a security researcher about how certain Remote Desktop traffic was being routed,” they deployed a security update to their Version 12 Windows app. This update, Version 12.101.0.45, not only fixed the vulnerability but also included other general improvements and routine bug fixes.
Nature of the ExpressVPN Vulnerability and How It Was Addressed
The problem was traced back to debug code originally meant for internal testing that mistakenly shipped with production versions of the app, specifically from versions 12.97 to 12.101.0.2-beta. This debug code caused traffic over TCP port 3389 to be routed outside the VPN tunnel. ExpressVPN explained, “With help from our bug bounty community, we identified and fixed an issue in certain recent versions of our Windows app where traffic over TCP port 3389 wasn’t being routed through the VPN tunnel as expected.”
This vulnerability meant that when a user connected through RDP, their traffic wasn’t protected by the VPN routing as it should have been. While the encryption of the traffic itself remained intact, the leak allowed observers such as Internet Service Providers (ISPs) or local network eavesdroppers to see that the user was connected to ExpressVPN and accessing specific remote servers via RDP, information normally shielded by the VPN.
The flaw was responsibly reported by security researcher Adam-X through ExpressVPN’s bug bounty platform on April 25. The company responded, confirming and triaging the issue within hours and releasing a fix five days later. The fixed rollout was completed across all distribution channels, and the researcher confirmed the resolution soon after.
Assessing the Impact and Risks
Although the issue could theoretically affect any TCP traffic over port 3389, not just RDP sessions, the typical ExpressVPN user is unlikely to encounter this vulnerability. The company emphasized that “this scenario is uncommon for most users (RDP is primarily used in enterprise environments),” and given that ExpressVPN’s user base mainly consists of individual consumers rather than enterprise clients, the number of potentially impacted users was probably small.
For a malicious actor to exploit the vulnerability, they would need to be aware of the bug and find a way to trigger traffic over port 3389, perhaps by tricking a user into visiting a compromised website or executing a drive-by attack. Even in such cases, ExpressVPN clarified that “the exposure would have been limited to the user’s real IP address. It did not reveal their browsing activity or compromise the encryption of any traffic, including RDP sessions.”
Conclusion
To prevent similar issues, ExpressVPN is enhancing its internal testing processes, including “improving automated tests to flag and remove test settings earlier in development,” reducing human error, and helping ensure that debug code does not reach production.
Users are strongly advised to update to the latest app version to maintain full protection and ensure all traffic, including RDP over port 3389, is properly routed through the VPN tunnel.
