ExpressVPN has patched a critical flaw in its Windows client that allowed Remote Desktop Protocol (RDP) traffic to bypass the VPN tunnel, potentially exposing users’ real IP addresses.

A VPN’s core purpose is to mask users’ IPs, ensuring privacy and anonymity online. This leak, reported on April 25, 2025, by security researcher “Adam-X” via ExpressVPN’s bug bounty program, exposed RDP and other TCP traffic sent over port 3389, undermining that promise.

The issue was traced back to leftover debug code mistakenly included in production builds between versions 12.97 and 12.101.0.2-beta. ExpressVPN confirmed that RDP connections were not routed through the VPN tunnel, meaning ISPs or network observers could see not only the user’s VPN connection but also the specific remote servers accessed via RDP.
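A spot check for the behaviour described above, written for this page as an added example (it is not ExpressVPN's code or tooling): with the VPN connected, it lists established TCP connections to port 3389 whose local address does not belong to the VPN adapter. The adapter alias is a placeholder to replace with your own, and the check assumes a connection that bypasses the tunnel is bound to the physical adapter's address.

```powershell
# Added example. Flags established TCP connections on the given remote ports
# whose local address is not one of the VPN adapter's addresses.
param(
    # Assumption: replace with the alias Get-NetAdapter shows for your VPN interface.
    [string]$VpnAlias = 'VPN-ADAPTER-ALIAS',
    # 3389 is the RDP port named in the article.
    [uint16[]]$Ports = @(3389)
)

# Addresses currently assigned to the tunnel adapter; stop if it is absent,
# because every connection would then look like a bypass.
$vpnAddrs = @(Get-NetIPAddress -InterfaceAlias $VpnAlias -ErrorAction Stop |
    Select-Object -ExpandProperty IPAddress)

# Get-NetTCPConnection raises a non-terminating error when nothing matches,
# so that case is silenced and treated as "no connections".
$conns = @(Get-NetTCPConnection -State Established -RemotePort $Ports -ErrorAction SilentlyContinue)

# Keep connections bound to a non-VPN local address, ignoring loopback peers.
$outside = @($conns | Where-Object {
    $_.LocalAddress -notin $vpnAddrs -and
    $_.RemoteAddress -notin @('127.0.0.1', '::1')
})

if ($outside.Count -eq 0) {
    Write-Output "No established connections to port(s) $($Ports -join ', ') outside '$VpnAlias'."
    return
}

# Report each offending connection with the process that owns it.
$outside | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Process       = $proc.ProcessName
        LocalAddress  = $_.LocalAddress
        RemoteAddress = $_.RemoteAddress
        RemotePort    = $_.RemotePort
    }
} | Format-Table -AutoSize
exit 1
```

Run it while an RDP session is open; a non-zero exit code means at least one connection on the listed ports was not bound to the tunnel adapter.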

ExpressVPN released a patch in version 12.101.0.45 on June 18, 2025. The company reassured users that encryption remained intact, and the leak primarily affected users actively utilizing RDP—a protocol mostly used by IT professionals and enterprises rather than typical consumers.

RDP allows remote control of Windows machines and is widely used by system administrators and remote workers. ExpressVPN advised all users to update their Windows client immediately for full protection.

To prevent similar issues, ExpressVPN plans to enhance its internal build checks and increase automation in development testing.



This isn’t the first time ExpressVPN’s Windows client has faced leaks. In 2024, the company temporarily disabled the ‘split tunneling’ feature after discovering that it caused DNS request leaks, and fixed the problem in a subsequent update.
