A critical vulnerability in ExpressVPN's Windows client allowed Remote Desktop Protocol traffic to bypass the VPN tunnel, exposing users' true IP addresses due to leftover debug code in production builds. Patched in June 2025, the flaw highlights persistent risks in VPN security despite the service's no-logs reputation. This incident underscores the fragility of digital anonymity tools and the need for rigorous development safeguards.