Debug Code Blunder: ExpressVPN Flaw Leaked Real IPs in Remote Desktop Sessions
In a stark reminder that even top-tier privacy tools can harbor critical flaws, ExpressVPN recently fixed a vulnerability in its Windows client that leaked users' real IP addresses during Remote Desktop Protocol (RDP) sessions. The bug, which persisted in production builds for months, allowed RDP traffic to circumvent the encrypted VPN tunnel—directly undermining the core promise of anonymity that draws millions to such services.
The Vulnerability: How Debug Code Undermined Privacy
The flaw stemmed from remnants of internal debug code mistakenly included in ExpressVPN Windows releases from version 12.97 (launched in early 2025) through 12.101.0.2-beta. The leftover code caused any TCP connection to port 3389, the default RDP port, to be sent outside the VPN tunnel over the machine's regular network path, so it carried the user's ISP-assigned address rather than the VPN exit address. As ExpressVPN confirmed:
"If a user established a connection using RDP, that traffic could bypass the VPN tunnel. This did not affect encryption, but it meant an observer, like an ISP or someone on the same network, could have seen the user was accessing specific remote servers over RDP—information normally protected."
RDP's own transport encryption still protected the session contents, but the connection itself left the host with the user's real IP address. That revealed to the ISP or anyone on the local network which remote servers were being reached over RDP, and it revealed to the RDP server the user's real address and approximate location, a serious exposure for users in regions with strict censorship or surveillance. Security researcher "Adam-X" reported the issue via ExpressVPN's bug bounty program on April 25, 2025, triggering an internal investigation.
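The leak is easy to verify empirically, and the same check works as a release-gate test. The script below is an added example, not ExpressVPN's code: run the echo server on a host you control that is reachable over the public Internet, listening on 3389 and on an unrelated control port (443 is assumed here), then run the probe from the VPN-connected machine. Every port should report the VPN exit address; a port that reports your ISP-assigned address is bypassing the tunnel. The stand-alone demo only talks to loopback, so it runs offline.

```python
"""Per-port VPN leak probe (added example, not ExpressVPN code).

Each TCP connection to the echo server is answered with the source IP the
server observed. Comparing that answer across ports exposes a port-specific
bypass such as the TCP/3389 exemption described above.
"""
from __future__ import annotations

import socket
import threading

RDP_PORT = 3389       # default RDP port that bypassed the tunnel
CONTROL_PORT = 443    # assumed: an ordinary port with no special treatment


def serve_once(srv: socket.socket) -> None:
    """Accept one connection and reply with the peer's IP address."""
    conn, (peer_ip, _) = srv.accept()
    with conn:
        conn.sendall(peer_ip.encode() + b"\n")


def start_echo_server(bind_ip: str = "0.0.0.0", port: int = 0) -> tuple[socket.socket, int]:
    """Listen on port (0 lets the OS choose) and serve in a background thread.
    Returns the listening socket and the port actually bound."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_ip, port))
    srv.listen(8)

    def loop() -> None:
        while True:
            try:
                serve_once(srv)
            except OSError:  # listening socket closed by the caller
                return

    threading.Thread(target=loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def observed_source_ip(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect to host:port and return the source IP the server saw us from."""
    with socket.create_connection((host, port), timeout=timeout) as conn:
        data = b""
        while not data.endswith(b"\n"):
            chunk = conn.recv(64)
            if not chunk:
                break
            data += chunk
    return data.decode().strip()


def probe_ports(host: str, ports: dict[str, int], vpn_exit_ip: str) -> dict[str, dict]:
    """Probe each named port; flag any whose observed source IP differs from
    the VPN exit address. A flagged port is leaving the host outside the tunnel."""
    report: dict[str, dict] = {}
    for name, port in ports.items():
        seen = observed_source_ip(host, port)
        report[name] = {"port": port, "observed_ip": seen, "leaks": seen != vpn_exit_ip}
    return report


if __name__ == "__main__":
    # Stand-alone loopback demo: both probes must see 127.0.0.1, so nothing leaks.
    # In a real run the server listens on RDP_PORT and CONTROL_PORT on a remote
    # host and vpn_exit_ip is the address the VPN provider's status page reports.
    srv, port = start_echo_server("127.0.0.1")
    print(probe_ports("127.0.0.1", {"rdp": port, "control": port}, "127.0.0.1"))
    srv.close()
```

In a real deployment the two listeners sit on a host outside your network, and the reference address is whatever the VPN provider reports as your exit IP; any difference between the "rdp" and "control" rows is the bypass. Checking a handful of ports this way on every release candidate would have caught the port-3389 exemption before it shipped.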
Scope and Mitigation: Limited Impact, But Lasting Lessons
ExpressVPN downplayed the immediate risk, noting that RDP is used mainly by enterprises and IT administrators rather than the consumers who make up most of its user base. The company released a patch (version 12.101.0.45) on June 18, 2025, and urged all Windows users to upgrade immediately. The flaw did not compromise ExpressVPN's encryption or its no-logs policy, but it exposed a gap in release quality control: behaviour meant only for internal debugging reached production builds and stayed there for months.
In response, ExpressVPN pledged enhanced build checks and automated testing to prevent similar oversights—a necessary step given its history, including a 2024 DNS leak tied to split tunneling. This pattern suggests VPN providers must prioritize security over rapid feature deployment, especially as remote work tools like RDP become ubiquitous.
The incident serves as a cautionary tale: Trust in VPNs hinges on invisible technical rigor, and one stray line of debug code can shatter the veil of anonymity overnight. For developers, it reinforces the non-negotiable need for robust CI/CD pipelines; for users, it's a prompt to scrutinize even the most reputable privacy shields.
Source: BleepingComputer