ExpressVPN has disclosed a security vulnerability in its Windows application that could have exposed users’ real IP addresses when using Remote Desktop Protocol (RDP) connections or other traffic routed through TCP port 3389.
The issue affected versions 12.97 through 12.101.0.2-beta and has since been patched in version 12.101.0.45, with the company recommending all Windows users update immediately to the latest version 12.103.0.22.
The vulnerability was discovered and reported by security researcher Adam-X through ExpressVPN’s bug bounty program on April 25, 2024.
The root cause was traced to debug code originally intended for internal testing that mistakenly made it into production builds of the Windows application.
When the bug was active, traffic sent over TCP port 3389 would bypass the VPN tunnel entirely, meaning it would not be routed through ExpressVPN’s servers as expected.
Because that traffic never entered the tunnel, it did not receive the tunnel's encryption either; RDP's own transport security, where in use, was unaffected. The exposure was the metadata: a network observer such as an internet service provider, or another party on the same local network, could see the user's real IP address connecting directly to specific remote servers, while the user's other traffic still showed them connected to ExpressVPN.
ExpressVPN's engineering team confirmed and triaged the report within hours of receiving it.
The researcher later confirmed that the fix successfully resolved the vulnerability, and the report was formally closed at the end of June.
Despite the serious nature of any VPN bypass vulnerability, ExpressVPN’s analysis suggests the real-world impact was likely minimal.
The issue primarily affected users actively using RDP, a protocol found mostly in enterprise environments rather than among the consumer users who make up the majority of ExpressVPN's customer base.
Key factors limiting the vulnerability’s impact include:
- Limited user base: The issue primarily affected RDP users, which represents a small subset of ExpressVPN’s predominantly consumer-focused customer base.
- High exploitation requirements: An attacker had to know about the bug and have a way to make the victim's machine open a TCP connection to port 3389 on a host the attacker controlled, so that the attacker's server logged the victim's real source address.
- Targeted attack scenarios: In practice that meant luring the user to a malicious website, or compromising a legitimate site, so that a drive-by page triggered the connection.
- Scope of exposure: Even successful attacks only revealed users’ real IP addresses without compromising browsing activity or traffic encryption.
The vulnerability affected any TCP traffic sent over port 3389, not exclusively RDP connections, meaning attackers could theoretically craft other types of content to exploit the bypass.
However, even in successful exploitation scenarios, the exposure remained limited to IP address revelation.
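The practical check after a disclosure like this is to confirm that traffic to port 3389 leaves the machine from the same public address as traffic that is known to be tunnelled. The following Python harness is an added example, not ExpressVPN's code or the researcher's report: it runs small "reflector" listeners that reply with the source IP they saw, and a client that connects to a control port and to 3389 and compares the answers. Host names and port choices are assumptions; the built-in demo runs both listeners on loopback, so it observes 127.0.0.1 on every port and flags nothing. To test a real VPN client, run the reflectors on an Internet host you control (on 443 and 3389) and run the probe from the VPN-connected Windows machine.

```python
"""Egress-IP consistency check for a VPN client.

Connect to the same host on several TCP ports and compare the source
address each listener observes. If port 3389 is seen from a different
address than the control port, traffic to 3389 is bypassing the tunnel.
"""
import socket
import threading

RDP_PORT = 3389      # port affected by the bypass described in the article
CONTROL_PORT = 443   # assumed: any port that is known to go through the tunnel


def start_reflector(host="127.0.0.1", port=0):
    """Listen on host:port and reply to each client with the peer IP it
    connected from. Returns (stop_event, bound_port). Port 0 picks a free
    port, which the offline demo and tests rely on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(8)
    srv.settimeout(0.2)          # lets the accept loop notice the stop flag
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, (peer_ip, _) = srv.accept()
            except socket.timeout:
                continue
            except OSError:      # listening socket went away
                break
            with conn:           # reply with the observed source IP, then close
                conn.sendall(peer_ip.encode())
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return stop, srv.getsockname()[1]


def observed_source_ip(host, port, timeout=5.0):
    """Connect to a reflector and return the source IP it saw us from."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        chunks = []
        while True:             # read until the reflector closes the connection
            data = s.recv(64)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode()


def probe(host, ports, timeout=5.0):
    """Return {destination_port: observed source IP} for each port."""
    return {p: observed_source_ip(host, p, timeout) for p in ports}


def leaking_ports(observed, control_port):
    """Ports whose observed source IP differs from the control port's.
    With a correctly working full-tunnel VPN this list is empty; with the
    bug described above, 3389 would appear here with the real IP."""
    expected = observed[control_port]
    return sorted(p for p, ip in observed.items() if ip != expected)


if __name__ == "__main__":
    # Offline demonstration on loopback: both listeners see 127.0.0.1.
    stop_a, port_a = start_reflector()
    stop_b, port_b = start_reflector()
    seen = probe("127.0.0.1", [port_a, port_b])
    print("observed:", seen, "leaking:", leaking_ports(seen, port_a))
    stop_a.set()
    stop_b.set()
```

The comparison is deliberately against a control port rather than against a hard-coded "expected" VPN address, so the same harness also catches a split-tunnel rule or a kill-switch gap on any other port you add to the list.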
Enhanced Security Measures
In response to this incident, ExpressVPN has implemented stronger internal safeguards designed to prevent similar issues from occurring in future releases.
The company is enhancing its automated testing procedures to better identify and remove debug code before it reaches production environments.
These improvements include more targeted checks specifically designed to flag test settings earlier in the development process, reducing the likelihood of human error and strengthening overall user protections.
The company emphasizes that while this type of scenario is uncommon for most users, any risk to user privacy is considered unacceptable.
ExpressVPN continues to operate its bug bounty program, encouraging security researchers to responsibly disclose vulnerabilities.
The company has expressed gratitude to Adam-X for the responsible disclosure and prompt reporting of this issue, which enabled a rapid response and resolution.