ExpressVPN Windows Client Flaw May Leak User Data


ExpressVPN has disclosed a vulnerability in its Windows application that, under certain conditions, could lead to the leakage of user connection information.
Details of the Vulnerability
This vulnerability was discovered by security expert Adam-X through ExpressVPN's bug bounty program. The exploitation method involves the Remote Desktop Protocol (RDP) and other TCP traffic through port 3389. Although this flaw does not affect data encryption, it poses a risk of revealing the user's real IP address and the addresses of RDP connections.
ExpressVPN engineers traced the issue to debug code, which was initially used for internal testing but was inadvertently included in official releases of ExpressVPN Windows version 12 (specifically between versions 12.97 and 12.101.0.2-beta).
Because of this debug code, TCP traffic on port 3389 was not routed through the VPN tunnel as intended, so those connections bypassed it entirely. As a result, when users opened RDP sessions to remote servers or sent any other TCP traffic over port 3389, the connection went out directly over the physical interface instead of through the VPN.
Fixing the Vulnerability
After receiving the report on April 25, ExpressVPN's security team confirmed and addressed the issue within a few hours. By April 30, they released version 12.101.0.45 of the Windows Client, removing the erroneous debug code and restoring the correct routing of port 3389 traffic through the VPN tunnel.
ExpressVPN emphasized that regular users are unlikely to be affected, as RDP is primarily used in specialized remote access or enterprise scenarios. Furthermore, exploiting this vulnerability requires an attacker not only to be aware of the flaw but also to cause the victim's machine to send traffic over port 3389, for example by tricking the user into visiting a malicious website or by compromising a legitimate site so that it serves such content automatically.
Even in such targeted attacks, the attacker would only be able to collect the user's real IP address; they cannot decrypt data streams or browsing history.
Recommendations
FPT Threat Intelligence recommends several measures for organizations and individuals to prevent attacks targeting this vulnerability:
Immediately update to the latest software version: Update ExpressVPN Windows Client to version 12.101.0.45 or later to ensure that RDP traffic and connections through port 3389 are securely routed through the VPN tunnel.
Recheck system configuration: For organizations or individuals that use RDP frequently, review firewall configurations and remote access policies, and confirm that RDP connections made while an affected version was installed did not leave the VPN tunnel.
Monitor unusual network traffic: Enhance monitoring to detect unusual traffic through port 3389, especially from unidentified sources. This could indicate exploitation attempts or scanning activities by attackers.
Raise user security awareness: Warn users not to click on unfamiliar links, visit unknown websites, or download software from untrustworthy sources, since these are the channels an attacker would use to trigger the port 3389 traffic needed to exploit the vulnerability.
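One way to act on the monitoring and configuration-review recommendations above is to scan Windows Firewall connection logs for outbound TCP 3389 connections that were sourced from the physical LAN address instead of the VPN adapter's tunnel address while the VPN was connected. The script below is an added example written for this article, not code from ExpressVPN or the author; the LAN range, tunnel address and log lines are constructed, and the field order assumed is that of the Windows Firewall pfirewall.log format.

```python
import ipaddress
from dataclasses import dataclass

# Assumed addressing (constructed for this example): the physical NIC sits on
# 192.168.1.0/24 and the VPN adapter holds the tunnel address 10.8.0.5.
LAN_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]
VPN_TUNNEL_ADDRESS = ipaddress.ip_address("10.8.0.5")

# Constructed sample lines in the assumed pfirewall.log field order:
# date time action protocol src-ip dst-ip src-port dst-port size tcpflags
# tcpsyn tcpack tcpwin icmptype icmpcode info path
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2025-04-26 10:15:31 ALLOW TCP 10.8.0.5 203.0.113.10 51230 443 0 - 0 0 0 - - - SEND
2025-04-26 10:15:32 ALLOW TCP 192.168.1.20 203.0.113.10 51234 3389 0 - 0 0 0 - - - SEND
2025-04-26 10:15:40 ALLOW TCP 10.8.0.5 198.51.100.7 51240 3389 0 - 0 0 0 - - - SEND
2025-04-26 10:15:45 ALLOW TCP 203.0.113.55 192.168.1.20 40000 3389 0 - 0 0 0 - - - RECEIVE
2025-04-26 10:15:50 ALLOW UDP 192.168.1.20 192.168.1.1 53000 53 0 - - - - - - - SEND
"""


@dataclass(frozen=True)
class Leak:
    timestamp: str
    src_ip: str
    dst_ip: str
    dst_port: int


def find_port_3389_leaks(log_text, lan_networks=LAN_NETWORKS,
                         tunnel_address=VPN_TUNNEL_ADDRESS, port=3389):
    """Return outbound TCP connections to `port` whose source address is a LAN
    address rather than the tunnel address, i.e. traffic that bypassed the VPN."""
    leaks = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue  # blank line or header comment
        fields = line.split()
        if len(fields) < 17:
            continue  # malformed or truncated line
        date, time, _action, proto, src, dst, _sport, dport = fields[:8]
        path = fields[16]
        if proto != "TCP" or path != "SEND" or int(dport) != port:
            continue  # only outbound TCP to the RDP port is of interest
        src_addr = ipaddress.ip_address(src)
        # Sourced from the LAN address, not the tunnel: the VPN was bypassed
        if src_addr != tunnel_address and any(src_addr in n for n in lan_networks):
            leaks.append(Leak(f"{date} {time}", src, dst, int(dport)))
    return leaks
```

Only connections logged while the VPN was actually connected are meaningful; compare timestamps against the client's connection log before treating a hit as a leak.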
Written by

Tran Hoang Phong
Just a SOC Analyst ^^