
ExpressVPN has released a security update for its Windows app after a researcher reported a traffic routing issue involving Remote Desktop Protocol (RDP). The bug, which affected specific versions of the app, allowed some network traffic to bypass the VPN tunnel under certain conditions. While the issue was limited in scope and unlikely to impact most users, ExpressVPN responded quickly by issuing a fix and strengthening internal safeguards to prevent similar problems in the future.
The issue was first reported on April 25 by a security researcher known as Adam-X through ExpressVPN’s bug bounty program. The bug affected traffic using TCP port 3389, typically associated with RDP. In affected versions, between 12.97 and 12.101.0.2-beta, a piece of debug code intended only for internal testing had inadvertently been left in production builds. As a result, when RDP or other TCP traffic ran over port 3389, it was not properly routed through the VPN tunnel. Although encryption remained intact, the exposed traffic could reveal the user’s IP address and show that they were accessing specific remote servers via RDP. This kind of metadata is normally hidden by a VPN.
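One way to check a Windows host for the kind of bypass described above, as an added example that is not ExpressVPN's code or the researcher's method: it flags outbound TCP flows to off-LAN hosts whose source address is not on the VPN adapter, and covers any remote port rather than only 3389. The rows are constructed sample data shaped like `Get-NetTCPConnection` output, and the tunnel subnet `10.8.0.0/24` and the `find_bypass` name are assumptions.

```python
import ipaddress

# Constructed sample rows (not real captures), columns as in Get-NetTCPConnection.
SAMPLE = """\
LocalAddress  LocalPort RemoteAddress RemotePort State
10.8.0.2      51514     203.0.113.10  443        Established
192.168.1.23  51620     198.51.100.7  3389       Established
10.8.0.2      51701     198.51.100.9  3389       Established
192.168.1.23  51733     192.168.1.50  3389       Established
192.168.1.23  51790     203.0.113.44  22         SynSent
127.0.0.1     49670     127.0.0.1     5354       Established
"""

TUNNEL_NET = ipaddress.ip_network("10.8.0.0/24")  # assumed VPN adapter subnet
# Destinations that are expected to stay off the tunnel (LAN, loopback, link-local).
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16")]

def parse(text):
    """Yield (local, remote, remote_port, state); skip headers and malformed rows."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            yield (ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[2]),
                   int(parts[3]), parts[4])
        except ValueError:
            continue  # header line or unparsable address/port

def find_bypass(text, tunnel_net=TUNNEL_NET, allowed=frozenset()):
    """Return (local, remote, port) for off-LAN flows not sourced from the tunnel.

    `allowed` holds remote addresses that legitimately use the physical
    adapter, such as the VPN server endpoint itself.
    """
    leaks = []
    for local, remote, rport, state in parse(text):
        if state not in ("Established", "SynSent"):
            continue
        if str(remote) in allowed or any(remote in n for n in LOCAL_NETS):
            continue
        if local not in tunnel_net:
            leaks.append((str(local), str(remote), rport))
    return leaks

if __name__ == "__main__":
    for leak in find_bypass(SAMPLE):
        print("outside tunnel: %s -> %s:%d" % leak)
```

A flow to port 3389 that is sourced from the tunnel address, or that targets a LAN host, is not reported; only the row leaving from the physical adapter's address to an off-LAN host is.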
ExpressVPN confirmed the issue shortly after receiving the report and released a fix five days later in version 12.101.0.45. The update has been distributed through all official channels, and the researcher verified the patch soon after its release. The case was formally closed at the end of June.
The company emphasized that the risk to users was minimal. RDP is generally used in enterprise environments, and most ExpressVPN users are individual consumers who do not rely on that protocol. For the issue to be exploited, an attacker would need to be aware of the bug and somehow trigger traffic over port 3389, such as through a malicious website or compromised web service. Even in such rare scenarios, only the user’s real IP address could have been exposed, not their browsing history or the contents of encrypted sessions.
To help ensure this type of issue doesn’t happen again, ExpressVPN is improving its internal development process. This includes enhanced automated testing to detect and remove test code before software reaches end users. The goal is to reduce the risk of human error and further improve user privacy and security.
ExpressVPN has expressed appreciation to its community of users, beta testers, and researchers for helping to improve its products. The company encourages others to participate in its bug bounty and beta testing programs to help identify and fix potential vulnerabilities early. Users are advised to update to the latest version of the Windows app to ensure full protection.