ExpressVPN updated its Windows app to resolve a routing problem related to Remote Desktop traffic. The bug allowed certain RDP traffic to bypass the VPN tunnel, potentially exposing user activity to observers on the same network. The firm identified the cause as debug code inadvertently included in release builds. Following a report from security researcher Adam-X, ExpressVPN confirmed and triaged the issue quickly, implementing a fix within five days. The update also includes general improvements and bug fixes, and was confirmed resolved by the researcher shortly after release.
The issue related to the way certain Remote Desktop traffic was being routed, which applied only under specific conditions, specifically during RDP connection use.
If a user established a connection using Remote Desktop Protocol, that traffic could bypass the VPN tunnel, allowing visibility into their specific remote server access.
The problem was traced to a piece of debug code that unintentionally entered production builds, affecting versions 12.97 to 12.101.0.2-beta.
After being reported by security researcher Adam-X, the issue was confirmed and triaged within hours, leading to a fix released five days later.
Collection
[
|
...
]