- ExpressVPN has published an update to correct an RDP leakage bug discovered by an independent researcher
- The leak in the Windows ExpressVPN client was found in April, in code deployed in March, so its recent audit could not have spotted the bug
- ExpressVPN considers that “the probability of real-world exploitation was extremely low”
The Windows ExpressVPN client application has been updated to fix a leak vulnerability discovered in April by an independent security researcher.
In a detailed blog post dated July 18, 2025, ExpressVPN – considered one of the best VPNs – confirmed the RDP bug, which could have disclosed users' real IP addresses, despite the fact that “the probability of real-world exploitation was extremely low”.
Nevertheless, a fix was issued in an update a few days later, which means that the bug should no longer exist and can no longer be exploited.
What is an RDP leak?
RDP (Remote Desktop Protocol) allows a remote connection from one device to another (generally PC to PC or PC to server). When an RDP connection is established with a virtual private network (VPN) activated, the expectation is that the data crosses the encrypted VPN tunnel.
When the data is not encrypted and bypasses the tunnel, it is called a leak. In addition to RDP, other encryption-bypassing leaks can occur with VPNs, such as DNS leaks.
With this bug, the RDP connection could have been observed by an ISP (Internet service provider) or anyone with access to the network. Not only was the target IP address not encrypted – allowing an observer to see that a connection to ExpressVPN was running – but it would have been clear that remote servers were being accessed over RDP.
The attack, as demonstrated by the researcher Adam-X, would reveal the real IP address of the user, but not their browsing activity.
The value of a VPN is that all data must be encrypted between the user’s device and the VPN server. While it is possible to manually exclude certain applications from the VPN connection, that is not what happened here. Note, however, that it was a bug in the Windows version of the ExpressVPN desktop client, and did not affect other versions.
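One way to check for the kind of leak described above, as an added example that is not ExpressVPN's or the researcher's code: it scans flow records and flags anything that leaves on a non-tunnel interface for a public address other than the VPN server. The interface names `vpn0` and `eth0`, the addresses, and the `Flow` and `find_leaks` names are assumptions made for illustration; 3389 is RDP's default port.

```python
import ipaddress
from dataclasses import dataclass

RDP_PORT, DNS_PORT = 3389, 53  # default RDP and DNS ports
# Destinations that legitimately stay off the tunnel (LAN, loopback, link-local).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

@dataclass(frozen=True)
class Flow:
    iface: str     # interface the packet left on
    proto: str     # "tcp" or "udp"
    dst_ip: str
    dst_port: int

def find_leaks(flows, tunnel_iface, vpn_endpoint):
    """Return (flow, kind) for every flow that escaped the tunnel.

    Allowed outside the tunnel: the encrypted carrier traffic to the
    VPN server itself, and traffic that never leaves the local network.
    """
    endpoint = ipaddress.ip_address(vpn_endpoint)
    leaks = []
    for f in flows:
        if f.iface == tunnel_iface:
            continue  # inside the encrypted tunnel
        dst = ipaddress.ip_address(f.dst_ip)
        if dst == endpoint or any(dst in net for net in LOCAL_NETS):
            continue  # carrier traffic or local destination
        kind = {RDP_PORT: "rdp", DNS_PORT: "dns"}.get(f.dst_port, "other")
        leaks.append((f, kind))
    return leaks

# Constructed sample: hypothetical interfaces, documentation-range addresses.
SAMPLE_FLOWS = [
    Flow("vpn0", "tcp", "198.51.100.20", 443),   # web traffic, tunnelled
    Flow("eth0", "udp", "203.0.113.5", 1195),    # carrier to VPN server
    Flow("eth0", "tcp", "198.51.100.77", 3389),  # RDP outside the tunnel
    Flow("eth0", "udp", "192.0.2.53", 53),       # DNS outside the tunnel
    Flow("eth0", "tcp", "192.168.1.10", 3389),   # RDP to a LAN host
    Flow("vpn0", "tcp", "198.51.100.77", 3389),  # RDP, tunnelled
]

if __name__ == "__main__":
    for flow, kind in find_leaks(SAMPLE_FLOWS, "vpn0", "203.0.113.5"):
        print(f"LEAK [{kind}] {flow.proto} -> {flow.dst_ip}:{flow.dst_port} via {flow.iface}")
```

Flow records of this shape can be exported from a packet capture taken on the physical interface while the VPN is connected.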
Could the ExpressVPN log audit have found the leak?
This news was announced shortly after ExpressVPN published the details of its latest KPMG log audit. Should the bug have been detected in the audit, and should users have been informed earlier?
ExpressVPN said: “The problem was attributed to debugging code (initially intended for internal tests) which wrongly made its way into production builds (versions 12.97 to 12.101.0.2-Beta).” They also confirm that Adam-X reported the bug on April 25.
ExpressVPN was audited in February 2025, and only to ensure that its TrustedServer infrastructure never collects user logs, as claimed.
Meanwhile, according to the version update history on Uptodown, ExpressVPN production builds 12.97 to 12.101.0.2-Beta were published between March and May.
In short, the KPMG audit of ExpressVPN servers could not have found the bug – even if it had been tested for – because it did not exist at the time.
How many users have been affected?
Most users will generally not connect to a VPN before establishing an RDP session, so it is unlikely that this affects many users.
ExpressVPN is used mainly by individuals rather than by organizations, so the attack surface of this vulnerability should be minimal. Exploiting the bug also required an attacker to know about it and to find a way to direct the victim to a malicious website.
The VPN provider said, however, that it is introducing more checks to find problems like this before builds are published, and improving automated tests.
ExpressVPN’s response to the bug report – only five days between the submission by Adam-X and the first patch – is impressive. But why take so much time to share information publicly? Well, it’s a matter of security.