ExpressVPN Fixes RDP Leak: Real IP Addresses Exposed Due to Debugging Code Oversight

ExpressVPN has resolved a vulnerability in its Windows client that allowed Remote Desktop Protocol (RDP) connections to bypass the VPN tunnel, thereby exposing users’ real IP addresses. The issue affected versions 12.97 through 12.101.0.2-beta and stemmed from debugging code, originally intended for internal testing, that was inadvertently left in the client. The flaw was discovered on April 25, 2025, by a security researcher operating under the alias Adam-X, via the platform’s bug bounty program.

When a user connected via RDP, that traffic was routed outside the encrypted VPN tunnel, contrary to expected VPN behavior. External observers, such as ISPs or others on the local network, could therefore detect not only the connection to ExpressVPN but also the exact IP addresses of the remote servers being accessed.
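A way to check a Windows host for this class of leak, as an added example that is not ExpressVPN's code: it parses `netstat -n -p TCP` output and reports established connections whose local address is not the tunnel adapter's, which generalizes the RDP case to any port. The function name, the sample output and every address in it are constructed for illustration; the tunnel address, VPN server address and LAN range are assumptions you would replace with your own.

```python
import ipaddress

# Constructed `netstat -n -p TCP` output (documentation-range addresses, not real data).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.20.0.5:50211        198.51.100.50:443      ESTABLISHED
  TCP    192.168.1.23:50212     203.0.113.10:3389      ESTABLISHED
  TCP    192.168.1.23:50190     198.51.100.7:443       ESTABLISHED
  TCP    127.0.0.1:5040         127.0.0.1:50100        ESTABLISHED
  TCP    192.168.1.23:50300     192.168.1.1:80         TIME_WAIT
"""

def split_endpoint(endpoint):
    """Split 'ip:port' (or '[ipv6]:port') into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)

def find_tunnel_bypass(netstat_text, tunnel_ip, vpn_server_ip, lan_cidr):
    """Return (local_ip, remote_ip, remote_port) for connections outside the tunnel.

    A connection routed through the VPN is sourced from the tunnel adapter's
    address; one sourced from the physical NIC's address is leaving the host
    unprotected. Loopback, LAN destinations and the VPN server itself (the
    tunnel's own carrier connection) are expected exceptions.
    """
    tunnel = ipaddress.ip_address(tunnel_ip)
    vpn_server = ipaddress.ip_address(vpn_server_ip)
    lan = ipaddress.ip_network(lan_cidr)
    leaks = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] != "TCP" or fields[3] != "ESTABLISHED":
            continue  # skip headers, blank lines and non-established sockets
        local_ip, _ = split_endpoint(fields[1])
        remote_ip, remote_port = split_endpoint(fields[2])
        if remote_ip.is_loopback or remote_ip in lan or remote_ip == vpn_server:
            continue
        if local_ip != tunnel:
            leaks.append((str(local_ip), str(remote_ip), remote_port))
    return leaks

if __name__ == "__main__":
    # Assumed values: tunnel adapter 10.20.0.5, VPN server 198.51.100.7, LAN 192.168.1.0/24.
    for leak in find_tunnel_bypass(SAMPLE_NETSTAT, "10.20.0.5", "198.51.100.7", "192.168.1.0/24"):
        print("outside tunnel: %s -> %s:%d" % leak)
```

On the constructed sample only the connection to port 3389, RDP's default port, is reported, because it is sourced from the physical adapter's address rather than the tunnel's.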

Although data remained encrypted, the mere bypassing of the VPN tunnel constitutes a critical failure—especially for a company that markets itself as a global leader in privacy and cybersecurity. ExpressVPN stated that the vulnerability was limited in scope and primarily affected users who actively employ RDP, a protocol commonly used in enterprise environments and by IT administrators, but rarely by the average consumer.

A fix was issued on June 18, 2025, with the release of version 12.101.0.45. The company urged all Windows users to update their clients immediately. It also pledged to strengthen its internal build verification processes, including more rigorous automated testing, to prevent similar oversights in the future.

This is not the first technical lapse for ExpressVPN in recent times. In 2024, a DNS request leak was identified when using the split tunneling feature. At the time, the function was temporarily disabled until a patch was deployed.