- ExpressVPN issued an update to patch an RDP leak bug discovered by an independent researcher
- The leak in the Windows ExpressVPN client was found in April, in code rolled out in March, so its recent audit could not have spotted the bug
- ExpressVPN considers that “the likelihood of real-world exploitation was extremely low”
The ExpressVPN Windows client app has been updated to patch a leak vulnerability, discovered in April by an independent security researcher.
In a detailed blog post dated July 18, 2025, ExpressVPN – considered one of the best VPNs – confirmed the RDP bug that could have leaked users’ real IP addresses, despite stating that “the likelihood of real-world exploitation was extremely low.”
Nonetheless, a fix was issued in an update a few days later, meaning the bug should no longer exist, and cannot now be exploited.
What is an RDP leak?
RDP (Remote Desktop Protocol) allows a remote connection from one device to another (typically PC to PC, or PC to server). When an RDP connection is established with a virtual private network (VPN) enabled, the expectation is that the data travels through the encrypted VPN tunnel.
When the data is not encrypted and bypasses the tunnel, it is referred to as a leak. Besides RDP, other encryption-dodging leaks can occur with VPNs, such as DNS leaks.
With this bug, the RDP connection could have been observed by an ISP (Internet service provider), or anyone with network access. Not only was the target IP address not encrypted – enabling an observer to see that a connection to ExpressVPN was running – but it would have been clear that remote servers were being accessed over RDP.
The attack, as demonstrated by researcher Adam-X, would result in the user’s actual IP address being revealed, but not their browsing activity.
The value of a VPN is that all data should be encrypted between the user’s device and the VPN server. While it is possible to manually exclude some apps from the VPN connection, that didn’t happen here. Note, however, that this was a bug in the Windows version of the ExpressVPN desktop client, and did not affect other versions.
Should ExpressVPN’s no-log audit have found the leak?
This news was announced soon after ExpressVPN published the details of its latest successful no-log audit by KPGM. Should the bug have been detected in the audit, and should users have been informed sooner?
ExpressVPN has stated: “The problem was traced to a piece of debug code (originally intended for internal testing) that mistakenly made it into production builds (versions 12.97 to 12.101.0.2-beta).” They also confirm that Adam-X reported the bug on April 25.
ExpressVPN was audited in February 2025, and solely to ensure that its TrustedServer infrastructure never collects users’ logs as claimed.
Meanwhile, according to Uptodown’s repository of version updates, ExpressVPN production builds 12.97 to 12.101.0.2-beta were issued between March and May.
In short, KPMG’s audit of ExpressVPN’s servers could not have found the bug – even if it was tested for – as this did not exist at the time.
How many users were affected?
Most users typically won’t connect to a VPN before establishing an RDP session, so it is unlikely that this affected many users.
ExpressVPN is used mostly by individuals, rather than organizations, so the attack surface of this vulnerability should be minimal. Exploiting the bug also required an attacker to know about it, and to find a way to direct the victim to a malicious website.
The VPN provider has, however, stated that it is introducing more checks to find issues like this before builds are released, and improving automated testing.
ExpressVPN’s response to the bug report – just five days between filing by Adam-X and the first patch – is impressive. But why take so long to share the information publicly? Well, it’s a security matter.