ExpressVPN patches IP-leak bug in Windows app

In an era when privacy and security are more critical than ever, even leading VPN providers are not immune to software flaws. ExpressVPN recently disclosed and patched a vulnerability in its Windows client that allowed certain traffic to bypass its encrypted tunnel, potentially exposing users' real IP addresses. While the company describes the risk as low, the incident is a potent reminder that no VPN product is entirely risk-free. For anyone who relies on a VPN for privacy and anonymity, this kind of leak shows why vigilance matters: a VPN client is software like any other, and users must keep it up to date and correctly configured.

What happened: the bug explained

According to ExpressVPN's official blog post, the issue affected versions 12.97 through 12.101.0.2-beta of the Windows client, which inadvertently shipped debug code in production builds. The leftover code allowed TCP traffic to port 3389, the standard port used by Microsoft's Remote Desktop Protocol (RDP), to bypass the VPN tunnel entirely. In effect: although the VPN tunnel itself remained encrypted, RDP and any other TCP traffic bound for port 3389 left the machine over the normal Internet connection rather than through the tunnel. The remote host therefore saw the user's real IP address, and anyone monitoring the local network (an ISP, or another user on the same network) could observe both the real IP and the remote server being connected to.
ExpressVPN says the bug was reported on October 25, 2025, by security researcher "Adam-X" through the company's bug-bounty program. Five days later, on October 30, 2025, the company released version 12.101.0.45, which removes the exemption.
The company emphasised that:

Encryption of the VPN tunnel itself was not compromised.

The flaw mainly affected users who used RDP or traffic over port 3389 — a scenario more common in enterprise settings than among typical consumer VPN users.

The likelihood of widespread real-world exploitation was described as “extremely low”.
Nevertheless, ExpressVPN took full responsibility, apologized to users, and said it was improving its QA and build process to ensure debug code cannot slip into production again.


Why it matters for VPN users

Breaking a core promise: A primary function of any VPN is to mask the user’s real IP and route traffic through an encrypted tunnel. When traffic bypasses that tunnel, the fundamental protection is undermined.

Scope of exposure: The exemption was keyed on the destination port, not on RDP itself, so any TCP connection to a remote port 3389 left the tunnel. That also means an attacker who can induce such a connection (for example, from a malicious web page the user visits) could learn the user's real IP address without the user ever opening a Remote Desktop session.

Trust & brand implications: ExpressVPN is one of the leading VPN services — with a large user base and strong reputation for privacy. A bug of this nature raises the question: if major vendors can slip up, how confident can users be in any VPN product?

Reminder to update: This is a practical reminder that VPN clients must be kept up to date. Users running older versions may be unknowingly exposed to leaks or routing issues.

Consumer vs enterprise settings: While the company says typical consumers are unlikely to be affected (since RDP usage is more enterprise-oriented), many advanced users or remote workers do use RDP, and may not realise their VPN traffic is not fully tunnelling.


Comparisons & context

This isn’t the first time ExpressVPN has faced routing or leak issues. In early 2024, the company had to disable its split-tunneling feature on Windows after discovering a DNS request leak.

Other VPN providers have similarly been found to leak DNS requests, WebRTC IPs, or fail to route traffic fully. Users who compare VPNs often check for independent audits, leak-tests, and built-in kill switches to guard against these scenarios.

In terms of magnitude, because the bug here required specific conditions (RDP, port 3389, Windows client), the exposure was much narrower than, say, a full device-wide leak — which makes it lower risk but still significant for affected users.


What users should do now

Update the client: Windows users of ExpressVPN should ensure they are running version 12.101.0.45 or newer. If the app doesn’t auto-update, manually trigger the update or reinstall.

Check usage: If you use RDP, virtual machines, remote-work tools, or any other TCP traffic to port 3389 while connected to a VPN, confirm that those connections actually leave through the tunnel: the remote end should see your VPN exit address, not the address assigned by your ISP. A route-table lookup on the client is not enough on its own, since a filter-level exemption like this one can send traffic around the tunnel without changing the routing table.

Use kill switch: If the VPN offers a “Network Lock” or kill-switch feature, enable it. This ensures if the tunnel fails, Internet traffic is blocked rather than leaking.

Run leak tests: Use tools to test your VPN for IP, DNS, WebRTC or port-based leaks. Many independent websites and software check for these issues.

Be mindful of features: When advanced features like split-tunneling are enabled, they introduce complexity and sometimes higher risk of mis-routing — toggle only if you understand the implications.
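The "check usage" and "run leak tests" steps above come down to one question: does the far end see the same source address on port 3389 as it does on an ordinary port such as 443? The following script is an added example written for this article, not ExpressVPN's code or a tool the company provides. It runs a small "reflector" on a host you control that is not behind the VPN (the hostname, port list and the baseline port 443 are assumptions you can change), and a client that connects to each probed port and compares the address the reflector saw. Ports whose observed address differs from the baseline's are leaving the machine outside the tunnel.

```python
"""Port-specific VPN tunnel bypass check (added example, not vendor code).

Usage, two machines:
  on a host OUTSIDE the VPN:   python leakcheck.py serve
  on the VPN-connected client: python leakcheck.py <reflector-host>
Every probed port should reflect the same public address (the VPN exit IP).
A port that reflects a different address is traffic leaving outside the tunnel.
"""
import socket
import threading
from typing import Dict, Iterable, List

# Assumed port set: 443 as the tunnelled baseline, 3389 (RDP) as the port this
# bug exempted. Add any other port your workload uses.
DEFAULT_PORTS = (443, 3389)


def _serve(srv: socket.socket) -> None:
    """Answer every connection with the peer IP we accepted it from."""
    while True:
        conn, (peer_ip, _) = srv.accept()
        with conn:
            conn.sendall((peer_ip + "\n").encode())


def start_reflector(host: str = "0.0.0.0",
                    ports: Iterable[int] = DEFAULT_PORTS) -> List[int]:
    """Listen on each port in a daemon thread; return the ports actually bound.

    Passing 0 binds an ephemeral port, which is how the self-test below works.
    """
    bound = []
    for port in ports:
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(5)
        bound.append(srv.getsockname()[1])
        threading.Thread(target=_serve, args=(srv,), daemon=True).start()
    return bound


def reflected_address(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect to the reflector on one port and return the IP it saw us from."""
    with socket.create_connection((host, port), timeout=timeout) as conn:
        data = b""
        while not data.endswith(b"\n"):
            chunk = conn.recv(64)
            if not chunk:
                break
            data += chunk
    return data.decode().strip()


def probe(host: str, ports: Iterable[int]) -> Dict[int, str]:
    """Source address observed for each port; "" when the connect failed."""
    results: Dict[int, str] = {}
    for port in ports:
        try:
            results[port] = reflected_address(host, port)
        except OSError:
            results[port] = ""  # blocked or unreachable, which is not a leak
    return results


def bypassed_ports(results: Dict[int, str], baseline_port: int = 443) -> List[int]:
    """Ports whose observed source IP differs from the baseline port's.

    The baseline is assumed to be tunnelled (with a kill switch it would be
    blocked otherwise). If the baseline itself failed to connect, every port
    that did connect is reported, since nothing then vouches for the tunnel.
    """
    baseline = results.get(baseline_port, "")
    return sorted(p for p, ip in results.items() if ip and ip != baseline)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2 and sys.argv[1] == "serve":
        print("reflector listening on ports", start_reflector())
        threading.Event().wait()  # keep the daemon threads alive
    elif len(sys.argv) == 2:
        seen = probe(sys.argv[1], DEFAULT_PORTS)
        print(seen)
        print("ports leaving outside the tunnel:", bypassed_ports(seen) or "none")
    else:
        print("usage: leakcheck.py serve | leakcheck.py <reflector-host>")
```

Running both halves on one machine over loopback only proves the tool works; the real check needs the reflector on a host outside the VPN, reachable on every port you care about, with the VPN's kill switch enabled so that a failed baseline connection shows up as "" rather than as a silent fallback to the ISP path.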



Conclusion

While the ExpressVPN bug posed only a narrow risk (TCP port 3389 on the Windows client), the incident is a wake-up call for all VPN users. The promise of a VPN is privacy, anonymity, and safe routing, and when any of those is compromised, trust is eroded. By acknowledging the flaw, patching within days, and urging users to update, ExpressVPN handled the disclosure responsibly. The broader takeaway is clear: treat a VPN app like any other critical security tool, not something to "set and forget." Keep the software updated, understand your configuration, and routinely test for leaks, so that the VPN remains the protective layer you expect it to be.

Amany Hassan

Amany Hassan is a news editor and content reviewer at VPNX, specializing in technology, cybersecurity, and digital privacy topics. Her focus is on reviewing, fact-checking, and refining articles to ensure accuracy, clarity, and added value — delivering reliable and well-edited news to readers.
