ExpressVPN has taken a significant step in enhancing the security of its Windows application by releasing a critical patch aimed at addressing a vulnerability that could potentially expose remote desktop traffic. Users of ExpressVPN on Windows are urged to promptly download version 12.101.0.45, particularly those utilizing Remote Desktop Protocol (RDP) or any traffic routed through TCP port 3389.
Details of the Vulnerability and the Response
In a recent blog post, ExpressVPN detailed both the vulnerability and the subsequent fix. The alert originated from an independent researcher known as Adam-X, who submitted a report on April 25 as part of ExpressVPN’s bug bounty program. Adam-X discovered that certain internal debug code, which inadvertently left traffic on TCP port 3389 exposed, had been included in the version released to customers.
ExpressVPN acted swiftly, rolling out the patch just five days later with the release of version 12.101.0.45 for Windows users. The company emphasized that while the vulnerability existed, it was unlikely to have been exploited. An attacker would not only need to know about the flaw but would also have to trick the target into sending a request over RDP, or other traffic on TCP port 3389. Even then, the attacker would learn only the target's real IP address, with no visibility into the data being transmitted.
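For a Windows user who wants to verify on their own machine that RDP traffic is leaving through the VPN adapter, the following added check (not ExpressVPN's code) lists established TCP connections to port 3389 whose local address is not one of the VPN adapter's addresses. It assumes the VPN adapter's interface alias contains "ExpressVPN" (adjust the pattern for your client) and is a routing heuristic only: a client that enforces the tunnel with firewall rules rather than routes can give a clean result here and still bypass, so treat a clean run as informative, not as proof.

```powershell
# Added example, not ExpressVPN's code: flag TCP connections to the RDP port
# that are bound to a local address outside the VPN adapter.
# Assumption: the VPN adapter's InterfaceAlias contains "ExpressVPN".
param(
    [string]$VpnAliasPattern = 'ExpressVPN',
    [int]$RdpPort = 3389
)

# Local IPv4 addresses currently assigned to the VPN adapter(s)
$vpnAddrs = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.InterfaceAlias -like "*$VpnAliasPattern*" } |
    Select-Object -ExpandProperty IPAddress

if (-not $vpnAddrs) {
    Write-Warning "No adapter matching '$VpnAliasPattern' found; is the VPN connected?"
}

# All TCP connections whose remote port is the RDP port (any state)
$rdpConns = Get-NetTCPConnection -RemotePort $RdpPort -ErrorAction SilentlyContinue

# A connection bound to a non-VPN local address was routed around the tunnel
$leaks = foreach ($c in $rdpConns) {
    if ($vpnAddrs -notcontains $c.LocalAddress) {
        [pscustomobject]@{
            LocalAddress  = $c.LocalAddress
            RemoteAddress = $c.RemoteAddress
            State         = $c.State
            OwningProcess = $c.OwningProcess
        }
    }
}

if ($leaks) {
    Write-Output "RDP connections bound to a non-VPN address (possible tunnel bypass):"
    $leaks | Format-Table -AutoSize
} else {
    Write-Output "No RDP connections outside the VPN adapter found."
}
```

Run it while an RDP session (or any connection to port 3389) is open; with nothing connected to that port it reports nothing either way.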
Proactive Measures and Future Safeguards
Despite the low risk associated with this vulnerability, ExpressVPN’s proactive approach to addressing product flaws is commendable. The implementation of bug bounty programs is a positive step, but a security-focused product should prioritize user protection through comprehensive safeguards. In addition to rectifying this specific vulnerability, ExpressVPN is also introducing automated tests designed to identify any debug code that may inadvertently remain in production builds.
This commitment to security is further underscored by a successful independent privacy audit conducted earlier in 2025, reinforcing the impression of a provider that is vigilant and responsive to the needs of its users.