ExpressVPN, a prominent player in the virtual private network (VPN) market, has announced the resolution of a security flaw that exposed users’ real IP addresses during Remote Desktop Protocol (RDP) sessions. The vulnerability, reported by security researcher ‘Adam-X’ through the company’s bug bounty program, allowed RDP traffic to circumvent the VPN tunnel, a critical feature meant to protect online anonymity.
The flaw was traced to debug code unintentionally included in specific versions of ExpressVPN’s software, from 12.97 through 12.101.0.2-beta. ExpressVPN emphasized that encryption remained intact despite the leak, mitigating the risk of unauthorized data exposure during RDP use.
Following the investigation, a patch was released on June 18, 2025, updating the software to version 12.101.0.45, which fixes the issue. Users are urged to install this update to enhance their privacy and security while using Remote Desktop Protocol.
ExpressVPN has stated that the number of affected users is likely low, primarily because RDP is predominantly utilized by IT professionals and enterprises, rather than typical home users. The company has committed to improving its internal testing protocols to prevent similar vulnerabilities in the future.
For further details on the security advisory, refer to the company’s official announcement.
This incident comes on the heels of a prior vulnerability that caused DNS request leaks when users activated the ‘split tunneling’ feature in earlier versions of the Windows client, showcasing the ongoing challenges VPN services face in ensuring user security.