- ExpressVPN issued an update to patch an RDP leak bug discovered by an independent researcher
- The leak in the Windows ExpressVPN client was found in April, in code rolled out in March, so its recent audit could not have caught the bug
- ExpressVPN believes that “the probability of exploiting the real world was extremely low”
The ExpressVPN Windows client app has been updated to patch a leak vulnerability discovered in April by an independent security researcher.
In a detailed blog post dated July 18, 2025, ExpressVPN, one of the best VPNs, confirmed an RDP bug that could have leaked users’ real IP addresses, while saying that “the probability of exploiting the real world was extremely low.”
Nevertheless, a fix was issued in an update a few days later, which means that the bug should no longer exist and can no longer be exploited.
What is an RDP leak?
RDP (Remote Desktop Protocol) allows a remote connection from one device to another (typically PC to PC or PC to server). When an RDP connection is established with a virtual private network (VPN) active, the data is expected to travel through the encrypted VPN tunnel.
When data is not encrypted and bypasses the tunnel, this is called a leak. Besides RDP leaks, other leaks can occur with VPNs, such as DNS leaks.
With this bug, the RDP connection could have been observed by an internet service provider (ISP) or anyone with network access. Not only was the target IP address not encrypted, which allowed an observer to see that a connection to ExpressVPN was running, but it would also have been clear that remote servers were being accessed over RDP.
The attack, as demonstrated by researcher Adam-X, would result in the user’s actual IP address being revealed but not their browser activity.
The value of a VPN is that all data is encrypted between the user’s device and the VPN server. Although it is possible to manually exclude some apps from the VPN connection, that is not what happened here. Note, however, that this was a bug in the Windows version of the ExpressVPN desktop client and did not affect other versions.
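A leak of this kind can be spotted on the client by checking which local address each RDP connection is bound to: with the VPN up, it should be the tunnel adapter's address, not the physical adapter's. The Python below is an added example, not code from ExpressVPN or the researcher; the `netstat -n`-style sample, the tunnel subnet 10.158.0.0/16 and the LAN subnet 192.168.1.0/24 are constructed assumptions, and 3389 is the default RDP port.

```python
import ipaddress

RDP_PORT = 3389  # default TCP port for Remote Desktop Protocol

# Constructed sample in the layout of Windows `netstat -n` output.
# Assumed setup: tunnel adapter 10.158.0.2, physical adapter 192.168.1.23.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    10.158.0.2:50211       203.0.113.10:443       ESTABLISHED
  TCP    192.168.1.23:50304     198.51.100.7:3389      ESTABLISHED
  TCP    10.158.0.2:50377       198.51.100.8:3389      ESTABLISHED
  TCP    192.168.1.23:50412     192.168.1.40:3389      ESTABLISHED
  TCP    192.168.1.23:50500     198.51.100.9:3389      TIME_WAIT
"""


def split_endpoint(endpoint):
    """Split 'ip:port' (or '[ipv6]:port') into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)


def find_rdp_leaks(netstat_text, tunnel_net, lan_net):
    """Return (local_ip, remote_ip) for established RDP flows outside the tunnel.

    tunnel_net: subnet of the VPN adapter (assumption, set per deployment).
    lan_net: local subnet; LAN peers are skipped because many VPN clients
             leave local-network traffic outside the tunnel by design.
    """
    tunnel = ipaddress.ip_network(tunnel_net)
    lan = ipaddress.ip_network(lan_net)
    leaks = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Data rows have exactly: proto, local, foreign, state.
        if len(fields) != 4 or fields[0] != "TCP" or fields[3] != "ESTABLISHED":
            continue
        local_ip, _ = split_endpoint(fields[1])
        remote_ip, remote_port = split_endpoint(fields[2])
        if remote_port != RDP_PORT or remote_ip in lan:
            continue
        if local_ip not in tunnel:  # bound to the physical adapter: leak
            leaks.append((str(local_ip), str(remote_ip)))
    return leaks


if __name__ == "__main__":
    for local, remote in find_rdp_leaks(SAMPLE_NETSTAT, "10.158.0.0/16", "192.168.1.0/24"):
        print(f"RDP to {remote} is leaving via {local}, outside the VPN tunnel")
```

On a real machine, feed it the output of `netstat -n` captured while the VPN is connected and an RDP session is open.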
Should ExpressVPN’s no-log audit have found the leak?
This news was announced shortly after ExpressVPN published the details of its latest successful no-log audit by KPMG. Should the bug have been discovered in the audit, and should users have been informed earlier?
ExpressVPN has stated: “The problem was traced to a piece of troubleshooting code (originally intended for internal testing) that mistakenly made it into production buildings (versions 12.97 to 12.101.0.2-BETA).” They also confirm that Adam-X reported the error on April 25.
ExpressVPN was audited in February 2025, and solely to verify that its TrustedServer infrastructure never collects users’ logs, as it claims.
Meanwhile, according to Uptodown’s archive of version updates, ExpressVPN production builds 12.97 to 12.101.0.2-BETA were released between March and May.
In short, KPMG’s audit of ExpressVPN’s servers could not have found the bug, even if it had been tested for, as the bug did not exist at that time.
How many users were affected?
Most users typically do not connect to a VPN before they establish an RDP session, so this is unlikely to have affected many users.
ExpressVPN is mostly used by individuals rather than organizations, so the attack surface of this vulnerability should be minimal. Exploitation of the bug also required an attacker to know about it and to find a way to direct the victim to a malicious website.
However, the VPN provider has stated that it is introducing multiple controls to catch problems like this before builds are released and is improving automated testing.
ExpressVPN’s response to the bug report, with only five days between Adam-X’s submission and the first patch, is impressive. But why take so long to share the information publicly? It’s a security question.



