- ExpressVPN issued an update to patch an RDP leak bug discovered by an independent researcher
- The leak in ExpressVPN's Windows client was found in April, in code introduced in March, so its recent audit could not have caught the bug
- ExpressVPN considers that “the probability of real world exploitation was extremely low”
The ExpressVPN Windows client application has been updated to patch a leak vulnerability, discovered in April by an independent security researcher.
In a detailed blog post on July 18, 2025, ExpressVPN, considered one of the best VPNs, confirmed the RDP bug that could have leaked users' real IP addresses, while stating that “the probability of exploitation of the real world was extremely low.”
However, a fix was issued in an update a few days later, which means that the bug should no longer exist and can no longer be exploited.
What is an RDP leak?
RDP (Remote Desktop Protocol) allows a remote connection from one device to another (usually PC to PC or PC to server). When an RDP connection is established over a virtual private network (VPN), the expectation is that the data travels through the VPN's encrypted tunnel.
When data is not encrypted and bypasses the tunnel, it is known as a leak. In addition to RDP leaks, other kinds of VPN leaks, such as DNS leaks, can occur.
With this bug, the RDP connection could have been observed by an ISP (internet service provider) or anyone with access to the network. The destination IP address was not encrypted, so an observer could see not only that a connection to ExpressVPN was running, but also that remote servers were being accessed through RDP.
The attack, as demonstrated by the researcher Adam-X, would expose the user's real IP address, but not their browsing activity.
The value of a VPN is that all data must be encrypted between the user's device and the VPN server. While it is possible to manually exclude some applications from the VPN connection, that did not happen here. Keep in mind, however, that this was a bug in the Windows version of the ExpressVPN desktop client, and it did not affect other versions.
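The leak definition above can be turned into a check: while the VPN is connected, anything seen on the physical network adapter that is not addressed to the VPN server has left the tunnel. The following is an added example, not code from ExpressVPN or the researcher; the flow records, addresses (documentation ranges), LAN prefix and function names are constructed for illustration, and 3389 is the default RDP port.

```python
import ipaddress

RDP_PORT = 3389  # default RDP port
DNS_PORT = 53

# Constructed sample data: flows seen on the physical adapter while the VPN is up.
VPN_SERVER = "198.51.100.10"                  # assumed VPN endpoint
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed local network
SAMPLE_FLOWS = [
    # (source, destination, protocol, destination port)
    ("192.168.1.20", "198.51.100.10", "udp", 1195),  # encrypted tunnel transport
    ("192.168.1.20", "203.0.113.7", "tcp", 3389),    # RDP sent outside the tunnel
    ("192.168.1.20", "192.168.1.1", "udp", 53),      # DNS query to the LAN router
    ("192.168.1.20", "192.168.1.255", "udp", 137),   # LAN broadcast
    ("192.168.1.20", "203.0.113.9", "tcp", 443),     # any other bypassing traffic
]

def classify(flow, vpn_server=VPN_SERVER, lan=LAN):
    """Label one flow captured on the physical (non-tunnel) adapter."""
    _src, dst, _proto, port = flow
    dst_ip = ipaddress.ip_address(dst)
    if dst_ip == ipaddress.ip_address(vpn_server):
        return "tunnel"      # expected: this is the VPN's own encrypted traffic
    if port == DNS_PORT:
        return "dns-leak"    # assumption: all DNS should resolve through the tunnel
    if dst_ip in lan or dst_ip.is_multicast:
        return "local"       # LAN traffic does not enter the tunnel
    if port == RDP_PORT:
        return "rdp-leak"    # observer learns the real IP and the RDP target
    return "other-leak"

def find_leaks(flows, vpn_server=VPN_SERVER, lan=LAN):
    """Return (label, destination, port) for every flow that bypassed the tunnel."""
    findings = []
    for flow in flows:
        label = classify(flow, vpn_server, lan)
        if label.endswith("-leak"):
            findings.append((label, flow[1], flow[3]))
    return findings

if __name__ == "__main__":
    for label, dst, port in find_leaks(SAMPLE_FLOWS):
        print(f"{label}: {dst}:{port} left the machine outside the tunnel")
```

The LAN is matched against an explicit prefix rather than `is_private`, because Python's `ipaddress` module also reports the documentation ranges used in the sample as private.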
Should ExpressVPN's no-logs audit have found the leak?
This news came shortly after ExpressVPN published the details of its latest successful KPMG no-logs audit. Should the audit have detected the bug, and should users have been informed sooner?
ExpressVPN has stated: “The problem goes back to a piece of purification code (originally intended for internal tests) that made it an error in production compilations (versions 12.97 to 12,101.0.2-beta).” They also confirm that Adam-X reported the bug on April 25.
ExpressVPN was audited in February 2025, and only to verify that its TrustedServer infrastructure never collects user logs, as stated.
Meanwhile, according to the Uptodown version history repository, ExpressVPN production builds 12.97 to 12,101.0.2-beta were released between March and May.
In summary, the KPMG audit of ExpressVPN's servers could not have found the bug, even if it had tested for it, since the bug did not exist at that time.
How many users were affected?
Most users generally do not connect to a VPN before establishing an RDP session, so it is unlikely that this affected many users.
ExpressVPN is mainly used by individuals rather than organizations, so the attack surface of this vulnerability should be minimal. Exploiting the bug also required that an attacker know about it and find a way to direct the victim to a malicious website.
However, the VPN provider has stated that it is introducing more checks to catch problems like this before builds are published, and that it is improving its automated tests.
ExpressVPN's response to the bug report, only five days between Adam-X's submission and the first patch, is impressive. But why did it take so long to share the information publicly? Well, it's a security issue.