# Full Report
ExpressVPN has fixed a flaw in its Windows client that caused Remote Desktop Protocol (RDP) traffic to bypass the virtual private network (VPN) tunnel, exposing the users' real IP addresses. [...]
# Analysis Summary
# Vulnerability: ExpressVPN Bug Potentially Leaked User IPs During RDP Sessions
## CVE Details
- CVE ID: Not specified in the provided text.
- CVSS Score: Not specified in the provided text.
- CWE: Not specified in the provided text.
## Affected Systems
- Products: ExpressVPN Windows Client
- Versions: Prior to 12.101.0.45
- Configurations: Users actively using Remote Desktop Protocol (RDP) while connected to the VPN tunnel. The vendor notes this is more common in enterprise/IT administrative contexts than typical consumer use.
## Vulnerability Description
A bug existed within the ExpressVPN Windows client when used in conjunction with Microsoft's Remote Desktop Protocol (RDP). This flaw could potentially cause the user's actual IP address to be revealed during RDP sessions, bypassing the privacy protections intended by the VPN connection.
## Exploitation
- Status: Not explicitly stated, but described as a functional bug requiring specific conditions (active RDP session).
- Complexity: Likely Medium, as it requires the specific use of RDP.
- Attack Vector: Network (as RDP operates over a network connection).
## Impact
- Confidentiality: Potential leak of real user IP address, compromising geographical location and potentially real identity.
- Integrity: Low (Primary impact is leakage, not modification).
- Availability: Negligible (Primary impact is leakage, not service disruption).
## Remediation
### Patches
- ExpressVPN Windows Client version 12.101.0.45 or newer.
### Workarounds
- None explicitly provided other than immediate patching/upgrading. (Implied workaround: Avoid using RDP while connected to ExpressVPN until patched.)
## Detection
- Detection methods are not specified. A relevant check is to verify, during an active RDP session, that the RDP traffic (TCP 3389 by default) egresses via the VPN adapter rather than the physical interface, and that the remote host observes the VPN exit IP rather than the client's real address.
- Indicators of compromise (IOCs) are not detailed, as this is a VPN client logic flaw rather than malware execution.
## References
- Article source (BleepingComputer): bleepingcomputer.com/news/security/expressvpn-bug-leaked-user-ips-in-remote-desktop-sessions/