ExpressVPN User Data Exposed Due to Bug

Share This Post

ExpressVPN last week disabled split tunneling on its Windows clients to prevent an issue where DNS requests were not properly directed to its servers.

The issue, introduced in May 2022 in version 12.23.1 of ExpressVPN, resulted in DNS requests remaining unprotected in certain conditions, the VPN solutions provider announced.

Normally, when a user is connected to ExpressVPN, their DNS requests are sent to the company’s servers. 

Due to the bug, the requests were sent to a third party, typically the internet services provider (ISP), unless otherwise configured, which could determine the domain visited by the user, but not individual pages and other behavior.

“All contents of the user’s traffic remain encrypted by the VPN and unviewable by the ISP or any other third party,” ExpressVPN explains.

The bug impacted versions 12.23.1 through 12.72.0 of ExpressVPN for Windows, if the split-tunneling feature was used and the ‘Only allow selected apps to use the VPN’ mode was enabled.

The split tunneling feature is meant to allow users to limit the applications that can send their traffic through the VPN solution.

According to ExpressVPN, the bug impacted less than 1% of its Windows users, given that the issue could not be reproduced without split tunneling activated or with split tunneling used in ‘Do not allow selected apps to use the VPN’ mode.

Advertisement. Scroll to continue reading.

“No other VPN protections, such as encryption, were affected,” ExpressVPN explains.

Version 12.73.0 of ExpressVPN for Windows was rolled out last week to disable split tunneling entirely, and users are advised to upgrade their installations as soon as possible. The feature will remain disabled until the underlying issue is identified and addressed.

Users in urgent need of split tunneling may downgrade to version 10 of ExpressVPN for Windows, in which the feature functions as intended.

Related: Ivanti Patches High-Severity Vulnerability in VPN Appliances

Related: Fortinet Patches Critical FortiGate SSL VPN Vulnerability

Related: Is Enterprise VPN on Life Support or Ripe for Reinvention?

This post was originally published on this site

More Articles


Navigating SEC Regulations In Cybersecurity And Incident Response

Free video resource for cybersecurity professionals. As 2024 approaches, we all know how vital it is to keep up to date with regulatory changes that affect our work. We get it – it’s a lot to juggle, especially when you’re in the trenches working on an investigation, handling, and responding to incidents.


BFU – Seeing is Believing

Oh no, the device is in BFU. This is the common reaction; a device needs extracting, and you find it in a BFU state. Often, there’s an assumption that a BFU extraction will only acquire basic information, but that isn’t always the case.