ExpressVPN has released a new patch for its Windows app to close a vulnerability that can leave remote desktop traffic unprotected. If you use ExpressVPN on Windows, download version 12.101.0.45 as soon as possible, especially if you use Remote Desktop Protocol (RDP) or any other traffic through TCP port 3389.
ExpressVPN announced both the vulnerability and the fix in a blog post earlier this week. According to that post, an independent researcher going by Adam-X sent in a tip on April 25 to claim a reward from ExpressVPN's bug bounty program. Adam-X noticed that some internal debug code which left traffic on TCP port 3389 unprotected had mistakenly shipped to customers. ExpressVPN released the patch about five days later in version 12.101.0.45 for Windows.
As ExpressVPN points out in its announcement of the patch, it's unlikely that the vulnerability was actually exploited. Any hypothetical hacker would not only have to be aware of the flaw, but would then have to trick their target into sending a web request over RDP or other traffic that uses port 3389. Even if all the dominos fell, the hacker could only see their target's real IP address, not any of the actual data they transmitted.
Even if the danger was small, it's nice to see ExpressVPN responding proactively to flaws in its product — bug bounties are great, but a security product should protect its users with as many safeguards as possible. In addition to closing this vulnerability, they're also adding automated tests that check for debug code accidentally left in production builds. This, plus a successful independent privacy audit earlier in 2025, gives the strong impression of a provider that's on top of things.
This article originally appeared on Engadget at https://www.engadget.com/cybersecurity/vpn/expressvpn-patches-windows-bug-that-exposed-remote-desktop-traffic-171507501.html?src=rss
