You know what really stinks? When a product you paid for doesn’t work correctly. You know what’s even worse? When that product essentially betrays your trust. Sadly, a popular VPN service has done exactly that.
You see, ExpressVPN has patched its Windows app due to a serious issue. If you’re a user, this should raise some serious red flags. A bug in recent versions of the app caused certain network traffic to bypass the encrypted VPN tunnel. That means your real IP address may have been exposed without you even knowing it!
The problem was tied to Remote Desktop traffic and anything sent over TCP port 3389. Instead of being routed through ExpressVPN’s secure tunnel, that traffic went directly through your local internet connection. It stayed encrypted, but your real IP address and the servers you were accessing could have been visible to outside observers. That includes your internet service provider or anyone on the same Wi-Fi network.
Shockingly, this wasn’t discovered by ExpressVPN itself. A researcher named Adam-X reported the issue through the company’s bug bounty program. ExpressVPN confirmed the problem within hours and released a fix five days later in version 12.101.0.45.
The root cause was leftover debug code. It was meant for internal testing but somehow ended up in production builds. That should never happen in software focused on privacy. Debug tools and test settings belong in the lab, not in an app people use to protect themselves online.
ExpressVPN says the issue only affected specific scenarios, mostly involving Remote Desktop Protocol. That is something used more often in corporate settings than by everyday users. Still, the bug also applied to any kind of TCP traffic over port 3389. That opens the door to more creative attacks. A website could have been crafted to send data over that port and potentially reveal a user’s real IP address.
The company insists the risk of this being exploited in the wild was very low. There is no evidence anyone used it for malicious purposes. But that is cold comfort for people who rely on ExpressVPN to shield their identity and keep them anonymous.
This was not simply a one-off glitch. Actually, it was a breakdown in quality control. VPN users deserve better than debug code slipping into stable releases. Privacy tools are supposed to be airtight. When they are not, trust starts to erode.
ExpressVPN says it is tightening internal safeguards and improving automated testing. That sounds good, but users are left asking a simple question. Can this VPN still be trusted?
If you use ExpressVPN on Windows, update your app now. That part is easy. What is harder is deciding whether this company still deserves your confidence. A VPN should never leak your IP address. If it does, even under rare conditions, it calls the whole product into question.
