Updates have been released by major VPN service provider ExpressVPN to resolve a vulnerability impacting its Windows client that resulted in the exposure of its users' IP addresses, according to BleepingComputer.
The security issue, which was identified and reported by cybersecurity researcher "Adam-X" in late April, stemmed from the wrongful retention of debug code in production builds that enabled Remote Desktop Protocol traffic evasion of the VPN tunnels, said ExpressVPN, which urged its users to immediately implement version 12.101.0.45 of its Windows client. "...[T]his issue would most commonly have affected users actively using RDPa protocol that's generally not used by typical consumers. Given that ExpressVPN's user base is made up predominantly of individual users rather than enterprise customers, the number of affected users is likely small," the VPN provider added. Such a development comes more than a year after ExpressVPN reported a flaw that exposed users' DNS requests when its Windows client's 'slipt tunneling' capability is activated.
The security issue, which was identified and reported by cybersecurity researcher "Adam-X" in late April, stemmed from the wrongful retention of debug code in production builds that enabled Remote Desktop Protocol traffic evasion of the VPN tunnels, said ExpressVPN, which urged its users to immediately implement version 12.101.0.45 of its Windows client. "...[T]his issue would most commonly have affected users actively using RDPa protocol that's generally not used by typical consumers. Given that ExpressVPN's user base is made up predominantly of individual users rather than enterprise customers, the number of affected users is likely small," the VPN provider added. Such a development comes more than a year after ExpressVPN reported a flaw that exposed users' DNS requests when its Windows client's 'slipt tunneling' capability is activated.
