ExpressVPN has informed its customers that a vulnerability in the latest version of its Windows app has exposed the DNS requests of a small subset of users to their internet service providers.
When the split tunneling feature was activated in version 12 of the ExpressVPN app for Windows, some DNS requests bypassed the VPN’s encrypted tunnel and were sent to third-party DNS servers, in this case, the users’ ISPs. Affected users inadvertently exposed their browsing history to their ISPs without realizing it and were also susceptible to man-in-the-middle attacks for an extended period.
The issue was discovered and reported to the VPN vendor by CNET’s writer Attila Tomaschek and impacts all versions released between 12.23.1 and 12.72.0. This means that the DNS leak problem persisted between May 19, 2022, and February 7, 2024, but it was unfortunately missed by all audits looking into the security and integrity of the Windows client.
Split tunneling is a feature that allows users to select which apps send traffic through the VPN and which connect directly to the internet. This feature is useful for accessing local network devices or optimizing performance for specific applications. However, DNS requests are never meant to be routed outside the product’s encrypted tunnels, so this was an oversight that might have undermined the privacy of ExpressVPN users.
The VPN provider reports that the issue affected a minimal portion of its clientele. Only approximately 1% of its Windows users utilize the split tunneling feature, thus limiting the impact to a small subset of its customer base. Despite the limited scope of the issue, the functionality has been temporarily disabled in the most recent app version, 12.73.0. This precautionary measure will remain in effect until ExpressVPN’s engineering team thoroughly investigates and resolves the matter.
Until then, users who need to continue using split tunneling may do so safely by downgrading to version 10, which isn’t impacted by the vulnerability. You can download this older client version from here. After activating split tunneling, validate that your DNS requests aren’t exposed to your ISP using DNS leak test tools.
Despite this lapse, ExpressVPN remains a top-rated product in the VPN market. It offers extensive platform support, a verified no-logs policy, satisfactory customer service, competitive performance, a rich selection of servers, and support for most streaming services. Check out our detailed review of ExpressVPN.
- CyberGhost VPN for Windows Vulnerable to Command Injection
- VPN Tests – How to Check if Your VPN is Working in 2024
- CyberGhost VPN Client Vulnerable to Man-in-the-Middle Attacks
- Kape Technologies (Formerly Crossrider) Now Owns ExpressVPN, CyberGhost, Private Internet Access, Zenmate, and a Collection of VPN “Review” Websites