Connect with us

Hi, what are you looking for?



ExpressVPN User Data Exposed Due to Bug

ExpressVPN disables split tunneling on Windows after learning that DNS requests were not properly directed.

ExpressVPN last week disabled split tunneling on its Windows clients to prevent an issue where DNS requests were not properly directed to its servers.

The issue, introduced in May 2022 in version 12.23.1 of ExpressVPN, resulted in DNS requests remaining unprotected in certain conditions, the VPN solutions provider announced.

Normally, when a user is connected to ExpressVPN, their DNS requests are sent to the company’s servers. 

Due to the bug, the requests were sent to a third party, typically the internet services provider (ISP), unless otherwise configured, which could determine the domain visited by the user, but not individual pages and other behavior.

“All contents of the user’s traffic remain encrypted by the VPN and unviewable by the ISP or any other third party,” ExpressVPN explains.

The bug impacted versions 12.23.1 through 12.72.0 of ExpressVPN for Windows, if the split-tunneling feature was used and the ‘Only allow selected apps to use the VPN’ mode was enabled.

The split tunneling feature is meant to allow users to limit the applications that can send their traffic through the VPN solution.

According to ExpressVPN, the bug impacted less than 1% of its Windows users, given that the issue could not be reproduced without split tunneling activated or with split tunneling used in ‘Do not allow selected apps to use the VPN’ mode.

Advertisement. Scroll to continue reading.

“No other VPN protections, such as encryption, were affected,” ExpressVPN explains.

Version 12.73.0 of ExpressVPN for Windows was rolled out last week to disable split tunneling entirely, and users are advised to upgrade their installations as soon as possible. The feature will remain disabled until the underlying issue is identified and addressed.

Users in urgent need of split tunneling may downgrade to version 10 of ExpressVPN for Windows, in which the feature functions as intended.

Related: Ivanti Patches High-Severity Vulnerability in VPN Appliances

Related: Fortinet Patches Critical FortiGate SSL VPN Vulnerability

Related: Is Enterprise VPN on Life Support or Ripe for Reinvention?

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.