CVE-2024-25728: ExpressVPN Bug Exposed User Browsing History

A recently discovered security bug in ExpressVPN’s Windows software, tracked as CVE-2024-25728, has forced the popular VPN provider to temporarily disable its ‘split tunneling‘ feature. This serious flaw could have exposed sensitive user information, including visited websites, even while connected to the VPN.

The Vulnerability: What Went Wrong

ExpressVPN’s split tunneling feature is designed to give users granular control over which apps and traffic use the secure VPN connection. Unfortunately, a coding error in this feature meant that while split tunneling was activated, DNS requests (requests that translate website names into IP addresses) could bypass ExpressVPN’s secure servers. This potentially revealed users’ browsing activity to their internet service providers (ISPs).

Who Was Affected?

This flaw specifically affected Windows users running ExpressVPN versions 12.23.1 to 12.72.0. If you use ExpressVPN on other platforms (like Mac, iOS, or Android) or an older version on Windows, you are not impacted.

“Although the issue is believed to involve less than 1% of users on a single app platform, Version 12 for Windows, ExpressVPN rolled out an update that disabled split tunneling on that platform entirely, to minimize the potential ongoing risk to customers. The feature will remain deactivated while engineers investigate and fix the problem,” the company explained.

The Consequences: Leaky Data

It’s important to note that even with CVE-2024-25728, the contents of your web traffic remain encrypted. Your ISP or other snoopers couldn’t see the specific pages you visited or what you did online. However, seeing the domain names you visited (like google.com, facebook.com, etc.) could still reveal sensitive information about your browsing habits.

ExpressVPN’s Response: Swift and Decisive

Acknowledging the severity of the issue, ExpressVPN acted quickly. They immediately disabled the split tunneling feature across all affected Windows versions as a precaution. While engineers work on a fix, users wanting the convenience of split tunneling will need to wait.

What You Need to Do

1. Update Urgently! If you are a Windows ExpressVPN user on an affected version, update to the latest version of their software immediately. Automatic updates may have already been applied, but it’s worth double-checking.

2. Reassess Your Need: Until the split tunneling issue is resolved, carefully consider whether the feature is essential for your browsing needs.