A reviewer recently discovered a flaw in ExpressVPN's Windows app that allowed some DNS requests to bypass its servers, potentially exposing the domains users visited to their internet service providers. The issue occurred only when the "Only allow selected apps to use the VPN" split tunneling mode was enabled in versions 12.23.1 to 12.72.0, released between May 2022 and February 2024.
Split tunneling routes only selected apps' traffic through the VPN tunnel. The bug allowed some DNS requests that should have been protected to leak out to third-party DNS servers instead, usually those of the user's ISP. While the ISP could see domain information like "google.com," contents remained encrypted, and actual browsing behavior was still hidden.
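A defender can check for this kind of leak by comparing per-process DNS flow records against the split tunneling policy. The following is an added example, not ExpressVPN's code: the log format, process names, interface names (`vpn0`, `eth0`) and addresses are constructed assumptions, and only port 53 DNS is considered.

```python
import csv
import io
from ipaddress import ip_address

# Constructed sample records: time, process, interface, dst_ip, dst_port, qname.
# All names and addresses are hypothetical (documentation ranges).
SAMPLE_LOG = """\
10:00:01,browser.exe,vpn0,10.8.0.1,53,example.com
10:00:02,browser.exe,eth0,192.0.2.53,53,example.org
10:00:03,updater.exe,eth0,192.0.2.53,53,example.net
10:00:04,browser.exe,vpn0,192.0.2.53,53,example.edu
10:00:05,updater.exe,eth0,198.51.100.7,443,
"""

def find_dns_leaks(log_text, selected_apps, vpn_iface, vpn_resolvers):
    """Return DNS queries from VPN-selected apps that did not stay on the tunnel."""
    resolvers = {ip_address(r) for r in vpn_resolvers}
    selected = {a.lower() for a in selected_apps}
    leaks = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 6:
            continue  # skip blank or malformed lines
        ts, proc, iface, dst, port, qname = (f.strip() for f in row)
        if port != "53" or proc.lower() not in selected:
            continue  # not DNS, or the app is meant to bypass the VPN
        reasons = []
        if iface != vpn_iface:
            reasons.append("left via non-VPN interface")
        if ip_address(dst) not in resolvers:
            reasons.append("sent to non-VPN resolver")
        if reasons:
            leaks.append({"time": ts, "process": proc, "qname": qname,
                          "dst": dst, "reasons": reasons})
    return leaks

if __name__ == "__main__":
    # Policy: only browser.exe is selected to use the VPN.
    for leak in find_dns_leaks(SAMPLE_LOG, {"browser.exe"}, "vpn0", {"10.8.0.1"}):
        print(leak)
```

Queries from apps outside the selected list are expected to use the ISP resolver in this mode, so they are not flagged.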
ExpressVPN quickly disabled split tunneling in Version 12 of its Windows app to contain the problem. The company estimates less than 1% of its user base was impacted across a single platform. An update has been pushed to automatically disable split tunneling if it was previously turned on.
Engineers are still investigating the root cause of the DNS leak. In the meantime, split tunneling remains available and functioning normally through the Version 10 Windows app. Users can downgrade to regain access to the feature if needed urgently.
ExpressVPN expects to restore split tunneling once testing confirms the issue has been fully resolved. Windows users should install the latest app update if they have not received it already. All other platforms remain unaffected by the vulnerability.