Popular virtual private network (VPN) provider ExpressVPN has uncovered and promptly addressed a troubling vulnerability in recent versions of its Windows software that allowed internet service providers (ISPs) and other third parties to view some user DNS requests, potentially exposing browsing habits and destroying privacy promises.
The significant bug was introduced in ExpressVPN Windows versions 12.23.1 through 12.72.0, spanning releases from May 19th, 2022 through February 7th, 2024. It allowed DNS leakages for those using the “split tunneling” feature, which intelligently routes some traffic through the encrypted VPN tunnel while other traffic routes outside the tunnel.
While contents of user traffic remained protected, DNS requests that should have been hidden were exposed. DNS requests reveal the domains users visit, providing insightful browsing history to snoopers.
By design, ExpressVPN directs all DNS traffic through its own DNS servers to prevent observation by ISPs, governments, hackers, and others. This bug defeated these privacy protections for affected Windows users with split tunneling enabled.
The vulnerability was discovered and responsibly reported by security researcher Attila Tomaschek of CNET. Tomaschek uncovered that with split tunneling active, some DNS requests were leaking to external DNS servers instead of being securely routed through ExpressVPN’s private infrastructure.
Most commonly, requests were exposed to a user’s own ISP’s DNS server. While this did not reveal specific pages visited or account details, it did expose the sites and services a user connected to.
ExpressVPN releases patch, disables split tunneling
In response, ExpressVPN rapidly patched the affected application versions and disabled split tunneling functionality while they solved the underlying problem.
They noted that only about 1% of Windows users actively leveraged split tunneling and were impacted by the bug. For those affected, visited domains could have been observed by ISPs for over 2 years until the discovery of the flaw.
The company recommends that affected users upgrade to the latest ExpressVPN Windows version 12.73.0, which removes but will later re-add split tunneling once the bugs are resolved. For anyone requiring split tunneling immediately, they advise downgrading to the older version 10 release.
This situation highlights the importance of vulnerability discovery and responsible disclosure for fixing bugs before malicious actors become aware and abuse them. It also illustrates the difficulty of assembling secure, reliable virtual private networking tools.
ExpressVPN’s actions demonstrate their commitment to transparency, integrity, and protecting their users. While a small percentage were impacted for a short period, they deserve credit for their response and dedication to doing better going forward. The intent is not to punish providers when bugs occur but to ensure accountability to do better.
ExpressVPN is a secure channel that creates a tunnel between your device and the internet. It ensures the protection of your data from snooping and censorship. With best-in-class encryption, 24/7 live chat support, and TrustedServer technology, it guarantees maximum security. You can connect to servers in 105 countries and use up to 14 devices at the same time. With lightning-fast speeds, ExpressVPN is the ultimate solution for your online privacy needs.
Discover more from GadgetBond
Subscribe to get the latest posts sent to your email.
![Minimal graphic with the text “OpenAI DevDay [2026]” centered on a light background, with a small green abstract icon of arrows and a circle in the lower right corner.](https://i0.wp.com/gadgetbond.com/wp-content/uploads/2026/04/OpenAI-DevDay-2026_SEO_16_9.png?resize=330%2C220&ssl=1)