PT-2024-2361 · Expressvpn · Expressvpn
Attila Tomaschek · Published 2024-02-11 · Updated 2024-10-30
CVE-2024-25728
CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
ExpressVPN versions prior to 12.73.0 on Windows
Description
The issue is related to the split tunneling feature in ExpressVPN, which sends DNS requests according to the Windows configuration instead of using the ExpressVPN DNS servers. This may allow remote attackers to obtain sensitive information about websites visited by VPN users.
Recommendations
For ExpressVPN versions prior to 12.73.0 on Windows, update to version 12.73.0 or later to resolve the issue.
As a temporary workaround, consider disabling the split tunneling feature until a patch is available.
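To check a Windows host against the recommendations above, the following PowerShell sketch reports the installed ExpressVPN version relative to 12.73.0 and lists the DNS servers Windows has configured on each interface. It is an added example, not ExpressVPN's or the advisory author's code; the uninstall-entry name pattern and the adapter description pattern are assumptions and may need adjusting for a given installation.

```powershell
# Added example: audit a Windows host for exposure to CVE-2024-25728.
# Assumptions (not from the advisory): the product's uninstall entry has a DisplayName
# starting with "ExpressVPN", and the VPN adapter's description contains "ExpressVPN".
$FixedVersion   = [version]'12.73.0'   # first fixed version, taken from the advisory
$ProductPattern = 'ExpressVPN*'        # assumed DisplayName pattern
$AdapterPattern = '*ExpressVPN*'       # assumed adapter description pattern

function Test-VersionAffected {
    param([string]$DisplayVersion, [version]$Fixed = $FixedVersion)
    $parsed = $null
    # Return $null (unknown) when the version string cannot be parsed.
    if (-not [version]::TryParse($DisplayVersion, [ref]$parsed)) { return $null }
    return $parsed -lt $Fixed
}

# Installed version: read the standard uninstall keys (64-bit and 32-bit views).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $ProductPattern } |
    Select-Object DisplayName, DisplayVersion,
        @{ Name = 'Affected'; Expression = { Test-VersionAffected $_.DisplayVersion } }

# DNS servers per interface, as Windows has them configured (IPv4 and IPv6).
$dns = Get-DnsClientServerAddress |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object {
        $adapter = Get-NetAdapter -InterfaceIndex $_.InterfaceIndex -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Interface  = $_.InterfaceAlias
            IsVpn      = [bool]($adapter.InterfaceDescription -like $AdapterPattern)
            DnsServers = $_.ServerAddresses -join ', '
        }
    }

$installed | Format-Table -AutoSize
$dns | Sort-Object Interface -Unique | Format-Table -AutoSize
if ($installed | Where-Object Affected) {
    Write-Warning "ExpressVPN older than $FixedVersion is installed. With split tunneling in use, DNS requests follow the Windows configuration listed above (rows with IsVpn = False are non-VPN resolvers)."
}
```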
Fix
Information Disclosure
Insecure Storage of Sensitive Information
Affected Products
Expressvpn