Vulnerability Description
ExpressVPN before 12.73.0 on Windows, when split tunneling is used, sends DNS requests according to the Windows configuration (e.g., sends them to DNS servers operated by the user's ISP instead of to the ExpressVPN DNS servers), which may allow remote attackers to obtain sensitive information about websites visited by VPN users.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Expressvpn | Expressvpn | >= 12.23.1, < 12.73.0 |
Related Weaknesses (CWE)
References
- https://www.bleepingcomputer.com/news/security/expressvpn-bug-has-been-leaking-sThird Party Advisory
- https://www.expressvpn.com/blog/windows-app-dns-requests/Vendor Advisory
- https://www.bleepingcomputer.com/news/security/expressvpn-bug-has-been-leaking-sThird Party Advisory
- https://www.expressvpn.com/blog/windows-app-dns-requests/Vendor Advisory
FAQ
What is CVE-2024-25728?
CVE-2024-25728 is a vulnerability with a CVSS score of 7.5 (HIGH). ExpressVPN before 12.73.0 on Windows, when split tunneling is used, sends DNS requests according to the Windows configuration (e.g., sends them to DNS servers operated by the user's ISP instead of to ...
How severe is CVE-2024-25728?
CVE-2024-25728 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-25728?
Check the references section above for vendor advisories and patch information. Affected products include: Expressvpn Expressvpn.