CVE-2024-25728 is a vulnerability identified in ExpressVPN versions before 12.73.0 on Windows platforms that use split tunneling functionality. Split tunneling allows users to route some traffic through the VPN while other traffic accesses the internet directly. In this case, when split tunneling is enabled, DNS requests do not consistently use ExpressVPN's secure DNS servers but instead follow the Windows system DNS configuration. This misconfiguration results in DNS queries being sent to DNS servers operated by the user's ISP or other third parties, rather than being securely tunneled through the VPN. The leakage of DNS requests can reveal sensitive information about the websites visited by the user, compromising privacy and potentially exposing browsing habits to remote attackers who can monitor or intercept DNS traffic. The vulnerability is remotely exploitable without requiring any authentication or user interaction, increasing the risk profile. It is categorized under CWE-922 (Improper Restriction of Operations within the Bounds of a Memory Buffer) indicating a logic flaw in handling DNS routing within the VPN client. The CVSS v3.1 base score is 7.5, with an attack vector of network, low attack complexity, no privileges required, and no user interaction needed. This vulnerability primarily impacts confidentiality, with no direct impact on integrity or availability. No public exploits have been reported yet, but the potential for privacy breaches is significant, especially for users relying on ExpressVPN for anonymity and secure communications.

The primary impact of CVE-2024-25728 is the compromise of user privacy through DNS leakage. Organizations and individuals using ExpressVPN with split tunneling enabled may have their DNS queries exposed to ISPs or malicious actors capable of intercepting DNS traffic. This exposure can reveal sensitive information about visited websites and user behavior, undermining the confidentiality guarantees expected from VPN usage. For businesses, this could lead to leakage of confidential browsing data, potentially exposing corporate research, client information, or internal resources accessed via VPN. Privacy-focused users, journalists, activists, and others relying on VPNs for anonymity are particularly at risk. Although the vulnerability does not affect data integrity or system availability, the breach of confidentiality can have serious reputational and operational consequences. The ease of exploitation and lack of required privileges increase the likelihood of exploitation once the vulnerability is widely known. The absence of known exploits in the wild currently limits immediate risk, but proactive mitigation is critical to prevent future abuse.

To mitigate CVE-2024-25728, users and organizations should immediately update ExpressVPN clients on Windows to version 12.73.0 or later, where the issue is resolved. Administrators should audit VPN configurations to verify that split tunneling is used cautiously and that DNS requests are properly routed through the VPN DNS servers rather than the system DNS. If split tunneling is not essential, consider disabling it to ensure all traffic, including DNS, is routed through the VPN tunnel. Network monitoring tools can be employed to detect DNS requests leaking outside the VPN tunnel. Additionally, configuring Windows network settings to enforce DNS over HTTPS (DoH) or DNS over TLS (DoT) can help protect DNS queries from interception. Organizations should educate users about the risks of split tunneling and enforce policies that minimize exposure. Regularly reviewing VPN client updates and security advisories is essential to stay protected against similar vulnerabilities.