ExpressVPN before 12.73.0 on Windows, when split tunneling is used, sends DNS requests according to the Windows configuration (e.g., sends them to DNS servers operated by the user's ISP instead of to the ExpressVPN DNS servers), which may allow remote attackers to obtain sensitive information about websites visited by VPN users.
References
Link | Resource |
---|---|
https://www.bleepingcomputer.com/news/security/expressvpn-bug-has-been-leaking-some-dns-requests-for-years/ | Third Party Advisory |
https://www.expressvpn.com/blog/windows-app-dns-requests/ | Vendor Advisory |
Configurations
History
30 Oct 2024, 20:35
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-922 |
05 Sep 2024, 13:54
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
CWE | NVD-CWE-noinfo | |
First Time |
Expressvpn
Expressvpn expressvpn |
|
CPE | cpe:2.3:a:expressvpn:expressvpn:*:*:*:*:*:windows:*:* | |
References | () https://www.bleepingcomputer.com/news/security/expressvpn-bug-has-been-leaking-some-dns-requests-for-years/ - Third Party Advisory | |
References | () https://www.expressvpn.com/blog/windows-app-dns-requests/ - Vendor Advisory |
11 Feb 2024, 22:29
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-02-11 22:15
Updated : 2024-10-30 20:35
NVD link : CVE-2024-25728
Mitre link : CVE-2024-25728
CVE.ORG link : CVE-2024-25728
JSON object : View
Products Affected
expressvpn
- expressvpn
CWE