CVE-2024-25728

ExpressVPN before 12.73.0 on Windows, when split tunneling is used, sends DNS requests according to the Windows configuration (e.g., sends them to DNS servers operated by the user's ISP instead of to the ExpressVPN DNS servers), which may allow remote attackers to obtain sensitive information about websites visited by VPN users.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.bleepingcomputer.com/news/security/expressvpn-bug-has-been-leaking-some-dns-requests-for-years/	Third Party Advisory
https://www.expressvpn.com/blog/windows-app-dns-requests/	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:expressvpn:expressvpn:*:*:*:*:*:windows:*:*

History

30 Oct 2024, 20:35

Type	Values Removed	Values Added
CWE		CWE-922

05 Sep 2024, 13:54

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
CWE		NVD-CWE-noinfo
First Time		Expressvpn Expressvpn expressvpn
CPE		cpe:2.3:a:expressvpn:expressvpn::::::windows::*
References	~~() https://www.bleepingcomputer.com/news/security/expressvpn-bug-has-been-leaking-some-dns-requests-for-years/ -~~	() https://www.bleepingcomputer.com/news/security/expressvpn-bug-has-been-leaking-some-dns-requests-for-years/ - Third Party Advisory
References	~~() https://www.expressvpn.com/blog/windows-app-dns-requests/ -~~	() https://www.expressvpn.com/blog/windows-app-dns-requests/ - Vendor Advisory

11 Feb 2024, 22:29

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-02-11 22:15

Updated : 2024-10-30 20:35

NVD link : CVE-2024-25728

Mitre link : CVE-2024-25728

CVE.ORG link : CVE-2024-25728

JSON object : View

Products Affected

expressvpn

expressvpn

CWE

NVD-CWE-noinfo CWE-922

Insecure Storage of Sensitive Information

{"id": "CVE-2024-25728", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-02-11T22:15:08.360", "references": [{"url": "https://www.bleepingcomputer.com/news/security/expressvpn-bug-has-been-leaking-some-dns-requests-for-years/", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.expressvpn.com/blog/windows-app-dns-requests/", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-922"}]}], "descriptions": [{"lang": "en", "value": "ExpressVPN before 12.73.0 on Windows, when split tunneling is used, sends DNS requests according to the Windows configuration (e.g., sends them to DNS servers operated by the user's ISP instead of to the ExpressVPN DNS servers), which may allow remote attackers to obtain sensitive information about websites visited by VPN users."}, {"lang": "es", "value": "ExpressVPN anterior a 12.73.0 en Windows, cuando se utiliza t\u00fanel dividido, env\u00eda solicitudes DNS de acuerdo con la configuraci\u00f3n de Windows (por ejemplo, las env\u00eda a servidores DNS operados por el ISP del usuario en lugar de a los servidores DNS de ExpressVPN), lo que puede permitir a atacantes remotos obtener informaci\u00f3n confidencial sobre sitios web visitados por usuarios de VPN."}], "lastModified": "2024-10-30T20:35:11.960", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:expressvpn:expressvpn:*:*:*:*:*:windows:*:*", "vulnerable": true, "matchCriteriaId": "4595D351-20E9-40D8-AB7C-32340A0DD8B1", "versionEndExcluding": "12.73.0", "versionStartIncluding": "12.23.1"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}