CVE-2024-25728

ExpressVPN before 12.73.0 on Windows, when split tunneling is used, sends DNS requests according to the Windows configuration (e.g., sends them to DNS servers operated by the user's ISP instead of to the ExpressVPN DNS servers), which may allow remote attackers to obtain sensitive information about websites visited by VPN users.
Configurations

Configuration 1 (hide)

cpe:2.3:a:expressvpn:expressvpn:*:*:*:*:*:windows:*:*

History

30 Oct 2024, 20:35

Type Values Removed Values Added
CWE CWE-922

05 Sep 2024, 13:54

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.5
CWE NVD-CWE-noinfo
First Time Expressvpn
Expressvpn expressvpn
CPE cpe:2.3:a:expressvpn:expressvpn:*:*:*:*:*:windows:*:*
References () https://www.bleepingcomputer.com/news/security/expressvpn-bug-has-been-leaking-some-dns-requests-for-years/ - () https://www.bleepingcomputer.com/news/security/expressvpn-bug-has-been-leaking-some-dns-requests-for-years/ - Third Party Advisory
References () https://www.expressvpn.com/blog/windows-app-dns-requests/ - () https://www.expressvpn.com/blog/windows-app-dns-requests/ - Vendor Advisory

11 Feb 2024, 22:29

Type Values Removed Values Added
New CVE

Information

Published : 2024-02-11 22:15

Updated : 2024-10-30 20:35


NVD link : CVE-2024-25728

Mitre link : CVE-2024-25728

CVE.ORG link : CVE-2024-25728


JSON object : View

Products Affected

expressvpn

  • expressvpn
CWE
NVD-CWE-noinfo CWE-922

Insecure Storage of Sensitive Information