3 links
tagged with all of: security + rdp
Links
ExpressVPN has addressed a vulnerability in its Windows client that allowed Remote Desktop Protocol (RDP) traffic to bypass the VPN tunnel, potentially exposing users' real IP addresses. The issue stemmed from leftover debug code in production builds, and the company has since released a patch to fix it, urging users to update to the latest version for improved security. While the leak affected a small number of users primarily using RDP, ExpressVPN will enhance its internal checks to prevent similar issues in the future.
A large-scale botnet targeting Remote Desktop Protocol (RDP) services in the U.S. has emerged, utilizing over 100,000 IP addresses from various countries. The campaign uses timing attacks and user enumeration techniques, and researchers advise system administrators to block malicious IPs and enhance security measures like VPNs and multi-factor authentication.
RDP poses significant security risks as it is a common target for attackers, making it essential for defenders to understand its event logging. The article details key RDP-related Event IDs and their significance in tracking session activities, and provides a timeline visualization to aid in forensic investigations and in identifying unauthorized access. Monitoring successful and unsuccessful logins, session disconnects, and logoffs can help detect suspicious behavior effectively.