Split tunneling is disabled in the latest version of ExpressVPN for Windows (12.73.0). This is a temporary change, and it will be reversed after ExpressVPN patches a newly discovered DNS bug. Other versions of the ExpressVPN app still support split tunneling.
The DNS vulnerability was discovered by Attila Tomaschek, a staff writer at CNET. Tomaschek observed that DNS requests were not sent to ExpressVPN’s servers when split tunneling was enabled. ExpressVPN successfully reproduced the vulnerability, but only in “Only allow selected apps to use the VPN” split-tunneling mode. And, even then, DNS leakage was an occasional and inconsistent problem.
It seems that the vulnerability was introduced with version 12.23.1 of ExpressVPN for Windows, which was released in May of 2022. It went undetected for nearly two years, presumably because it’s so niche and hit-or-miss. Funnily enough, split tunneling is still functioning properly in Version 10 of the ExpressVPN Windows app.
ExpressVPN estimates that 1% of Windows users meet the criteria for this vulnerability. If you happen to be part of this 1%, your DNS requests may have been exposed to your DNS provider, which is usually your ISP. But your actual web traffic remained encrypted. In other words, your ISP or third-party DNS provider may have seen domain names (like google.com), but it did not see the individual web pages or content that you interacted with. Location spoofing may also fail when a DNS leak occurs.
The DNS bug affects an incredibly small subset of users. Still, ExpressVPN is taking a proactive approach. Split-tunnel functionality is completely disabled in version 12.73.0 of ExpressVPN for Windows, and it won’t be re-enabled until a bug fix is found. We appreciate ExpressVPN’s response to the DNS bug, though the company’s dramatically-titled announcement seems to have startled some people.
A future update will resolve ExpressVPN’s DNS bug and enable split-tunneling functionality. Additional information is available on the ExpressVPN FAQ. Customers are asked to update their ExpressVPN for Windows installation, but this may be unnecessary, as the app should update automatically. Those who are using ExpressVPN Version 10 for Windows do not need to take any action. The bug only affects ExpressVPN Version 12.
Source: ExpressVPN