Our response to an OpenVPN denial of service vulnerability

Hello everyone!

We wanted to keep you informed on a new security vulnerability that affected OpenVPN late last month. Fortunately, we're not aware of any cases where this affected us, but we wanted to let you know that we have been on top of things and that we took swift action to address the vulnerability. We’ve patched all of our OpenVPN servers and aren’t susceptible to this bug.

The vulnerability, outlined here, allows hackers to crash OpenVPN servers in a denial of service attack.

How might this have affected us? With this vulnerability, hackers could have signed up for ExpressVPN accounts (or the VPN service-target of their choice), connected using the OpenVPN protocol, then sent malicious data that would have caused the server to crash and become unavailable for other users.

Thankfully, as mentioned earlier, we're not aware of any cases where this happened.

In short: vulnerability discovered, we took swift action to patch our servers, and all systems look good!

Have a great day everybody!

Happy VPNing,
ExpressVPN