ExpressVPN Rolls Out Major Upgrade to Its Already Impressive Lightway Protocol


Yahoo, 17-02-2025
ExpressVPN's Lightway protocol is getting a major upgrade -- one the company hopes makes it the VPN protocol of the future. On Monday, the VPN company announced the release of Lightway in Rust (essentially Lightway 2.0), which is designed for faster speeds, enhanced security and better overall performance.
When ExpressVPN first developed Lightway in 2020, the protocol was written in C, a programming language originally developed in the early '70s but still widely popular because of its simplicity and flexibility. Along with the original version of Lightway, other VPN protocols like OpenVPN and WireGuard are also implemented in C. But ExpressVPN says that reimplementing Lightway in Rust offers several distinct advantages over the protocol's previous iteration in C.
First is that Rust can make Lightway even more secure than it already is because using Rust eliminates certain vulnerabilities commonly found in C due to mishandling memory (Rust's memory safety features nullify such a risk). Also, Rust can give the protocol a boost when it comes to overall performance and battery life. Finally, Rust's codebase will allow ExpressVPN engineers to be more nimble and faster with updates and improvements to Lightway going forward.
'Upgrading Lightway from its previous C code to Rust was a strategic and straightforward decision to enhance performance, and security while ensuring longevity,' said Pete Membrey, ExpressVPN's chief research officer. 'With Rust widely recognized as the high-performing, secure, and reliable language, it was a natural choice for evolving Lightway.'
Essentially, what this all means for you is that the new implementation of Lightway should make your experience with ExpressVPN faster, more secure and more reliable. That's saying a lot because ExpressVPN is already one of the most secure and reliable VPNs you can buy -- and further solidifies the VPN as one of my top recommendations for users with critical privacy needs like journalists, attorneys, physicians, activists and whistleblowers. Even if you're just looking for general privacy online, there's nothing wrong with giving your privacy an even greater boost with Lightway in Rust.
And although it hasn't been the fastest VPN over the past few years, rolling out Lightway in Rust could give ExpressVPN a much-needed speed boost. This means that you should experience smoother streaming performance, faster downloads, uninterrupted video calls and lower ping during your gaming sessions while connected to ExpressVPN and using the new implementation of Lightway.
So, in theory, Lightway's re-coding should be a major improvement all around to an already stellar VPN. But while a VPN's speed and reliability can be generally pretty evident to the average user, quantifying a VPN protocol's security isn't. ExpressVPN addresses this in a couple of important ways. For one, Lightway is an open-source VPN protocol, meaning that its codebase is publicly available online for anyone to scrutinize or even implement into their own VPN solutions. This makes it possible for experts to validate the security of the protocol and spot any potential vulnerabilities.
Additionally, ExpressVPN commissioned two separate independent audits in late 2024 to validate the security of Lightway in Rust -- one by Cure53 and the other by Praetorian. The two cybersecurity firms worked independently of one another, and both delivered an overall positive assessment of Lightway in Rust's implementation. Cure53 identified one high-severity vulnerability and four 'general weaknesses with lower exploitation potential' while Praetorian found two low-risk vulnerabilities -- all of which were subsequently resolved by ExpressVPN.
'Overall…Cure53's very limited number of findings, especially with only one exploitable vulnerability, can be interpreted as a positive sign for the security of the ExpressVPN Lightway protocol,' Cure53 wrote in its audit report.
ExpressVPN is the undisputed leader in the VPN industry when it comes to transparency through independent audits, undergoing multiple audits every year. While an audit can only validate the state of the VPN at the time of the audit itself, it serves as an important signal of trust and can give the public confidence in the VPN that it's doing what it says it's doing. But being open-source can help fill those gaps because it gives the entire security community the opportunity to examine the code at any time.
'ExpressVPN has always led the industry in third-party evaluation and verification of our software, technology and policies,' Aaron Engel, ExpressVPN's chief information security officer, said in a blog post. 'Having Lightway evaluated by two independent third-party auditors is our way of showing our commitment to transparency while demonstrating our confidence in the technology we have developed.'
Lightway in Rust is being rolled out first to ExpressVPN's Aircove routers on Monday, followed by Android at the end of March, Linux early in the second quarter, MacOS toward the end of the second quarter and finally to Windows by the end of the third quarter.

Related Articles

ExpressVPN patches Windows bug that exposed remote desktop traffic
Yahoo / Engadget, 23-07-2025

ExpressVPN has released a new patch for its Windows app to close a vulnerability that can leave remote desktop traffic unprotected. If you use ExpressVPN on Windows, download version 12.101.0.45 as soon as possible, especially if you use Remote Desktop Protocol (RDP) or any other traffic through TCP port 3389.

ExpressVPN announced both the vulnerability and the fix in a blog post earlier this week. According to that post, an independent researcher going by Adam-X sent in a tip on April 25 to claim a reward from ExpressVPN's bug bounty program. Adam-X noticed that some internal debug code which left traffic on TCP port 3389 unprotected had mistakenly shipped to customers. ExpressVPN released the patch about five days later in version 12.101.0.45 for Windows.

As ExpressVPN points out in its announcement of the patch, it's unlikely that the vulnerability was actually exploited. Any hypothetical hacker would not only have to be aware of the flaw, but would then have to trick their target into sending a web request over RDP or other traffic that uses port 3389. Even if all the dominos fell, the hacker could only see their target's real IP address, not any of the actual data they transmitted.

Even if the danger was small, it's nice to see ExpressVPN responding proactively to flaws in its product — bug bounties are great, but a security product should protect its users with as many safeguards as possible. In addition to closing this vulnerability, they're also adding automated tests that check for debug code accidentally left in production builds. This, plus a successful independent privacy audit earlier in 2025, gives the strong impression of a provider that's on top of things.


ExpressVPN fixes a bug which could have disclosed user IP addresses
Tom's Guide, 22-07-2025

ExpressVPN has updated its Windows app to patch a vulnerability which could have exposed a user's IP address to observers. As one of the best VPNs, ExpressVPN is very secure but mistakes can happen. The provider said in a blog post that code meant for internal testing "mistakenly made it into production builds." Only users in specific conditions were affected, but the bug meant traffic wasn't being routed through the VPN tunnel as expected – however encryption was not impacted.

ExpressVPN acted quickly to fix the vulnerability and is recommending all its Windows VPN users upgrade to the latest version of the app. The code meant for internal testing found its way into production build versions 12.97 to 12.101.0.2-beta. It was reported to ExpressVPN in April 2025 by security researcher Adam-X through the provider's bug bounty program – where security researchers can earn cash rewards for reporting vulnerabilities and flaws. ExpressVPN said its team confirmed and triaged the report within hours.

The vulnerability centred around Remote Desktop Protocol (RDP). According to ExpressVPN there was only a risk when an RDP connection was in use or when other TCP traffic was routed over port 3389. ExpressVPN said "if a user established a connection using RDP, that traffic could bypass the VPN tunnel." "This did not affect encryption, but it meant that traffic from RDP connections wasn't routed through ExpressVPN as expected." It added that observers such as internet service providers could see that a user was connected to ExpressVPN and that they were using RDP to access remote servers – information that would ordinarily be protected.

RDP is most commonly used in enterprise environments, and therefore most users were unaffected. However ExpressVPN said it considers "any risk to privacy unacceptable." A fix was released five days later in version 12.101.0.45. The researcher confirmed the issue was resolved and ExpressVPN closed the report at the end of June.

How severe could this have been?

ExpressVPN analysed the issues and believed "the likelihood of real-world exploitation was extremely low." Given the fact a majority of ExpressVPN users are individuals as opposed to enterprise customers, the provider said "the number of affected users is likely small."

For a hacker to exploit the vulnerability, they would've needed to be aware of the bug and find a way to route traffic over port 3389. This could've been done by tricking a user into clicking on a malicious link or compromising a popular website to launch a drive-by attack – all while the user was connected to the VPN. As demonstrated by Adam-X, a user's real IP address could've been revealed. But browsing activity couldn't have been seen and encryption was not compromised.

ExpressVPN said it was grateful to its community for notifying it of potential issues and suggesting improvements. The provider will strengthen its internal safeguards to ensure this doesn't happen again.
