SINGAPORE, SG, NY / ACCESS Newswire / October 18, 2025 / X-VPN, issued a security advisory addressing Blind In/On-Path ("path") attacks this week, outlining what the company has verified so far, actions already taken, and next steps with platform vendors. In simple terms, this refers to network path signals-clues on the route to the internet that may show a VPN is active, not decrypted content. It does not mean attackers can read messages or decrypt traffic. An independent review is underway to validate the scope and mitigations. X-VPN is operated by LIGHTNINGLINK NETWORKS PTE. LTD. in Singapore.

What's new today

Evidence update

Internal tests did not observe plaintext leaving the encrypted VPN tunnel. What X-VPN did see relates to device reactions on risky or tampered Wi-Fi-think of someone tapping the outside of a safe to guess what's inside. The safe stays locked; the tapping can still make a sound.

Linux hardening

Interface-level rules that drop unsolicited traffic to the tunnel are now live in the current Linux client, so suspicious packets are stopped early before they trigger any response.

Android focus

Client-side app checks (heuristics) are in controlled testing; these reduce risk, but a full fix requires Android system rules to change-something apps cannot do alone.

Vendor coordination

Reproduction artifacts and timelines have been submitted to Google through responsible channels, so vendor teams can confirm and address the behavior at the system level.

Transparency

An independent assessment of logging enforcement, encryption behavior, and tunnel integrity is in progress; X-VPN will publish a public summary of the results.

What the issue is-in plain terms

On hostile or tampered networks (for example, a rogue public Wi-Fi), an attacker may send crafted probes and watch how a device reacts. Those reactions can reveal that a VPN session is active and, in some conditions, can interrupt the connection. This is about how packets are handled on the path-not about cracking encryption. In X-VPN's verification runs, the encrypted tunnel and connection setup checks (formerly "handshake protections") worked as designed, and session data stayed protected.

For full background and our test methodology, see Official Statement from X-VPN on Blind In/On-Path Attacks.

Current impact and scope

The clearest network path signals were observed on Android, where apps cannot change certain system networking rules. Similar signals can appear on Linux, but administrators can tighten controls-which is why the Linux client now drops traffic that should never reach the tunnel. Under the same test conditions, X-VPN did not reproduce equivalent problematic behavior on Windows, macOS, or iOS. Across apps, X-VPN has raised monitoring thresholds to cut noise and surface meaningful events sooner.

Mitigations shipped and in flight

Linux (shipping)

The client discards unsolicited packets aimed at the virtual tunnel before they can elicit responses, shrinking what an attacker can observe on unfriendly networks.

Android (testing)

X-VPN is evaluating app-layer detections for abnormal probe patterns. Because apps cannot alter Android system rules, X-VPN are rolling these out carefully to avoid stability or performance issues while still reducing exposure.

Service posture

Configuration baselines for encryption and protections that prevent weaker encryption (anti-downgrade) have been re-reviewed. X-VPN supports WireGuard, OpenVPN, and Everest across major platforms to keep connections resilient when conditions change.

Vendor coordination and tracking

X-VPN has provided Google with reproduction traces, scope notes, and timelines under responsible disclosure. As platform vendors implement changes, X-VPN will align client updates and publish clear guidance for users.

Guidance for users and IT teams

For everyday users on phones and laptops, a few habits help most: prefer mobile data or trusted Wi-Fi, keep the OS and the X-VPN app updated, and avoid sensitive actions on suspicious networks. The Kill Switch in the Android app helps prevent traffic from leaving the device if the VPN session drops; it is available to all Android users, including the free tier, and can be enabled in settings. For organizations, combine endpoint controls with gateway rules that discard spoofed or out-of-policy traffic, and send events to your SIEM (security monitoring system) so teams are alerted early.

Facts readers often ask about X-VPN

X-VPN maintains a no-logs policy and has initiated an independent review to add third-party verification to that claim. The service offers a free plan with encrypted tunneling and selected locations without requiring an email address, and a Premium plan that expands locations and speeds and supports up to five simultaneous devices per account. Our network spans 1,000+ servers globally. Streaming-optimized locations remain available; if one location is blocked by a platform, switching to another typically restores access.

Why this matters

Path-based attacks highlight the boundary between operating-system networking and what a VPN app can control. By stating what is-and isn't-affected, shipping hardened defaults on Linux, coordinating with Android vendors, and raising monitoring sensitivity, X-VPN aims to lower risk now while pressing for platform-level improvements that close gaps for everyone.

Next steps and transparency

As vendor assessments progress, X-VPN will post dates, version numbers, and change descriptions so readers can track updates. X-VPN will publish a public summary of the independent assessment when it is complete. Security researchers and reporters can reach the team at security@xvpn.io.

About X-VPN

X-VPN is a global privacy service used by over 100 million people. The service is operated by LIGHTNINGLINK NETWORKS PTE. LTD. (Singapore). X-VPN provides multi-protocol connectivity (including WireGuard, OpenVPN, and Everest) designed to protect session privacy across major platforms. Learn more at the X-VPN Trust Center.

Media info:
Email: support@xvpn.io
Website: http://xvpn.io
Contact: Sandra Mitchell

SOURCE: X-VPN