A zero-day vulnerability in a Microsoft-signed driver shipped with Paragon Software's Partition Manager is being exploited in ransomware attacks.
CERT Coordination Center on Friday warned in a security advisory that five vulnerabilities were discovered in Paragon Partition Manager's BioNTdrv.sys driver. Threat actors have already exploited one of the flaws in what are known as "bring your own vulnerable driver" (BYOVD) attacks, in which attackers drop a legitimately signed but vulnerable driver onto a system they already control, load it into the kernel, and use its flaws to gain SYSTEM privileges, disable security tools and evade detection.
According to the advisory, CVE-2025-0289 is an insecure kernel resource access vulnerability that can be used to either escalate privileges or cause a denial of service on targeted devices. CERT warned the vulnerability can be exploited on Windows devices even if Paragon Partition Manager, which partitions hard drives to optimize disk space and performance, is not installed: because the driver carries a valid Microsoft signature, an attacker can bring the driver along and Windows will load it.
“Microsoft has observed threat actors (TAs) exploiting this weakness in BYOVD ransomware attacks, specifically using CVE-2025-0289 to achieve privilege escalation to SYSTEM level, then execute further malicious code,” CERT said in the advisory. “These vulnerabilities have been patched by both Paragon Software, and vulnerable BioNTdrv.sys versions blocked by Microsoft’s Vulnerable Driver Blocklist.”
Ransomware variant not revealed
It’s unclear what type of ransomware has been used in these attacks. Cybersecurity Dive contacted Microsoft for comment on the exploitation activity.
The CERT advisory includes four other vulnerabilities in the BioNTdrv.sys driver:
- CVE-2025-0288, an arbitrary kernel memory vulnerability that can lead to privilege escalation;
- CVE-2025-0287, a null pointer dereference vulnerability that enables privilege escalation;
- CVE-2025-0286, an arbitrary kernel memory write vulnerability that allows execution of arbitrary code; and
- CVE-2025-0285, an arbitrary kernel memory mapping vulnerability that enables privilege escalation.
CERT credited Microsoft with the discovery of all five driver vulnerabilities.
Paragon on Friday released a patch for the BioNTdrv.sys driver, but its own security advisory does not list any of the CVEs and makes no mention of the exploitation activity. The software company urged users to upgrade their drivers "in order to comply with changed Microsoft security guidelines and to exclude any security risk related to the presence of the old driver version."
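Since a BYOVD attacker supplies the driver themselves, "Paragon is not installed here" is not evidence that a host is safe, and the blocklist only helps where it is actually enforced. The following PowerShell is an added example written for this article; it is not code from CERT, Microsoft or Paragon. It hunts for BioNTdrv.sys as a registered kernel service and as a file on disk, records each copy's version, signer and hash for comparison against Paragon's fixed release (the advisory gives no version numbers, so none are hard-coded), checks whether HVCI and the vulnerable driver blocklist are on, and looks for Code Integrity block events. The temp and ProgramData search paths are assumed attacker drop locations, and the `VulnerableDriverBlocklistEnable` registry value is assumed to mirror the "Microsoft Vulnerable Driver Blocklist" toggle in Windows Security; verify both on your own builds. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the article, CERT, Microsoft or Paragon): hunt for the
# Paragon BioNTdrv.sys driver on a Windows host and check whether Microsoft's
# vulnerable driver blocklist is actually in force. Run elevated.

$driverName = 'BioNTdrv.sys'   # driver named in the CERT advisory

# 1. Is the driver registered as a kernel service, and is it running?
#    A BYOVD attacker has to register the dropped driver as a service before
#    starting it, so an entry pointing outside the normal driver directories
#    is a strong signal.
$services = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -match [regex]::Escape($driverName) }

foreach ($svc in $services) {
    [pscustomobject]@{
        Service   = $svc.Name
        State     = $svc.State
        StartMode = $svc.StartMode
        Path      = $svc.PathName
    }
}

# 2. Find copies of the driver file on disk. Driver-store locations plus
#    user-writable paths (ProgramData, TEMP) that are assumed drop sites.
$searchRoots = @(
    "$env:SystemRoot\System32\drivers",
    "$env:SystemRoot\System32\DriverStore\FileRepository",
    "$env:ProgramData",
    "$env:TEMP"
)
$copies = Get-ChildItem -Path $searchRoots -Filter $driverName -Recurse -File -ErrorAction SilentlyContinue

foreach ($file in $copies) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    [pscustomobject]@{
        Path        = $file.FullName
        FileVersion = $file.VersionInfo.FileVersion   # compare with Paragon's fixed build
        Signer      = $sig.SignerCertificate.Subject
        SigStatus   = $sig.Status                     # 'Valid' is exactly why BYOVD works
        SHA256      = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
    }
}

# 3. Is HVCI running and the vulnerable driver blocklist enabled?
#    Win32_DeviceGuard.SecurityServicesRunning contains 2 when HVCI (memory
#    integrity) is running, which turns the blocklist on.
$dg   = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$hvci = $dg.SecurityServicesRunning -contains 2

# Assumption: this value mirrors the "Microsoft Vulnerable Driver Blocklist"
# toggle under Windows Security > Core isolation; confirm on your build.
$ciConfig  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
$blocklist = $ciConfig.VulnerableDriverBlocklistEnable

[pscustomobject]@{
    HvciRunning               = $hvci
    VulnerableDriverBlocklist = $blocklist   # 1 = on; $null means the value is absent
}

# 4. Has Code Integrity already refused to load it? Event 3077 records an
#    enforced block, 3076 an audit-mode block that would have been allowed.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id      = 3076, 3077
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($driverName) } |
    Select-Object TimeCreated, Id, Message
```

A host where steps 1 and 2 return nothing but step 3 shows HVCI off and the blocklist disabled is still exposed: nothing stops an intruder from dropping the signed driver later. Treat any 3076 hit as a warning that the block would not have held in enforcement, and feed the SHA256 values from step 2 into your EDR's blocklist so the specific builds you find cannot be reloaded.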
Cybersecurity Dive contacted Paragon for comment on the CERT report.
Ransomware gangs have abused vulnerable drivers in the past to blind endpoint detection and response products, using kernel access to terminate EDR processes before they can flag any malicious activity. For example, Sophos researchers last year discovered RansomHub actors were using a tool called "EDRKillShifter," which loads vulnerable drivers to stop EDR detection and elevate privileges on targeted systems.