Paragon Partition Manager Vulnerabilities Allow Attackers to Escalate Privileges and Trigger DoS Attacks


Security researchers have uncovered five significant vulnerabilities in Paragon Partition Manager’s BioNTdrv.sys driver, affecting versions prior to 2.0.0.

These flaws, identified as CVE-2025-0285, CVE-2025-0286, CVE-2025-0287, CVE-2025-0288, and CVE-2025-0289, pose serious security risks, enabling attackers to escalate privileges to SYSTEM level and potentially cause denial-of-service (DoS) scenarios.

Multiple Critical Flaws Discovered in BioNTdrv.sys Driver

The vulnerabilities, discovered by Microsoft researchers, include arbitrary kernel memory mapping and write issues, a null pointer dereference, insecure kernel resource access, and an arbitrary memory move vulnerability.

These flaws primarily affect Paragon Partition Manager version 7.9.1, with CVE-2025-0289 specifically impacting version 17.

Exploitation and Impact

An attacker with local access to a target device can exploit these vulnerabilities, particularly in BioNTdrv.sys versions 1.3.0 and 1.5.1, to achieve SYSTEM-level privilege escalation.

This level of access surpasses typical administrator permissions, allowing for extensive system compromise.

Moreover, the vulnerabilities enable attackers to manipulate the driver through device-specific Input/Output Control (IOCTL) calls, potentially resulting in privilege escalation or system crashes, such as the infamous Blue Screen of Death (BSOD).

Of particular concern is the potential for these vulnerabilities to be exploited even on systems where Paragon Partition Manager is not installed.

According to the researchers, attackers can use the Bring Your Own Vulnerable Driver (BYOVD) technique to install and misuse the vulnerable driver, compromising target machines.

Microsoft has observed threat actors exploiting these weaknesses in BYOVD ransomware attacks, specifically using CVE-2025-0289 to achieve privilege escalation before executing additional malicious code.

Paragon Software has addressed these vulnerabilities by releasing an updated driver, BioNTdrv.sys version 2.0.0, for all of its Hard Disk Manager family products starting from version 17.45.0.

This update includes Paragon Hard Disk Manager 17 (all editions), Paragon Partition Manager Community Edition, and Paragon Backup and Recovery Community Edition.

Additionally, Paragon Software has made available a standalone security patch for 64-bit versions of Windows 10, Windows 11, and Windows Server 2016/2019/2022/2025.

This patch updates the driver version in all product families with marketing versions 16 and 17.

Microsoft has also taken action by adding the vulnerable BioNTdrv.sys versions to its Vulnerable Driver Blocklist.

Users are advised to confirm that the Vulnerable Driver Blocklist is active, which can be verified under Windows Security settings.

For Windows 11 devices, this blocklist is enabled by default.
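As an added example (not from the article, Paragon or Microsoft), the following PowerShell check lets a defender inventory copies of BioNTdrv.sys on a host, flag any older than the fixed 2.0.0 release, and confirm the Vulnerable Driver Blocklist setting. It assumes the driver file name and fixed version as stated above, and the `VulnerableDriverBlocklistEnable` value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Config`, which is the value Microsoft documents for this setting (verify against current guidance).

```powershell
# Added defender-side check; not code from the article, Paragon or Microsoft.
# Assumptions: driver name BioNTdrv.sys and fixed version 2.0.0 (from the article);
# registry value VulnerableDriverBlocklistEnable under CI\Config (Microsoft-documented).
$FixedVersion = [version]'2.0.0'

function Get-BioNTdrvStatus {
    # Collect candidates from the loaded-driver table and from the on-disk driver store.
    $candidates = @()
    $loaded = Get-CimInstance -ClassName Win32_SystemDriver -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like 'BioNTdrv*' -or $_.PathName -like '*BioNTdrv.sys*' }
    foreach ($d in $loaded) {
        # Normalise kernel-style prefixes (\??\ and \SystemRoot) to a Win32 path.
        $p = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        $candidates += [pscustomobject]@{ Path = $p; State = $d.State }
    }
    $onDisk = Get-ChildItem -Path "$env:SystemRoot\System32\drivers" -Filter 'BioNTdrv.sys' -ErrorAction SilentlyContinue
    foreach ($f in $onDisk) {
        if (-not ($candidates.Path -contains $f.FullName)) {
            $candidates += [pscustomobject]@{ Path = $f.FullName; State = 'NotLoaded' }
        }
    }
    foreach ($c in $candidates) {
        $ver = $null; $parsed = $null
        if (Test-Path -LiteralPath $c.Path) { $ver = (Get-Item -LiteralPath $c.Path).VersionInfo.FileVersion }
        # FileVersion strings may carry trailing text; keep only the leading dotted number.
        if ($ver) { $null = [version]::TryParse(($ver -replace '[^0-9.].*$', ''), [ref]$parsed) }
        [pscustomobject]@{
            Path       = $c.Path
            State      = $c.State
            Version    = $ver
            Vulnerable = if ($parsed) { $parsed -lt $FixedVersion } else { 'Unknown' }
        }
    }
}

function Get-VulnerableDriverBlocklistState {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $v = (Get-ItemProperty -Path $key -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    if ($null -eq $v) { 'NotSet (platform default applies; enabled by default on Windows 11)' }
    elseif ($v -eq 1) { 'Enabled' } else { 'Disabled' }
}

Get-BioNTdrvStatus | Format-Table -AutoSize
"Vulnerable Driver Blocklist: $(Get-VulnerableDriverBlocklistState)"
```

A name-based inventory will not see a copy of the driver that has been renamed, so treat the blocklist status as the primary control and the file check as a complement.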

As these vulnerabilities pose significant security risks, users and organizations must update their Paragon Partition Manager installations to the latest version and ensure that appropriate security measures are in place to prevent potential exploitation.
