Microsoft has discovered five flaws in the Paragon Partition Manager BioNTdrv.sys driver, one of which has been used by ransomware gangs in zero-day attacks to gain SYSTEM privileges on Windows.
The vulnerable drivers were exploited in ‘Bring Your Own Vulnerable Driver’ (BYOVD) attacks where threat actors drop the kernel driver on a targeted system to elevate privileges.
“An attacker with local access to a device can exploit these vulnerabilities to escalate privileges or cause a denial-of-service (DoS) scenario on the victim’s machine,” explains a warning from CERT/CC.
“Additionally, as the attack involves a Microsoft-signed Driver, an attacker can leverage a Bring Your Own Vulnerable Driver (BYOVD) technique to exploit systems even if Paragon Partition Manager is not installed.”
As BioNTdrv.sys is a kernel-level driver, threat actors can exploit vulnerabilities to execute commands with the same privileges as the driver, bypassing protections and security software.
Microsoft researchers discovered all five flaws, noting that one of them, CVE-2025-0289, is being leveraged in attacks by ransomware groups. However, the researchers did not disclose which ransomware gangs were exploiting the flaw as a zero-day.
“Microsoft has observed threat actors (TAs) exploiting this weakness in BYOVD ransomware attacks, specifically using CVE-2025-0289 to achieve privilege escalation to SYSTEM level, then execute further malicious code,” reads the CERT/CC bulletin.
“These vulnerabilities have been patched by both Paragon Software, and vulnerable BioNTdrv.sys versions blocked by Microsoft’s Vulnerable Driver Blocklist.”
The Paragon Partition Manager flaws discovered by Microsoft are:
- CVE-2025-0288 – Arbitrary kernel memory write caused by the improper handling of the ‘memmove’ function, allowing attackers to write to kernel memory and escalate privileges.
- CVE-2025-0287 – Null pointer dereference arising from a missing validation of a ‘MasterLrp’ structure in the input buffer, enabling the execution of arbitrary kernel code.
- CVE-2025-0286 – Arbitrary kernel memory write caused by the improper validation of user-supplied data lengths, allowing attackers to execute arbitrary code.
- CVE-2025-0285 – Arbitrary kernel memory mapping caused by the failure to validate user-supplied data, enabling privilege escalation by manipulating kernel memory mappings.
- CVE-2025-0289 – Insecure kernel resource access caused by the failure to validate the ‘MappedSystemVa’ pointer before passing it to ‘HalReturnToFirmware,’ leading to potential compromise of system resources.
The first four vulnerabilities impact Paragon Partition Manager versions 7.9.1 and earlier, while CVE-2025-0289, the actively exploited flaw, impacts version 17 and older.
Users of the software are recommended to upgrade to the latest version, which ships BioNTdrv.sys version 2.0.0 and addresses all of the mentioned flaws.
However, it’s important to note that even users who don’t have Paragon Partition Manager installed are not safe from attacks. BYOVD tactics don’t rely on the software being present on the target’s machine.
Instead, threat actors include the vulnerable driver with their own tools, allowing them to load it into Windows and escalate privileges.
Microsoft has updated its ‘Vulnerable Driver Blocklist’ to block the driver from loading in Windows, so users and organizations should verify the protection system is active.
You can check if the blocklist is enabled by going to Settings → Privacy & security → Windows Security → Device security → Core isolation → Microsoft Vulnerable Driver Blocklist and making sure the setting is enabled.
[Image: Windows Security screenshot. Source: BleepingComputer]
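For administrators who want to verify the same protection across many machines rather than through the Settings app, the following PowerShell script is an added example (not from the article or from Paragon or Microsoft). It checks the blocklist toggle and HVCI status, and reports any BioNTdrv.sys driver service or file whose version is below the fixed 2.0.0 release. The registry value name and the Win32_DeviceGuard class are assumed to match current Windows builds.

```powershell
# Added defender-side check (assumptions: the blocklist toggle is backed by the
# VulnerableDriverBlocklistEnable value under the CI\Config key, and HVCI state is
# exposed via Win32_DeviceGuard). Run from an elevated PowerShell prompt.

$FixedVersion = [version]'2.0.0'   # BioNTdrv.sys version named as fixed in the advisory

# 1. Microsoft Vulnerable Driver Blocklist toggle
$ciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$props = Get-ItemProperty -Path $ciKey -ErrorAction SilentlyContinue
if ($props.VulnerableDriverBlocklistEnable -eq 1) {
    "[OK]   Vulnerable Driver Blocklist is enabled"
} else {
    "[WARN] Vulnerable Driver Blocklist value is '$($props.VulnerableDriverBlocklistEnable)' (expected 1)"
}

# 2. HVCI / memory integrity (SecurityServicesRunning contains 2 when HVCI is active)
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if ($dg -and ($dg.SecurityServicesRunning -contains 2)) {
    "[OK]   HVCI (memory integrity) is running"
} else {
    "[INFO] HVCI is not running; protection depends on the blocklist toggle above"
}

# 3. Any driver service that points at BioNTdrv.sys, loaded or not
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -match 'BioNTdrv\.sys' } |
    ForEach-Object { "[INFO] Driver service '$($_.Name)' state=$($_.State) path=$($_.PathName)" }

# 4. Copies of the driver on disk, compared against the fixed version
$roots = @("$env:SystemRoot\System32\drivers", $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ -and (Test-Path $_) }
foreach ($root in $roots) {
    Get-ChildItem -Path $root -Filter 'BioNTdrv.sys' -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            # FileVersion strings are not always clean x.y.z; fall back to "unknown"
            try   { $ver = [version]($_.VersionInfo.FileVersion -replace '[^\d\.].*$', '') }
            catch { $ver = $null }
            if ($ver -and $ver -ge $FixedVersion) { "[OK]   $($_.FullName) version $ver" }
            elseif ($ver)                         { "[WARN] $($_.FullName) version $ver is below $FixedVersion" }
            else                                  { "[WARN] $($_.FullName) has an unparseable version; inspect manually" }
        }
}
```

A BioNTdrv.sys file below 2.0.0 found outside the Paragon install directory is worth treating as a BYOVD indicator rather than a leftover, since the attack ships the driver alongside the attacker's own tooling.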
A notice on Paragon Software’s site also warns that users must upgrade Paragon Hard Disk Manager by today, as it uses the same driver, which Microsoft will block today.
While it is unclear which ransomware gangs are exploiting the Paragon flaw, BYOVD attacks have become increasingly popular among cybercriminals because they offer an easy way to gain SYSTEM privileges on Windows devices.
Threat actors known to be utilizing BYOVD attacks include Scattered Spider, Lazarus, BlackByte ransomware, LockBit ransomware, and many more.
For this reason, it is important to enable the Microsoft Vulnerable Driver Blocklist feature to prevent vulnerable drivers from being used on your Windows devices.