
Microsoft has discovered five flaws in the Paragon Partition Manager BioNTdrv.sys driver, one of which ransomware gangs have exploited as a zero-day to gain SYSTEM privileges on Windows.
The vulnerable driver was abused in 'Bring Your Own Vulnerable Driver' (BYOVD) attacks, in which threat actors drop the signed kernel driver on a targeted system, load it, and exploit it to elevate privileges.
"An attacker with local access to a device can exploit these vulnerabilities to escalate privileges or cause a denial-of-service (DoS) scenario on the victim's machine," explains a warning from CERT/CC.
"Additionally, as the attack involves a Microsoft-signed Driver, an attacker can leverage a Bring Your Own Vulnerable Driver (BYOVD) technique to exploit systems even if Paragon Partition Manager is not installed."
Because BioNTdrv.sys runs in the kernel, an attacker who exploits one of these flaws gains code execution with kernel privileges, which is enough to bypass operating system protections and disable security software.
Microsoft researchers discovered all five flaws and noted that one of them, CVE-2025-0289, is being leveraged in attacks by ransomware groups. However, the researchers did not disclose which ransomware gangs were exploiting the flaw as a zero-day.
"Microsoft has observed threat actors (TAs) exploiting this weakness in BYOVD ransomware attacks, specifically using CVE-2025-0289 to achieve privilege escalation to SYSTEM level, then execute further malicious code," reads the CERT/CC bulletin.
"These vulnerabilities have been patched by both Paragon Software, and vulnerable BioNTdrv.sys versions blocked by Microsoft's Vulnerable Driver Blocklist."
The Paragon Partition Manager flaws discovered by Microsoft are:
- CVE-2025-0288 – Arbitrary kernel memory write caused by the improper handling of the 'memmove' function, allowing attackers to write to kernel memory and escalate privileges.
- CVE-2025-0287 – Null pointer dereference arising from a missing validation of a 'MasterLrp' structure in the input buffer, enabling the execution of arbitrary kernel code.
- CVE-2025-0286 – Arbitrary kernel memory write caused by the improper validation of user-supplied data lengths, allowing attackers to execute arbitrary code.
- CVE-2025-0285 – Arbitrary kernel memory mapping caused by the failure to validate user-supplied data, enabling privilege escalation by manipulating kernel memory mappings.
- CVE-2025-0289 – Insecure kernel resource access caused by the failure to validate the 'MappedSystemVa' pointer before passing it to 'HalReturnToFirmware', leading to potential compromise of system resources.
The first four vulnerabilities impact Paragon Partition Manager versions 7.9.1 and earlier, while CVE-2025-0289, the actively exploited flaw, impacts version 17 and older.
Users of the software are recommended to upgrade to the latest version, which ships BioNTdrv.sys version 2.0.0 and addresses all of the flaws listed above.
However, it's important to note that even users who don't have Paragon Partition Manager installed are exposed to these attacks, because BYOVD tactics don't rely on the software being present on the target's machine.
Instead, threat actors ship the vulnerable, signed driver alongside their own tools, register and load it into Windows themselves, and then exploit it to escalate privileges.
Microsoft has updated its 'Vulnerable Driver Blocklist' to block the driver from loading in Windows, so users and organizations should verify the protection system is active.
You can check if the blocklist is enabled by going to Settings → Privacy & security → Windows Security → Device security → Core isolation → Microsoft Vulnerable Driver Blocklist and making sure the setting is enabled.
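The same checks from an elevated PowerShell prompt, extended to the BYOVD case: besides the blocklist switch, the script reports any BioNTdrv driver service registered on the host regardless of where its image sits, the file version and signature of that image (anything below 2.0.0 is a vulnerable build per the article), stray copies of the file in common drop locations, and recent Code Integrity events mentioning the driver. This is an added example written for this page, not code from Microsoft, Paragon or the article. The registry value assumed to back the Windows Security toggle, the event log assumed to record blocked driver loads, and the list of scan directories are assumptions and are marked as such in the comments.

```powershell
# Added example (not the article's, Microsoft's or Paragon's code). Run elevated.

# 1. Blocklist toggle. ASSUMPTION: the Windows Security "Microsoft Vulnerable
#    Driver Blocklist" switch is backed by this value (1 = enabled).
$ciConfig  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$blocklist = (Get-ItemProperty -Path $ciConfig -Name 'VulnerableDriverBlocklistEnable' `
                -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
switch ($blocklist) {
    1       { 'Vulnerable Driver Blocklist: ENABLED' }
    $null   { 'Vulnerable Driver Blocklist: value absent, confirm in the Windows Security UI' }
    default { 'Vulnerable Driver Blocklist: DISABLED' }
}

# Normalise the image paths the Service Control Manager stores (\??\C:\..., \SystemRoot\...).
function Resolve-DriverPath([string]$p) {
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# 2. BYOVD means the driver can be loaded from any path, so inspect every kernel
#    driver service, not just Paragon's install directory.
$fixed   = [version]'2.0.0'
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
           Where-Object { $_.Name -like '*biontdrv*' -or $_.PathName -like '*biontdrv*' }
if (-not $drivers) { 'No BioNTdrv driver service is registered on this host.' }
foreach ($d in $drivers) {
    $path = Resolve-DriverPath $d.PathName
    $ver  = $null; $sig = 'n/a'
    if (Test-Path -LiteralPath $path) {
        $raw = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
        # keep only the leading dotted number, e.g. "1.3.0 built by ..." -> "1.3.0"
        $ver = [version](($raw -replace '[^\d.].*$', '').Trim())
        $sig = (Get-AuthenticodeSignature -FilePath $path).Status
    }
    '{0}: state={1} start={2} path={3} version={4} signature={5}' -f `
        $d.Name, $d.State, $d.StartMode, $path, $ver, $sig
    if ($ver -and $ver -lt $fixed) {
        "  -> $ver is older than $fixed: vulnerable build; update Paragon or remove the driver"
    }
}

# 3. Copies of the file that are not (yet) registered as a service. ASSUMPTION:
#    these directories are where a dropped driver is most likely to be found; a
#    full 'Get-ChildItem C:\ -Recurse' is more thorough but slow.
$scanDirs = @("$env:SystemRoot\System32\drivers", $env:ProgramFiles, ${env:ProgramFiles(x86)},
              $env:ProgramData, $env:TEMP, "$env:SystemDrive\Users") | Where-Object { $_ }
Get-ChildItem -Path $scanDirs -Filter 'BioNTdrv.sys' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object { 'On disk: {0}  version={1}' -f $_.FullName, $_.VersionInfo.FileVersion }

# 4. Recent Code Integrity events that mention the driver. ASSUMPTION: loads the
#    blocklist refuses are logged in this channel, so a hit here is evidence that
#    someone tried to load it.
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'biontdrv' } |
    ForEach-Object { 'CI event {0} at {1}: {2}' -f $_.Id, $_.TimeCreated, ($_.Message -split "`n")[0] }
```

A registered service whose image is missing from disk, or a copy of the file sitting under a user profile or TEMP rather than System32\drivers, is the pattern to treat as suspicious: the legitimate product installs the driver alongside itself, while BYOVD tooling brings its own copy.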
(Screenshot of the Microsoft Vulnerable Driver Blocklist setting omitted. Source: BleepingComputer)
A notice on Paragon Software's site also states that users must upgrade Paragon Hard Disk Manager by today, as it uses the same driver, which Microsoft is blocking as of today.
While it is unclear which ransomware gangs are exploiting the Paragon flaw, BYOVD attacks have become increasingly popular among cybercriminals because they offer an easy route to SYSTEM privileges on Windows devices.
Threat actors known to be utilizing BYOVD attacks include Scattered Spider, Lazarus, BlackByte ransomware, LockBit ransomware, and many more.
For this reason, it is important to enable the Microsoft Vulnerable Driver Blocklist feature to prevent vulnerable drivers from being used on your Windows devices.



Comments
GT500 - 1 year ago
I can't register my license for Paragon Hard Disk Manager 25th Anniversary LE to check if there's a new version to download (the software has no built-in update function), and the separate security patch that you can download and install errors out on my computer. I contacted their support and sent them the log, so hopefully they will fix it.
FYI: Paragon Software's KB article about this driver vulnerability is at the following URL, and the instructions for installing the security patch without updating Paragon's software is at the bottom of the article:
https://paragon-software.zendesk.com/hc/en-us/articles/32993902732817-IMPORTANT-Paragon-Driver-Security-Patch-for-All-Products-of-Hard-Disk-Manager-Product-Line-Biontdrv-sys
GT500 - 1 year ago
It's been a week, and no reply from Paragon support. It's possible they're just overloaded with support tickets from people concerned about the vulnerability, but it still seems odd for it to be an entire week without a reply.
OpBarras - 9 months ago
The 25th Anniversary LE became a freebie around 2020, it's not officially supported, that would require purchasing the current version 17. You could snag a copy of their WinPE ISO and write it to a bootable USB stick using Rufus, this would bring you up to version 17.20.17. The downside of course is you can't conveniently use it as an installed app, but for me at least that's not a deal breaker and avoids having BioNTdrv.sys installed. Remember that Paragon doesn't need to be installed for miscreants to create havoc using the arbitrary kernel memory write vulnerability etc. of BioNTdrv.sys. If the Vulnerable Driver Blocklist is not enabled in your Windows Security settings, and only if an attacker has physical access to your machine, installing unpatched BioNTdrv.sys would be easy. If no one else has access to your machine and the Vulnerable Driver Blocklist is enabled then you have no worries.
GT500 - 9 months ago
I finally received a reply from Paragon Software Support today. They attached an installer to the e-mail to update the driver. The installer file was digitally signed by Paragon Software, and Windows said the signature was "OK". I confirmed with System Informer that the driver version is now 2.0.0.0: https://i.imgur.com/cSzDfDn.png
For the curious:
https://www.virustotal.com/gui/file/745e5d03e22e5e9f58f175f78a56b42a0ded0fb713e5b40625790b93ff903df7