Microsoft has identified five critical vulnerabilities in the Paragon Partition Manager’s BioNTdrv.sys driver. Notably, one of them has been actively exploited by ransomware groups in zero-day attacks, granting attackers SYSTEM-level privileges on Windows systems.
Understanding BYOVD Attacks
Vulnerabilities of this kind are typically leveraged through a technique known as Bring Your Own Vulnerable Driver (BYOVD). Rather than trying to smuggle an unsigned malicious driver past Windows, the attacker drops a legitimately signed but vulnerable kernel driver onto the target, loads it (which already requires administrative rights on the machine), and then exploits the driver’s flaws to run code in the kernel and escalate to SYSTEM. As stated in a warning from the Cybersecurity and Infrastructure Security Agency (CISA), "An attacker with local access to a device can exploit these vulnerabilities to escalate privileges or initiate a denial-of-service (DoS) attack on the victim’s machine."
Furthermore, because BioNTdrv.sys carries a valid Microsoft signature, Windows will load it on any system. Threat actors can therefore bring their own copy of the driver and exploit machines on which Paragon Partition Manager was never installed, which broadens the potential attack surface considerably.
The Risks of Kernel-Level Drivers
BioNTdrv.sys runs in kernel mode, so a flaw in it lets an attacker execute code at the driver’s own privilege level, that is, inside the kernel itself. From there the attacker can disable or bypass the protections that modern operating systems enforce against user-mode code.
Of the five vulnerabilities Microsoft’s security researchers flagged, CVE-2025-0289 stands out because it is being exploited in ransomware attacks. The specific ransomware groups using it remain undisclosed, but the CERT/CC bulletin states that "Microsoft has observed threat actors exploiting this weakness in BYOVD ransomware attacks, specifically using CVE-2025-0289 to achieve privilege escalation to SYSTEM level before executing further malicious code."
Detailed Overview of Vulnerabilities
The identified Paragon Partition Manager vulnerabilities are as follows:
- CVE-2025-0288 – An arbitrary kernel memory write caused by a ‘memmove’ call that does not sanitize user-controlled input, allowing an attacker to escalate privileges.
- CVE-2025-0287 – A null pointer dereference caused by the absence of a valid ‘MasterLrp’ structure in the input buffer, enabling the execution of arbitrary kernel code.
- CVE-2025-0286 – An arbitrary kernel memory write caused by improper validation of user-supplied data lengths, allowing attackers to execute arbitrary code.
- CVE-2025-0285 – An arbitrary kernel memory mapping caused by a failure to validate user-supplied data lengths, enabling attackers to manipulate kernel memory mappings for privilege escalation.
- CVE-2025-0289 – Insecure kernel resource access: the driver fails to validate the ‘MappedSystemVa’ pointer before passing it to ‘HalReturnToFirmware’, exposing system resources to an attacker.
The first four vulnerabilities affect Paragon Partition Manager versions up to 7.9.1, while CVE-2025-0289 impacts version 17 and older.
Mitigating Risks and Recommended Actions
Users of Paragon Partition Manager are strongly advised to upgrade to the latest version, which ships the patched BioNTdrv.sys version 2.0.0 and addresses all five vulnerabilities. Upgrading only protects hosts that have the product installed, however: because the older driver remains validly signed, attackers can bundle it with their own tooling and load it on systems that never had Paragon software, so those systems stay exposed to BYOVD tactics.
To close that gap, Microsoft has added the vulnerable BioNTdrv.sys versions to its ‘Vulnerable Driver Blocklist’ so that Windows refuses to load them. Users and organizations should confirm the blocklist is active: open Settings → Privacy & security → Windows Security → Device security → Core isolation and check that Microsoft Vulnerable Driver Blocklist is turned on.
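The Settings page above covers one machine at a time. The following PowerShell script is an added example for this article, not code from Paragon, Microsoft or the original page; it audits a host for the same exposure from an elevated prompt and returns an object you can collect fleet-wide. The driver file name ‘biontdrv.sys’ and the patched driver version 2.0.0 are taken from the article; the ‘VulnerableDriverBlocklistEnable’ registry value, the ‘Win32_DeviceGuard’ class and Code Integrity event ID 3077 are the documented Windows locations for these settings, and the function name ‘Test-BioNTdrvExposure’ is this example’s own.

```powershell
# Added example (not Paragon's, Microsoft's or the article's code). Audits one
# Windows host for the BioNTdrv.sys BYOVD exposure: is the Microsoft Vulnerable
# Driver Blocklist on, is memory integrity (HVCI) running, is a copy of the
# driver present or registered, and has Code Integrity already blocked a load.
# Run from an elevated PowerShell prompt.

function Test-BioNTdrvExposure {
    [CmdletBinding()]
    param(
        [string]$DriverName = 'biontdrv.sys',         # from the article
        [version]$PatchedVersion = [version]'2.0.0'   # from the article
    )

    # 1. Blocklist toggle. Microsoft documents this value under
    #    HKLM\SYSTEM\CurrentControlSet\Control\CI\Config; 1 = enabled.
    $ci = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $toggle = (Get-ItemProperty -Path $ci -Name VulnerableDriverBlocklistEnable `
               -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    $blocklistState = if ($toggle -eq 1) { 'enabled' }
                      elseif ($null -eq $toggle) { 'unset (default depends on build; check Settings)' }
                      else { 'DISABLED' }

    # 2. Memory integrity (HVCI): SecurityServicesRunning contains 2 when on.
    #    The blocklist is enforced most reliably on hosts with HVCI running.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $hvciOn = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))

    # 3. Copy of the driver in the usual install location. A BYOVD attacker can
    #    drop the file anywhere, so this check is necessary but not sufficient.
    $defaultPath = Join-Path $env:SystemRoot "System32\drivers\$DriverName"
    $fileVersion = $null; $sigStatus = $null; $signer = $null
    if (Test-Path $defaultPath) {
        $vi = (Get-Item $defaultPath).VersionInfo
        $fileVersion = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                                      $vi.FileBuildPart, $vi.FilePrivatePart)
        $sig = Get-AuthenticodeSignature -FilePath $defaultPath
        $sigStatus = $sig.Status
        $signer = $sig.SignerCertificate.Subject
    }
    # Do not rank versions numerically: the article reports the vulnerable
    # builds as 7.9.1 and 17 and the fixed driver as 2.0.0, so only an exact
    # 2.0.0.x build is treated as the patched one; anything else is for review.
    $isPatchedBuild = [bool]($fileVersion -and
        $fileVersion.Major -eq $PatchedVersion.Major -and
        $fileVersion.Minor -eq $PatchedVersion.Minor -and
        $fileVersion.Build -eq $PatchedVersion.Build)

    # 4. Any registered kernel driver service whose image path names this file,
    #    wherever it lives. Catches a dropped copy on a host that never had
    #    Paragon software installed, as long as the service is still registered.
    $stem = [IO.Path]::GetFileNameWithoutExtension($DriverName)
    $registered = Get-CimInstance -ClassName Win32_SystemDriver `
                  -Filter "PathName LIKE '%$stem%'" -ErrorAction SilentlyContinue |
                  Select-Object Name, State, Started, PathName

    # 5. Has Code Integrity already refused a load? Policy-enforced blocks are
    #    logged as event ID 3077 in Microsoft-Windows-CodeIntegrity/Operational.
    $blocked = Get-WinEvent -FilterHashtable @{
                   LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3077
               } -MaxEvents 500 -ErrorAction SilentlyContinue |
               Where-Object { $_.Message -match [regex]::Escape($stem) }

    [pscustomobject]@{
        Host                      = $env:COMPUTERNAME
        VulnerableDriverBlocklist = $blocklistState
        MemoryIntegrityHVCI       = $hvciOn
        DriverOnDisk              = (Test-Path $defaultPath)
        DriverFileVersion         = $fileVersion
        DriverIsPatchedBuild      = $isPatchedBuild
        SignatureStatus           = $sigStatus
        Signer                    = $signer
        RegisteredDriverServices  = @($registered)
        CodeIntegrityBlocks       = @($blocked).Count
    }
}

Test-BioNTdrvExposure | Format-List
```

A host is in good shape when the blocklist reports ‘enabled’, HVCI is running and no non-patched copy of the driver is on disk or registered; a non-zero CodeIntegrityBlocks count with the blocklist enabled means something already tried to load the driver and is worth an incident-response look rather than a shrug.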
Conclusion
In a separate advisory, Paragon Software has also urged users to upgrade Paragon Hard Disk Manager, which ships the same driver that Microsoft is blocking. Given the rising prevalence of BYOVD attacks, turning on the Microsoft Vulnerable Driver Blocklist protects Windows devices regardless of whether Paragon software was ever installed.
BYOVD techniques have been used by groups including Scattered Spider, Lazarus, BlackByte ransomware and LockBit ransomware, which underlines the need for heightened vigilance in organizational security practices. Blocking known-vulnerable drivers, rather than only patching the products that ship them, is a significant step toward protecting sensitive data and maintaining system integrity in today’s threat landscape.