
Ransomware groups have been exploiting a vulnerability in BioNTdrv.sys, the kernel driver shipped with Paragon Partition Manager, in zero-day attacks to gain SYSTEM privileges on Windows systems.
Exploitation Through BYOVD Attacks
The vulnerabilities are being exploited through a technique known as "Bring Your Own Vulnerable Driver" (BYOVD). The driver is not tampered with or malicious in itself: it carries a valid code signature, so Windows will load it. Because loading a kernel driver requires administrative rights, BYOVD is used after an initial foothold: an attacker who already has an administrator account installs the legitimately signed but vulnerable driver, then triggers the flaw from user mode to run code in the kernel and escalate to SYSTEM.
Technical Details of the Vulnerability
Microsoft researchers discovered five vulnerabilities in the Paragon Partition Manager driver. One of them, CVE-2025-0289, is being actively exploited by ransomware groups to escalate privileges to SYSTEM and execute malicious code. The five issues are:
- CVE-2025-0288: Arbitrary kernel memory write due to improper handling of the 'memmove' function.
- CVE-2025-0287: Null pointer dereference from missing validation of a 'MasterLrp' structure.
- CVE-2025-0286: Arbitrary kernel memory write from improper validation of data lengths.
- CVE-2025-0285: Arbitrary kernel memory mapping due to failure in validating user-supplied data.
- CVE-2025-0289: Insecure kernel resource access from failure to validate the 'MappedSystemVa' pointer.
Implications and Mitigation
CVE-2025-0285 through CVE-2025-0288 affect Paragon Partition Manager versions 7.9.1 and earlier, while CVE-2025-0289 affects version 17 and earlier. Users should upgrade to the latest release, which ships BioNTdrv.sys version 2.0.0 and fixes all five issues.
Systems without Paragon Partition Manager installed are also at risk, because a BYOVD attack does not depend on the software being present: the attacker ships a copy of the vulnerable driver with their tooling, registers it as a kernel service, and loads it. Updating Paragon therefore only removes the copy already on the machine; it does not stop an attacker from dropping an older, still validly signed copy. Preventing the driver from loading at all is the control that matters.
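The following PowerShell script is an added example, not part of the advisory or of Paragon's or Microsoft's tooling. It hunts for BioNTdrv.sys on a Windows host whether or not Paragon Partition Manager is installed, using three sources a BYOVD loader cannot avoid leaving: a driver service registered with the Service Control Manager, the driver file itself on disk, and the System log 7045 event written when a new kernel service is installed. The fixed driver version (2.0.0) comes from the vendor fix described above; the search paths, function names and output format are this example's own assumptions.

```powershell
# Added example: hunt for vulnerable copies of BioNTdrv.sys on this host.
# Threshold 2.0.0 is the fixed driver version; everything else is assumed.
$FixedVersion = [version]'2.0.0'
$DriverName   = 'BioNTdrv.sys'

function Get-DriverFileVersion {
    # Build a [version] from the PE version resource. FileVersion as a string
    # can carry vendor text, so the numeric parts are used instead.
    param([string]$Path)
    try {
        $vi = (Get-Item -LiteralPath $Path -ErrorAction Stop).VersionInfo
        [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    } catch { $null }
}

function ConvertTo-Win32Path {
    # Service image paths from the SCM may use NT-style prefixes; normalise them.
    param([string]$NtPath)
    $p = $NtPath -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^system32\\', "$env:SystemRoot\system32\"
    $p
}

function New-Finding {
    param([string]$Path, [string]$Source, [string]$Service = '', [string]$State = '')
    $ver = Get-DriverFileVersion -Path $Path
    [pscustomobject]@{
        Source      = $Source
        Path        = $Path
        FileVersion = $ver
        # A file that is missing or unreadable cannot be cleared; report it as unknown.
        Vulnerable  = if ($null -eq $ver) { 'unknown' } else { $ver -lt $FixedVersion }
        Service     = $Service
        State       = $State
    }
}

function Get-BioNTdrvExposure {
    $findings = @()

    # 1. Kernel driver services registered with the SCM. A BYOVD loader has to
    #    register and start a service, so this catches the driver even if it
    #    was dropped under an arbitrary service name.
    $services = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -match [regex]::Escape($DriverName) }
    foreach ($svc in $services) {
        $findings += New-Finding -Path (ConvertTo-Win32Path $svc.PathName) -Source 'SCM service' -Service $svc.Name -State $svc.State
    }

    # 2. Copies on disk: the normal install location plus common drop locations
    #    (assumed list; extend it for your estate).
    $searchRoots = @("$env:SystemRoot\System32\drivers", $env:ProgramData, "$env:SystemRoot\Temp", "$env:SystemDrive\Users")
    $files = Get-ChildItem -Path $searchRoots -Filter $DriverName -Recurse -File -Force -ErrorAction SilentlyContinue
    foreach ($f in $files) {
        $findings += New-Finding -Path $f.FullName -Source 'disk'
    }

    # 3. System log event 7045 ("A service was installed in the system"), whose
    #    EventData carries ServiceName and ImagePath. This survives deletion of
    #    the driver file after use.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['ImagePath'] -match [regex]::Escape($DriverName)) {
            $findings += New-Finding -Path (ConvertTo-Win32Path $data['ImagePath']) -Source "Event 7045 $($e.TimeCreated)" -Service $data['ServiceName'] -State 'installed'
        }
    }

    $findings
}

# Usage: run from an elevated shell so other users' profiles are searched.
Get-BioNTdrvExposure | Format-Table -AutoSize
```

Any result with Vulnerable set to True, or a 7045 event for a service name you do not recognise, is worth an incident-response look regardless of whether the product is installed: a legitimate Paragon install registers the driver once, while a loader typically installs it shortly before privilege escalation and from an unusual path.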
Preventative Measures
Microsoft has added the vulnerable driver versions to its Vulnerable Driver Blocklist so that Windows refuses to load them. The blocklist is enabled by default on Windows 11 22H2 and later and on systems with hypervisor-protected code integrity (HVCI) turned on; on other systems users should confirm it is enabled under Settings → Privacy & security → Windows Security → Device security → Core isolation → Microsoft Vulnerable Driver Blocklist. Changing the setting requires a restart to take effect.
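For fleets where clicking through Windows Security is not practical, the following PowerShell is an added example (not from Microsoft or the article) that reports whether the blocklist is enforced and enables it where it is not. It reads the VulnerableDriverBlocklistEnable value under HKLM\SYSTEM\CurrentControlSet\Control\CI\Config, which is the registry setting Microsoft documents for this toggle, and checks HVCI through the Win32_DeviceGuard WMI class. The function names, the OS build threshold used to decide whether an absent value means "default on", and the output format are this example's assumptions.

```powershell
# Added example: verify and enable the Microsoft Vulnerable Driver Blocklist.
$CiConfigKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'

function Get-VulnerableDriverBlocklistStatus {
    # Explicit toggle written by the Windows Security UI (1 = on, 0 = off, absent = OS default).
    $value = (Get-ItemProperty -Path $CiConfigKey -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable

    # SecurityServicesRunning contains 2 when HVCI is running; Microsoft enforces
    # the blocklist on HVCI-enabled devices irrespective of the toggle.
    $dg   = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $hvci = [bool]($dg.SecurityServicesRunning -contains 2)

    # Windows 11 22H2 (build 22621) and later ship with the blocklist on by default,
    # so an absent value on those builds means enabled (assumed interpretation).
    $build      = [System.Environment]::OSVersion.Version.Build
    $defaultOn  = $build -ge 22621
    $toggleOn   = ($value -eq 1) -or ($null -eq $value -and $defaultOn)

    [pscustomobject]@{
        OsBuild           = $build
        RegistryValue     = if ($null -eq $value) { 'absent' } else { $value }
        HvciRunning       = $hvci
        BlocklistEnforced = $hvci -or $toggleOn
    }
}

function Enable-VulnerableDriverBlocklist {
    # Requires an elevated shell; the change takes effect after a reboot.
    if (-not (Test-Path $CiConfigKey)) { New-Item -Path $CiConfigKey -Force | Out-Null }
    New-ItemProperty -Path $CiConfigKey -Name VulnerableDriverBlocklistEnable -Value 1 -PropertyType DWord -Force | Out-Null
    Write-Warning 'Vulnerable Driver Blocklist enabled in the registry; reboot for it to take effect.'
}

# Usage
$status = Get-VulnerableDriverBlocklistStatus
$status
if (-not $status.BlocklistEnforced) { Enable-VulnerableDriverBlocklist }
```

The blocklist is delivered and refreshed through Windows Update, so a host that has the setting on but is behind on updates may still lack the entry for this driver; pair this check with the exposure hunt above rather than relying on either alone.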