Hackers are actively exploiting a security vulnerability in the Paragon Partition Manager’s BioNTdrv.sys driver, using it in ransomware attacks to gain higher privileges and execute arbitrary code. The zero-day flaw, tracked as CVE-2025-0289, is part of a broader set of five vulnerabilities discovered by Microsoft, as reported by the CERT Coordination Center (CERT/CC).
The Vulnerability
According to CERT/CC, the five vulnerabilities identified in the BioNTdrv.sys driver are an arbitrary kernel memory mapping flaw, an arbitrary kernel memory write flaw, a null pointer dereference, insecure kernel resource access, and an arbitrary memory move vulnerability.
In a potential attack scenario, a cybercriminal with local access to a Windows system can leverage these vulnerabilities to escalate privileges or trigger a denial-of-service (DoS) condition. One of the major concerns is that “BioNTdrv.sys” is signed by Microsoft, making it a prime candidate for Bring Your Own Vulnerable Driver (BYOVD) attacks. Even if the driver is not already installed on a system, attackers can introduce it to gain elevated access and execute malicious code.
Breakdown of Key Vulnerabilities
The affected versions of the BioNTdrv.sys driver are 1.3.0 and 1.5.1. The specific vulnerabilities include:
CVE-2025-0285 – An arbitrary kernel memory mapping flaw in version 7.9.1. This occurs due to a failure to validate user-supplied data lengths, allowing attackers to escalate privileges.
CVE-2025-0286 – An arbitrary kernel memory write vulnerability in version 7.9.1, caused by improper validation of user data lengths. This flaw enables cybercriminals to execute arbitrary code on the compromised machine.
CVE-2025-0287 – A null pointer dereference vulnerability in version 7.9.1. The absence of a valid MasterLrp structure in the input buffer allows attackers to execute kernel-level code and escalate privileges.
CVE-2025-0288 – A memory vulnerability in version 7.9.1, where the memmove function does not properly sanitize user-controlled input. Exploiting this flaw allows attackers to write arbitrary kernel memory, achieving higher system privileges.
CVE-2025-0289 – An insecure kernel resource access vulnerability in version 17. The flaw results from a failure to validate the MappedSystemVa pointer before passing it to HalReturnToFirmware, enabling attackers to compromise system integrity.
Impact and Security Risks
These vulnerabilities pose a serious risk to organizations, as cybercriminals can exploit them to deploy ransomware, steal sensitive data, or establish persistent access to compromised systems. The BYOVD attack vector is particularly concerning, as it allows threat actors to introduce vulnerable drivers into a system to bypass security mechanisms and execute malware undetected.

Mitigation
Paragon Software has addressed these vulnerabilities in version 2.0.0 of the BioNTdrv.sys driver. Additionally, Microsoft has added the vulnerable versions of the driver to its driver blocklist, preventing their execution on Windows systems.
Security experts recommend the following actions to protect against these exploits:
Update to the Latest Driver Version – Ensure that all systems using Paragon Partition Manager are running version 2.0.0 or later.
Enable Driver Blocklisting – Utilize Microsoft’s driver blocklist to prevent vulnerable versions from being loaded.
Implement Endpoint Protection – Deploy advanced endpoint security solutions that can detect and block malicious driver activity.
Monitor for Suspicious Activity – Regularly scan systems for unauthorized driver installations and unusual privilege escalation attempts.
Apply Principle of Least Privilege (PoLP) – Restrict administrative privileges to reduce the impact of potential exploits.
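A host-level check that follows the recommendations above, written as an added example for this article (it is not from the article, CERT/CC or Paragon): it assumes the driver name and the 2.0.0 fixed version stated above, uses the standard Windows CIM classes, registry value and event ID named in its comments, and invents only its own function names.

```powershell
# Added example, not from the article or Paragon: audit one Windows host for the
# BioNTdrv.sys driver and the blocklist controls the article recommends. Run elevated.
$fixedVersion = [version]'2.0.0'   # driver version the article says fixes the flaws
function Get-BioNTdrvStatus {
    # Drivers registered as services whose image is BioNTdrv.sys (loaded or not)
    $registered = Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.PathName -match 'BioNTdrv\.sys' }
    # Also catch a copy dropped into the drivers folder but not yet registered
    $onDisk = Get-ChildItem "$env:SystemRoot\System32\drivers" -Filter 'BioNTdrv.sys' `
        -ErrorAction SilentlyContinue
    $paths = @($registered.PathName) + @($onDisk.FullName) | Where-Object { $_ } |
        ForEach-Object { $_ -replace '^\\\?\?\\', '' } | Sort-Object -Unique
    foreach ($p in $paths) {
        $verText = "$((Get-Item $p -ErrorAction SilentlyContinue).VersionInfo.FileVersion)" `
            -replace '[^\d.].*$', ''                     # keep only the numeric part
        $ver = if ($verText -match '^\d+(\.\d+)+$') { [version]$verText } else { $null }
        $sig = Get-AuthenticodeSignature $p -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Path       = $p
            Version    = $ver
            Signer     = $sig.SignerCertificate.Subject   # article: signed by Microsoft
            Vulnerable = ($null -ne $ver -and $ver -lt $fixedVersion)
            Registered = [bool]($registered | Where-Object { $_.PathName -match [regex]::Escape($p) })
        }
    }
}
function Get-DriverBlocklistStatus {
    # Microsoft's vulnerable driver blocklist is enforced when HVCI is running or when
    # the documented CI policy value VulnerableDriverBlocklistEnable is set to 1
    $ci = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    [pscustomobject]@{
        BlocklistPolicyEnabled = ($ci.VulnerableDriverBlocklistEnable -eq 1)
        HvciRunning            = ($dg.SecurityServicesRunning -contains 2)   # 2 = HVCI
    }
}
function Get-RecentKernelDriverInstalls([int]$Days = 30) {
    # System event 7045 records every new service registration, kernel drivers included;
    # a driver brought onto the box (BYOVD) has to be registered this way before it loads
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) } `
        -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; Service = $_.Properties[0].Value; Image = $_.Properties[1].Value; Type = $_.Properties[2].Value } } |
        Where-Object { $_.Type -match 'kernel' -or $_.Image -match 'BioNTdrv' }
}
Get-BioNTdrvStatus | Format-List
Get-DriverBlocklistStatus
Get-RecentKernelDriverInstalls | Format-Table -AutoSize
```

A driver reported with Vulnerable = True, or a recent 7045 kernel-driver registration nobody can account for, is the finding to escalate; a host with both blocklist indicators False is still able to load the affected versions.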
Broader View
This exploitation comes just days after cybersecurity firm Check Point exposed another large-scale malware campaign leveraging a different vulnerable Windows driver. In that instance, attackers used a flaw in Adlice’s “truesight.sys” driver to bypass detection mechanisms and deploy the Gh0st RAT malware.
As cybercriminals continue to exploit driver vulnerabilities, organizations must stay vigilant and adopt proactive security measures. Regular software updates, robust endpoint protection, and continuous monitoring are crucial in mitigating these evolving threats.
Conclusion
The exploitation of the Paragon Partition Manager driver highlights the growing trend of BYOVD attacks, where threat actors leverage signed but vulnerable drivers to bypass security measures. Organizations must prioritize patching vulnerabilities, enforcing security best practices, and staying updated on emerging threats to reduce their risk exposure. By taking a proactive approach to cybersecurity, businesses can better defend against ransomware attacks and other cyber threats targeting critical system components.