
Microsoft researchers have identified five vulnerabilities in BioNTdrv.sys, the kernel driver that ships with Paragon Software's Partition Manager and Hard Disk Manager products for managing disk partitions. One of these vulnerabilities is already being actively exploited by ransomware groups to obtain SYSTEM-level privileges on Windows.
The attackers use the BYOVD (Bring Your Own Vulnerable Driver) technique: they bring a copy of the vulnerable, legitimately signed driver onto a host they have already compromised, load it, and abuse it to escalate privileges. CERT/CC has issued an advisory warning that a local attacker, one who already has code execution on the machine, could use these vulnerabilities to escalate privileges or cause a denial of service (DoS).
Because the driver carries a valid Microsoft signature, Windows loads it even on systems where no Paragon product is installed. The flaws in BioNTdrv.sys let an attacker who can send requests to the driver write and map kernel memory and run code in kernel mode, from where the security mechanisms and antivirus software on the same machine can be bypassed or disabled.
Below is the full list of identified issues:
- CVE-2025-0288 – A kernel memory write flaw caused by improper handling of the `memmove` function, allowing attackers to modify memory contents and escalate privileges.
- CVE-2025-0287 – A null pointer dereference caused by missing validation of the `MasterLrp` structure in the input buffer, allowing arbitrary code execution in kernel mode.
- CVE-2025-0286 – Improper validation of user-supplied data lengths, allowing arbitrary code execution in the kernel.
- CVE-2025-0285 – An arbitrary kernel memory mapping flaw caused by insufficient data validation, allowing attackers to manipulate memory mappings and elevate privileges.
- CVE-2025-0289 – Insecure access to kernel resources, allowing attackers to compromise system resources.
Of the five identified vulnerabilities, CVE-2025-0289 is considered the most critical, as it is already being actively exploited by ransomware operators.
Paragon Software urges users to update immediately to the latest release, which ships the patched BioNTdrv.sys 2.0.0. Updating protects Paragon's own installations, but it does not end the threat for everyone else: BYOVD does not require the software to be installed on the targeted device, because the attacker brings the old, still validly signed driver along and loads it themselves.
There is nevertheless an effective defence. Microsoft has added the vulnerable driver to the Microsoft Vulnerable Driver Blocklist, so Windows users should make sure that setting is turned on. In Windows 11 it lives under Windows Security > Device security > Core isolation; typing "Core Isolation" into the Start menu search opens that page, where the Microsoft Vulnerable Driver Blocklist toggle should be on.
Legitimate users of Partition Manager or Hard Disk Manager must update as well: once the blocklist is enabled and up to date, Windows refuses to load the old driver, and versions of Paragon's software that depend on it stop working.
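As an added example (not code from the article, Paragon or Microsoft), the following PowerShell audit checks the mitigations described above on a single host: whether the Microsoft Vulnerable Driver Blocklist is turned on, whether BioNTdrv.sys is registered as a driver service and at what version, whether loose copies of the driver are lying around, and whether Code Integrity has already blocked a load attempt. The registry value backing the Core Isolation toggle, the directories swept and the Code Integrity event ID are assumptions noted in the comments; the 2.0.0 version threshold is the patched release the advisory names.

```powershell
# Added example (not code from the article, Paragon or Microsoft): audit a Windows host
# for the BioNTdrv.sys driver and for the Microsoft Vulnerable Driver Blocklist setting.
# Run from an elevated PowerShell prompt. Assumptions are marked inline.

# 1. Is the Microsoft Vulnerable Driver Blocklist enabled?
#    Assumption: the Core Isolation toggle is backed by this registry value (1 = on).
$ciConfig  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$blocklist = (Get-ItemProperty -Path $ciConfig -Name 'VulnerableDriverBlocklistEnable' -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
if ($blocklist -eq 1) {
    Write-Host 'Microsoft Vulnerable Driver Blocklist: enabled'
} else {
    Write-Warning 'Microsoft Vulnerable Driver Blocklist: not enabled (or value absent). Turn it on under Windows Security > Device security > Core isolation.'
}

# 2. Is BioNTdrv.sys registered as a driver service? A BYOVD attacker has to register and
#    start the driver, so an entry on a host with no Paragon product installed is itself a red flag.
$fixed   = [version]'2.0.0'   # patched release named in the advisory; anything older is a known-vulnerable build
$drivers = Get-CimInstance -ClassName Win32_SystemDriver | Where-Object { $_.PathName -match 'BioNTdrv\.sys$' }
if (-not $drivers) {
    Write-Host 'No BioNTdrv.sys driver service is registered.'
}
foreach ($d in $drivers) {
    Write-Host ('Driver service {0}: state={1} start={2} path={3}' -f $d.Name, $d.State, $d.StartMode, $d.PathName)
    # Normalise the NT-style paths driver entries often use (\??\C:\... or \SystemRoot\...).
    $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if (Test-Path -LiteralPath $path) {
        $raw = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
        $ver = $null
        # Keep only the leading dotted number so strings like "1.5.1 build 7" still parse.
        try { $ver = [version]([regex]::Match([string]$raw, '\d+(\.\d+)+').Value) } catch { }
        if ($ver -and $ver -lt $fixed) {
            Write-Warning ('  {0} is version {1}, older than {2}: update the Paragon software or remove the driver.' -f $path, $raw, $fixed)
        } else {
            Write-Host ('  file version: {0}' -f $raw)
        }
    } else {
        Write-Warning ('  service points at a missing file: {0}' -f $path)
    }
}

# 3. Loose copies: an attacker typically drops the driver next to the tooling that loads it.
#    Assumption: these directories are a reasonable minimum sweep; extend the list for your estate.
$sweep = @("$env:SystemRoot\System32\drivers", "$env:SystemRoot\Temp", $env:TEMP, $env:ProgramData)
Get-ChildItem -Path $sweep -Filter 'BioNTdrv.sys' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Host ('Found driver file: {0} ({1} bytes)' -f $_.FullName, $_.Length) }

# 4. Has Code Integrity already refused to load it? Assumption: blocklist hits are logged as
#    event 3077 in the CodeIntegrity/Operational log, with the image path in the message text.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3077 } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'BioNTdrv\.sys' } |
    ForEach-Object { Write-Host ('Blocked load at {0}: {1}' -f $_.TimeCreated, $_.Message.Split("`n")[0]) }
```

A registered BioNTdrv.sys service below 2.0.0 on a machine that has never had Paragon software installed is an incident indicator rather than a patching item: someone placed and started that driver deliberately, and the host should be treated as compromised until the loading process and any tampering with security tooling have been investigated.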
Although the specific ransomware groups exploiting this vulnerability have not been named, it is well known that BYOVD techniques are actively used by cybercriminal groups such as Scattered Spider, Lazarus Group, BlackByte, LockBit, and others. Given this, it is crucial to activate Windows’ security mechanisms to prevent the exploitation of vulnerable drivers.