Threat actors have recently been taking advantage of a security vulnerability in Paragon Partition Manager’s BioNTdrv.sys driver to carry out ransomware attacks with the goal of escalating privileges and executing arbitrary code. This zero-day flaw, officially identified as CVE-2025-0289, is just one of a series of five vulnerabilities discovered by Microsoft, as reported by the CERT Coordination Center (CERT/CC).
The set of vulnerabilities, which CERT/CC elaborated on, includes arbitrary kernel memory mapping and write vulnerabilities, a null pointer dereference, insecure kernel resource access, and an arbitrary memory move vulnerability. Now that these details are public, malicious actors have a clearer path to compromising systems through the identified weaknesses in the Paragon Partition Manager driver.
In a theoretical attack scenario outlined by security experts, a threat actor with local access to a Windows machine could exploit the vulnerabilities in the BioNTdrv.sys driver to elevate their privileges or cause a denial-of-service (DoS) condition. Because the driver is signed by Microsoft, a threat actor can also bring it to a system where it is not already installed, a technique known as a BYOVD (Bring Your Own Vulnerable Driver) attack, and use it to execute malicious code with elevated privileges.
The vulnerabilities, which affect BioNTdrv.sys versions 1.3.0 and 1.5.1, are as follows:
– CVE-2025-0285: An arbitrary kernel memory mapping vulnerability in version 7.9.1 that allows attackers to escalate privileges.
– CVE-2025-0286: An arbitrary kernel memory write vulnerability in version 7.9.1 that can be exploited to execute arbitrary code on the victim’s system.
– CVE-2025-0287: A null pointer dereference vulnerability in version 7.9.1 that permits the execution of arbitrary kernel code for privilege escalation.
– CVE-2025-0288: An arbitrary kernel memory vulnerability in version 7.9.1 that facilitates writing arbitrary kernel memory for privilege escalation.
– CVE-2025-0289: An insecure kernel resource access vulnerability in version 17 that enables attackers to compromise the affected service.
To address these vulnerabilities, Paragon Software has released version 2.0.0 of the driver with the necessary patches. Additionally, the susceptible version of the driver has been added to Microsoft’s driver blocklist as a preventive measure against further exploitation.
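For defenders, the practical question is whether a copy of the affected driver is present or loaded on a host and whether Microsoft's vulnerable driver blocklist is actually being enforced. The following PowerShell script is an added example written for this article; it is not code from Paragon, Microsoft or CERT/CC. The driver file name and the fixed 2.0.0 version come from the article. The script assumes, per Microsoft's Device Guard documentation, that HVCI reports as the value 2 in `Win32_DeviceGuard.SecurityServicesRunning` and that the blocklist can be enabled without HVCI through the `VulnerableDriverBlocklistEnable` registry value; treat those two details as assumptions to confirm against current Microsoft documentation.

```powershell
# Added example (not from the article or from Paragon/Microsoft): audit a Windows host for
# BioNTdrv.sys, report whether each copy predates the fixed 2.0.0 release, whether the
# driver is registered as a kernel service, and whether Microsoft's vulnerable driver
# blocklist is enforced. Run from an elevated PowerShell prompt.

$FixedVersion = [version]'2.0.0'      # first patched release per the article
$DriverName   = 'BioNTdrv.sys'

# 1. Locate every copy of the driver on the system drive. A BYOVD attack drops the signed
#    driver wherever the attacker can write, not only in System32\drivers, so scan broadly.
$copies = Get-ChildItem -Path "$env:SystemDrive\" -Filter $DriverName -Recurse -File -ErrorAction SilentlyContinue

foreach ($file in $copies) {
    $vi = $file.VersionInfo
    # Build a comparable version from the numeric parts rather than parsing FileVersion text.
    $fileVersion = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName

    [pscustomobject]@{
        Path       = $file.FullName
        Version    = $fileVersion
        Vulnerable = ($fileVersion -lt $FixedVersion)
        Signer     = $sig.SignerCertificate.Subject
        SigStatus  = $sig.Status
        SHA256     = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
    }
}

# 2. Is the driver registered as a kernel driver service? Win32_SystemDriver lists kernel
#    driver services together with their binary path and current state.
$loaded = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -like "*$DriverName*" }
if ($loaded) {
    Write-Warning "$DriverName is registered as a kernel driver service: $($loaded.Name) (State: $($loaded.State))"
} else {
    Write-Output "$DriverName is not registered as a kernel driver service."
}

# 3. Is the vulnerable driver blocklist being enforced?
#    Assumption from Microsoft documentation: HVCI (memory integrity) enforces the blocklist and
#    shows up as the value 2 in SecurityServicesRunning.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$hvciOn = $dg.SecurityServicesRunning -contains 2
#    Assumption from Microsoft documentation: without HVCI the blocklist can be turned on via
#    this registry value (1 = enabled).
$blocklistReg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' `
    -Name 'VulnerableDriverBlocklistEnable' -ErrorAction SilentlyContinue
$blocklistOn = $hvciOn -or ($blocklistReg.VulnerableDriverBlocklistEnable -eq 1)

[pscustomobject]@{
    HVCIRunning               = $hvciOn
    VulnerableDriverBlocklist = $blocklistOn
}
```

The recursive scan of the system drive is deliberately broad and can take several minutes; narrow `-Path` to specific roots for routine checks. A copy reporting `Vulnerable = True` with a valid Microsoft signature is exactly the artifact a BYOVD attacker relies on, so the SHA256 values are worth recording and comparing across hosts, and a host where both `HVCIRunning` and `VulnerableDriverBlocklist` are false gets no protection from the blocklist entry the article mentions until one of them is enabled.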
These developments come shortly after Check Point disclosed details about a widespread malware campaign that leveraged another vulnerable Windows driver associated with Adlice’s product suite (“truesight.sys”) to evade detection and deploy the Gh0st RAT malware.
As security researchers continue to identify and address vulnerabilities in various software components, it underscores the importance of promptly applying security updates and patches to safeguard against potential cyber threats. Organizations and individuals alike are advised to stay vigilant and keep their systems up-to-date to mitigate the risk of falling victim to exploits targeting known vulnerabilities.