Threat Actors Exploit Paragon Partition Manager Driver Vulnerability in Ransomware Attacks
Cybercriminals have been actively exploiting a security vulnerability in the BioNTdrv.sys driver of Paragon Partition Manager to escalate privileges and execute arbitrary code in ransomware attacks.
The zero-day flaw, identified as CVE-2025-0289, is part of a broader set of five vulnerabilities discovered by Microsoft, according to the CERT Coordination Center (CERT/CC).
“These vulnerabilities include arbitrary kernel memory mapping and write flaws, a null pointer dereference, insecure kernel resource access, and an arbitrary memory move vulnerability,” CERT/CC stated.
In a potential attack scenario, an adversary with local access to a Windows system could exploit these weaknesses to gain elevated privileges or trigger a denial-of-service (DoS) condition. The risk is heightened because BioNTdrv.sys carries a Microsoft signature, so Windows loads it wherever driver signature enforcement is the only control in place, making it a prime target for abuse.
Attackers can therefore also mount a Bring Your Own Vulnerable Driver (BYOVD) attack on systems where Paragon software was never installed: they ship the signed driver alongside their tooling, load it (which requires administrative rights), and then use its flaws to run code in the kernel, typically to disable security software before deploying ransomware.
List of Vulnerabilities Affecting BioNTdrv.sys Versions 1.3.0 and 1.5.1
- CVE-2025-0285 – Arbitrary kernel memory mapping flaw in version 7.9.1 due to improper validation of user-supplied data lengths, allowing privilege escalation.
- CVE-2025-0286 – Arbitrary kernel memory write vulnerability in version 7.9.1, enabling attackers to execute arbitrary code.
- CVE-2025-0287 – Null pointer dereference in version 7.9.1, allowing attackers to execute kernel-level code and escalate privileges.
- CVE-2025-0288 – Arbitrary kernel memory vulnerability in version 7.9.1, caused by improper input sanitization in the memmove function, allowing privilege escalation.
- CVE-2025-0289 – Insecure kernel resource access vulnerability in version 17 due to improper validation of the MappedSystemVa pointer, enabling system compromise.
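Three of the entries above (CVE-2025-0285, CVE-2025-0286 and CVE-2025-0288) come down to one bug class: an IOCTL handler takes a copy length from the request body and never checks it against the number of bytes the caller actually supplied or against the size of the destination. What follows is an added, constructed user-mode model of that pattern beside its hardened form. It is not Paragon's driver code; the request layout, the pool layout, the status-code mirrors and every function name are assumptions, and the canary stands in for whatever kernel object happens to sit after the driver's buffer.

```c
/*
 * Constructed model of a METHOD_BUFFERED IOCTL dispatch path, added for
 * this article. It is NOT Paragon's BioNTdrv.sys code; the request layout,
 * pool layout and names are assumptions. The pool is a byte array standing
 * in for kernel memory; the 4-byte canary after the scratch area models
 * whatever object sits next to the driver's buffer in a real kernel.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SCRATCH_SIZE 64u               /* destination buffer the driver owns */
#define CANARY_SIZE  4u                /* adjacent memory that must not be touched */
#define HDR_SIZE     sizeof(uint32_t)  /* request = u32 length + payload bytes */
#define CANARY_VALUE 0xC0DECAFEu

/* Same numeric values as the NTSTATUS codes a real driver would return. */
#define STATUS_SUCCESS           0x00000000L
#define STATUS_INVALID_PARAMETER 0xC000000DL
#define STATUS_BUFFER_TOO_SMALL  0xC0000023L

typedef struct {
    uint8_t bytes[SCRATCH_SIZE + CANARY_SIZE];
} kernel_pool_t;

typedef long (*ioctl_handler_t)(kernel_pool_t *, const uint8_t *, size_t);

static void pool_init(kernel_pool_t *pool) {
    uint32_t c = CANARY_VALUE;
    memset(pool->bytes, 0, SCRATCH_SIZE);
    memcpy(pool->bytes + SCRATCH_SIZE, &c, CANARY_SIZE);
}

uint32_t pool_canary(const kernel_pool_t *pool) {
    uint32_t c;
    memcpy(&c, pool->bytes + SCRATCH_SIZE, CANARY_SIZE);
    return c;
}

/* Vulnerable pattern: the copy length is read from the request body and is
 * never compared with in_len (what the caller really sent) or with the
 * destination size. A claimed length above SCRATCH_SIZE writes past the
 * driver's buffer; in the kernel that is pool corruption, here it hits the canary. */
long vuln_ioctl_handler(kernel_pool_t *pool, const uint8_t *in_buf, size_t in_len) {
    uint32_t len;
    (void)in_len;                               /* the bug: in_len is ignored */
    memcpy(&len, in_buf, HDR_SIZE);
    memcpy(pool->bytes, in_buf + HDR_SIZE, len);
    return STATUS_SUCCESS;
}

/* Hardened pattern: the header must fit, the claimed length must be backed by
 * bytes the caller actually supplied (no over-read), and the copy must fit
 * the destination (no over-write). */
long safe_ioctl_handler(kernel_pool_t *pool, const uint8_t *in_buf, size_t in_len) {
    uint32_t len;
    if (in_buf == NULL || in_len < HDR_SIZE) return STATUS_BUFFER_TOO_SMALL;
    memcpy(&len, in_buf, HDR_SIZE);
    if (len > in_len - HDR_SIZE) return STATUS_INVALID_PARAMETER;
    if (len > SCRATCH_SIZE)      return STATUS_INVALID_PARAMETER;
    memcpy(pool->bytes, in_buf + HDR_SIZE, len);
    return STATUS_SUCCESS;
}

/* Drive one handler with an attacker-built request: the header claims
 * claimed_len bytes while payload_len bytes of 0x41 are really attached.
 * Returns the canary left behind and, if status_out is non-NULL, the status. */
uint32_t run_request(ioctl_handler_t handler, uint32_t claimed_len,
                     size_t payload_len, long *status_out) {
    uint8_t req[128];
    kernel_pool_t pool;
    long st = STATUS_BUFFER_TOO_SMALL;          /* default if the request does not fit */

    pool_init(&pool);
    if (HDR_SIZE + payload_len <= sizeof req) {
        memcpy(req, &claimed_len, HDR_SIZE);
        memset(req + HDR_SIZE, 0x41, payload_len);
        st = handler(&pool, req, HDR_SIZE + payload_len);
    }
    if (status_out) *status_out = st;
    return pool_canary(&pool);
}

int main(void) {
    long st;
    /* Claim SCRATCH_SIZE + CANARY_SIZE bytes: enough to clobber the canary while
     * staying inside this model's pool array. A larger claim fed to the vulnerable
     * handler would overrun the model itself, just as it would the kernel. */
    uint32_t n = SCRATCH_SIZE + CANARY_SIZE;
    printf("vulnerable: canary 0x%08X\n", run_request(vuln_ioctl_handler, n, n, &st));
    uint32_t canary = run_request(safe_ioctl_handler, n, n, &st);
    printf("hardened:   canary 0x%08X status 0x%08lX\n", canary, st);
    return 0;
}
```

The hardened handler checks two independent bounds because they fail in different ways: a claimed length larger than the input buffer is an over-read of whatever follows the request copy, while a claimed length larger than the destination is the over-write that CERT/CC describes. In a real METHOD_BUFFERED driver the caller-supplied size to compare against is `Parameters.DeviceIoControl.InputBufferLength` from the IRP stack location; in this model it is simply `in_len`.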
Paragon Software has since patched all five vulnerabilities in version 2.0.0 of the driver, and Microsoft has added the affected driver versions to its Vulnerable Driver Blocklist so they can no longer be loaded, which also closes the BYOVD route on protected systems. The blocklist only helps where it is enforced: it is enabled by default on Windows 11 version 22H2 and later and on systems running with HVCI (memory integrity) or Smart App Control, but on older builds it has to be switched on explicitly under Windows Security > Device security > Core isolation. A blocklist entry also covers only the listed versions, so updating Paragon software to the patched driver remains the actual fix.
This development follows recent research by Check Point, which exposed a large-scale malware campaign leveraging another vulnerable Windows driver from Adlice’s product suite (truesight.sys) to bypass security measures and deploy the Gh0st RAT malware.