Threat actors have been exploiting a security vulnerability in Paragon Partition Manager’s BioNTdrv.sys driver in ransomware attacks to escalate privileges and execute arbitrary code.
The zero-day flaw (CVE-2025-0289) is part of a set of five vulnerabilities that was discovered by Microsoft, according to the CERT Coordination Center (CERT/CC).
“These include arbitrary kernel memory mapping and write vulnerabilities, a null pointer dereference, insecure kernel resource access, and an arbitrary memory move vulnerability,” CERT/CC said.
In a hypothetical attack scenario, an adversary with local access to a Windows machine can exploit these shortcomings to escalate privileges or cause a denial-of-service (DoS) condition by taking advantage of the fact that “BioNTdrv.sys” is signed by Microsoft.
This could also pave the way for what’s called a Bring Your Own Vulnerable Driver (BYOVD) attack on systems where the driver is not installed, thereby allowing the threat actors to obtain elevated privileges and execute malicious code.
The list of vulnerabilities, which impact BioNTdrv.sys versions 1.3.0 and 1.5.1, is as follows –
- CVE-2025-0285 – An arbitrary kernel memory mapping vulnerability in version 7.9.1 caused by a failure to validate user-supplied data lengths. Attackers can exploit this flaw to escalate privileges.
- CVE-2025-0286 – An arbitrary kernel memory write vulnerability in version 7.9.1 due to improper validation of user-supplied data lengths. This flaw can allow attackers to execute arbitrary code on the victim’s machine.
- CVE-2025-0287 – A null pointer dereference vulnerability in version 7.9.1 caused by the absence of a valid MasterLrp structure in the input buffer. This allows an attacker to execute arbitrary kernel code, enabling privilege escalation.
- CVE-2025-0288 – An arbitrary kernel memory vulnerability in version 7.9.1 caused by the memmove function, which fails to sanitize user-controlled input. This allows an attacker to write arbitrary kernel memory and achieve privilege escalation.
- CVE-2025-0289 – An insecure kernel resource access vulnerability in version 17 caused by failure to validate the MappedSystemVa pointer before passing it to HalReturnToFirmware. This allows attackers to compromise the affected service.
The vulnerabilities have since been addressed by Paragon Software with version 2.0.0 of the driver, with the susceptible version of the driver added to Microsoft’s driver blocklist.
The development comes days after Check Point revealed details of a large-scale malware campaign that leveraged another vulnerable Windows driver associated with Adlice’s product suite (“truesight.sys”) to bypass detection and deploy the Gh0st RAT malware.
