A recently discovered vulnerability in Paragon Partition
The Vulnerabilities
The BioNTdrv.sys driver that ships with Paragon Partition Manager contains five vulnerabilities that let a local attacker execute code in the kernel, escalate privileges, or crash the system. The advisory was published by the CERT Coordination Center (CERT/CC) at Carnegie Mellon University, which coordinated the disclosure with Paragon Software; Microsoft contributed the observation that one of the flaws was already being exploited. The flaws fall into four classes: arbitrary kernel memory mapping and write, null pointer dereference, insecure kernel resource access, and an unchecked memmove that yields an arbitrary kernel memory write.
Because the driver runs in kernel mode, anyone who can already run code on the machine, even as an unprivileged local user, can send it crafted requests and turn a driver bug into a SYSTEM-level compromise or a denial of service (DoS). The driver also carries a valid Microsoft signature, so Windows will load it under Driver Signature Enforcement on any machine, not only those with Paragon Partition Manager installed. That makes it suitable for Bring Your Own Vulnerable Driver (BYOVD) attacks, in which an attacker drops the legitimate but vulnerable driver onto a target, loads it, and exploits it to run arbitrary code in the kernel. Microsoft reported observing ransomware operators doing exactly this with CVE-2025-0289.
The vulnerabilities affect BioNTdrv.sys versions 1.3.0 and 1.5.1 and were assigned the following CVEs:
– CVE-2025-0285: Arbitrary kernel memory mapping.
– CVE-2025-0286: Arbitrary kernel memory write.
– CVE-2025-0287: Null pointer dereference.
– CVE-2025-0288: Arbitrary kernel memory write through memmove.
– CVE-2025-0289: Insecure kernel resource access; this is the flaw Microsoft observed being exploited in the wild in BYOVD ransomware attacks.
Paragon Software has fixed all five issues in BioNTdrv.sys version 2.0.0, and Microsoft has added the affected driver versions to its Vulnerable Driver Blocklist. The two measures are complementary: the patch removes the bugs from systems where Paragon software is installed, while the blocklist stops the known vulnerable versions from loading anywhere it is enforced, which is what blunts BYOVD reuse of the old binary on machines that never had Paragon installed.
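The following PowerShell triage script is an added example for defenders; it is not part of the original article and not code from Paragon or Microsoft. It checks a Windows host for the BioNTdrv.sys driver and its version (treating anything below 2.0.0 as vulnerable, per the advisory summarised above), inspects the driver's Authenticode signer, reports whether the Vulnerable Driver Blocklist registry setting and HVCI are active, and hunts the event logs for recent BioNTdrv service installs and Code Integrity blocks. The registry value, the Win32_DeviceGuard class and the event IDs used are assumed to be those Microsoft documents for these features; the 30-day lookback window and the `drivers` directory search are choices made here for illustration.

```powershell
# Added example (not from the article, Paragon or Microsoft): triage a Windows
# host for Paragon's BioNTdrv.sys and for the controls that would stop a BYOVD
# load of it. Run from an elevated Windows PowerShell 5.1+ session.
# Assumptions: fixed driver version is 2.0.0 (per the advisory); registry value,
# WMI class and event IDs are Microsoft's documented names for these features.

$FixedVersion = [version]'2.0.0'

# --- 1. Is a BioNTdrv kernel service registered, and is it running? ----------
$services = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.Name -like 'BioNTdrv*' -or $_.PathName -like '*BioNTdrv*' }

# --- 2. Locate the driver file(s); report version, signer and vulnerability ---
$paths = @()
foreach ($s in $services) {
    # Service image paths may be stored as \??\C:\... or \SystemRoot\...; normalise
    $p = $s.PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^System32\\', "$env:SystemRoot\System32\"
    $paths += $p
}
# A BYOVD drop may exist on disk without a service yet; sweep the drivers folder
$paths += @(Get-ChildItem -Path "$env:SystemRoot\System32\drivers" -Filter 'BioNTdrv*.sys' `
            -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName)

$findings = foreach ($path in ($paths | Where-Object { $_ } | Sort-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $file = Get-Item -LiteralPath $path
    $ver  = $file.VersionInfo.FileVersionRaw          # [version]; PowerShell 5.1+
    $sig  = Get-AuthenticodeSignature -FilePath $path # signer is expected to be Microsoft
    [pscustomobject]@{
        Path       = $path
        Version    = $ver
        Vulnerable = ($ver -lt $FixedVersion)         # 1.3.0 and 1.5.1 fall below 2.0.0
        SigStatus  = $sig.Status
        Signer     = $sig.SignerCertificate.Subject
    }
}

# --- 3. Are the OS-level mitigations active? ---------------------------------
# VulnerableDriverBlocklistEnable = 1 turns Microsoft's blocklist on explicitly;
# when the value is absent the OS default for that Windows build applies.
$ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' `
      -ErrorAction SilentlyContinue
$blocklist = if ($null -ne $ci.VulnerableDriverBlocklistEnable) {
    $ci.VulnerableDriverBlocklistEnable
} else { 'not set (OS default applies)' }

# Win32_DeviceGuard.SecurityServicesRunning contains 2 when HVCI is running;
# HVCI enforces the blocklist regardless of the registry value.
$dg   = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$hvci = [bool]($dg.SecurityServicesRunning -contains 2)

# --- 4. BYOVD hunt: recent driver service installs and Code Integrity blocks --
$since    = (Get-Date).AddDays(-30)   # lookback window chosen for this example
$installs = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } `
            -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'BioNTdrv' }
$blocks   = Get-WinEvent -FilterHashtable @{
                LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
                Id = 3033, 3077; StartTime = $since } -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match 'BioNTdrv' }

# --- Report -------------------------------------------------------------------
$services | Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize
$findings | Format-Table -AutoSize
[pscustomobject]@{
    VulnerableDriverBlocklistEnable = $blocklist
    HvciRunning                     = $hvci
    RecentBioNTdrvServiceInstalls   = @($installs).Count
    RecentCodeIntegrityBlocks       = @($blocks).Count
} | Format-List
```

A host with no Paragon service but a `Vulnerable = True` file on disk, or with recent event 7045 installs naming BioNTdrv, is the BYOVD pattern rather than a stale legitimate install. Note that an attacker can register the dropped driver under any service name, so the file and event searches are supporting evidence only; the durable control is having the Vulnerable Driver Blocklist (or HVCI, which enforces it) turned on so the known versions refuse to load at all.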
What Undercode Says: Analyzing the Vulnerabilities
The exploitation of BioNTdrv.sys is a reminder of how much of a system's security rests on its drivers. A driver runs in kernel mode with the same privileges as the operating system itself, mediating between applications and hardware, so a memory-safety bug in a driver is effectively a bug in the kernel, and it sits below the defences that watch user-mode programs.
In this case the flaws in Paragon's driver are dangerous because they allow privilege escalation and arbitrary code execution in the kernel. An attacker who already has local code execution, even as a standard user, can send crafted requests to the driver's device interface, corrupt kernel memory, and elevate to SYSTEM, at which point ransomware deployment, credential and data theft, or tampering with security tooling are all within reach.
What stands out is the BYOVD angle. In a Bring Your Own Vulnerable Driver attack the driver is not malicious code written by the attacker: it is a legitimate, properly signed driver that happens to contain an exploitable bug. The attacker brings a copy of it to a system where it was never installed, loads it (which Windows permits because the Microsoft signature is valid), and then exploits the bug to gain kernel privileges. A signed, widely distributed driver passes signature checks and blends in with ordinary system components, which is why threat actors increasingly favour this route over unsigned kernel code and why detecting it means watching driver installs and loads rather than relying on signature enforcement alone.
That the vulnerabilities were widely reported and that Microsoft has already added the affected versions to its Vulnerable Driver Blocklist shows the disclosure process working as intended. The other side of the picture is that exploitation was observed before the public advisory: attackers had found and weaponised a flaw in a low-level, legitimately signed component on their own, which is characteristic of how BYOVD tradecraft has matured.
The impact extends beyond this one product. Third-party drivers, including those signed through Microsoft's own programs, become part of the trusted computing base of every Windows machine they load on, and a signature attests only to the publisher's identity, not to the code's correctness. Enterprises and individual users should keep Paragon software updated, make sure the Vulnerable Driver Blocklist and, where the hardware allows it, Hypervisor-protected Code Integrity (HVCI) are enabled, and monitor for unexpected driver service installations.
In conclusion, while Paragon Software has patched the issue, the incident underscores the need for continuous attention to system drivers. This is not an isolated problem with Paragon's software but part of a broader trend in which signed drivers are increasingly the target of choice for kernel-level compromise.
Fact Checker Results
- CVE-2025-0289 is a confirmed vulnerability in Paragon Partition Manager's BioNTdrv.sys driver and is the flaw Microsoft reported seeing exploited in the wild.
- Microsoft has added the affected driver versions to its Vulnerable Driver Blocklist.
- Paragon Software has released BioNTdrv.sys version 2.0.0, which addresses all five identified flaws.
References:
Reported By: https://thehackernews.com/2025/03/hackers-exploit-paragon-partition.html