Microsoft recently uncovered five vulnerabilities in BioNTdrv.sys, the kernel driver shipped with Paragon Partition Manager, one of which (CVE-2025-0289) is already being exploited by ransomware groups. The flaws let a local attacker escalate privileges on Windows systems, with CVE-2025-0289 being leveraged as a zero-day in ransomware attacks. Because the driver is Microsoft-signed, Windows will load it on any machine, even one that never had Paragon Partition Manager installed, which is what makes the "Bring Your Own Vulnerable Driver" (BYOVD) technique possible: the attacker ships the vulnerable driver alongside the malware and loads it. This article explores the flaws discovered, the damage they enable, and the steps needed to protect a system against them.
Key Vulnerabilities and Exploits
Microsoft identified five vulnerabilities in the BioNTdrv.sys driver of Paragon Partition Manager. The flaws can lead to privilege escalation and denial-of-service (DoS) conditions, and one of them (CVE-2025-0289) is currently being exploited in ransomware attacks. They give a local attacker read and write access to kernel memory, and with it code execution at kernel level and SYSTEM privileges, bypassing the user-mode security boundaries that normally contain a compromised account. The critical point is that Paragon Partition Manager does not need to be installed: because the driver carries a valid Microsoft signature, an attacker can drop the vulnerable driver on any Windows system and load it. One caveat a practitioner should keep in mind: registering and starting a kernel driver requires administrator rights, so BYOVD is typically used after an initial administrative foothold to reach kernel code execution, from where the attacker can disable EDR and other security products before deploying the payload.
The flaws include arbitrary kernel memory writes, a null pointer dereference, and insufficient validation of user-supplied data passed to the driver, all of which allow an attacker to execute arbitrary code and escalate privileges. Four of the five flaws affect driver versions 7.9.1 and older; the actively exploited CVE-2025-0289 affects version 17 and older.
In response, Paragon Software has patched the driver, and Microsoft has added the vulnerable driver versions to its Vulnerable Driver Blocklist so that they cannot be loaded on systems where the blocklist is enforced. Users are advised to update their Paragon software and to confirm that the blocklist is enabled on their devices.
What Undercode Says:
The identification of critical flaws in Paragon Partition
What makes these flaws particularly dangerous is that they sit in a Microsoft-signed driver. Windows enforces driver signing, so a validly signed driver loads without complaint, and neither the operating system nor security software can reject it on the basis of its signature alone; that is exactly why Microsoft maintains a blocklist keyed on the hash and version of known-vulnerable drivers. The attacker therefore gets a legitimately loaded, trusted kernel component with a known bug in it, and exploiting that bug gives kernel-level control with which antivirus and endpoint detection products can be tampered with or terminated. This is why BYOVD is attractive to ransomware operators, and why CVE-2025-0289 in particular has been exploited by ransomware gangs in zero-day attacks: the threat actors gain control of the system with elevated privileges and can run their payloads with little resistance.
The nature of these vulnerabilities also highlights how crucial it is for users to stay current with software patches and to follow security advisories. The discovery of these flaws is timely, as BYOVD attacks are becoming more common, with known ransomware groups such as LockBit, BlackByte, and Lazarus leveraging the technique. While Microsoft has taken steps to block these drivers from loading through its Vulnerable Driver Blocklist, the blocklist only helps on devices where it is actually enforced, so users and administrators must verify that this protection is active.
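The following PowerShell triage script is an added example, not code from the article, from Paragon, or from Microsoft. It covers the two practical checks raised above: whether the Microsoft Vulnerable Driver Blocklist is enforced on a host, and whether BioNTdrv.sys has been dropped, registered, or loaded on it, which is the footprint a BYOVD attack leaves behind. The registry value name, the DeviceGuard WMI class, and the event IDs used are the ones Microsoft documents for current Windows builds, but they should be verified against the build in front of you; the search roots and the 30-day window are assumptions chosen for this example.

```powershell
# Added example (not from the article, Paragon, or Microsoft): defender-side
# triage for the BioNTdrv.sys BYOVD case. Run from an elevated PowerShell session.

# 1. Is the Microsoft Vulnerable Driver Blocklist enforced on this host?
#    VulnerableDriverBlocklistEnable is the value behind the Windows Security
#    "Microsoft Vulnerable Driver Blocklist" toggle (Windows 11 22H2 and later).
#    On builds without the toggle, the list is enforced when HVCI (memory
#    integrity) is running, so both signals are reported. (Assumption: verify
#    both against your Windows build.)
function Test-VulnerableDriverBlocklist {
    $ciConfig = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $toggle = (Get-ItemProperty -Path $ciConfig -Name VulnerableDriverBlocklistEnable `
               -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    # SecurityServicesRunning contains 2 when HVCI is active
    $hvci = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 2)
    [pscustomobject]@{
        BlocklistToggle = $toggle            # 1 = on, 0 = off, $null = value absent
        HvciRunning     = [bool]$hvci
        Enforced        = ($toggle -eq 1) -or [bool]$hvci
    }
}

# 2. Is the driver registered as a kernel service, or present on disk?
#    BYOVD tooling drops the .sys under an arbitrary path and registers it with
#    the Service Control Manager, so both the driver table and the disk are checked.
#    The search roots are assumptions; widen them for a real hunt.
function Find-BioNTdrv {
    param([string[]]$SearchRoots = @("$env:SystemRoot\System32\drivers", $env:ProgramData, $env:TEMP))
    $services = Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.PathName -match 'BioNTdrv' -or $_.Name -match 'BioNTdrv' } |
        Select-Object Name, State, PathName
    $files = foreach ($root in $SearchRoots) {
        Get-ChildItem -Path $root -Filter 'BioNTdrv*.sys' -Recurse -ErrorAction SilentlyContinue
    }
    $fileInfo = foreach ($f in $files) {
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        [pscustomobject]@{
            Path        = $f.FullName
            FileVersion = $f.VersionInfo.FileVersion   # compare with the version Paragon's advisory lists as fixed
            Sha256      = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
            Signer      = $sig.SignerCertificate.Subject
            SigStatus   = $sig.Status                  # a valid signature is expected and proves nothing here
        }
    }
    [pscustomobject]@{ Services = @($services); Files = @($fileInfo) }
}

# 3. Has such a driver been installed, loaded, or blocked recently?
#    - System event 7045 (Service Control Manager): a new service was installed;
#      for kernel drivers the message carries the image path.
#    - Sysmon event 6 (Microsoft-Windows-Sysmon/Operational): driver loaded,
#      only present if Sysmon is deployed.
#    - CodeIntegrity event 3077 (Microsoft-Windows-CodeIntegrity/Operational):
#      a load was blocked by policy, which is what a working blocklist produces.
function Get-SuspiciousDriverEvents {
    param([int]$Days = 30, [string]$Pattern = 'BioNTdrv')
    $since = (Get-Date).AddDays(-$Days)
    $queries = @(
        @{ Label = 'SCM 7045';    LogName = 'System';                                     Id = 7045 },
        @{ Label = 'Sysmon 6';    LogName = 'Microsoft-Windows-Sysmon/Operational';        Id = 6 },
        @{ Label = 'CI 3077';     LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3077 }
    )
    $events = foreach ($q in $queries) {
        Get-WinEvent -FilterHashtable @{ LogName = $q.LogName; Id = $q.Id; StartTime = $since } `
                     -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match $Pattern } |
            Select-Object TimeCreated, @{ n = 'Source'; e = { $q.Label } }, Message
    }
    $events | Sort-Object TimeCreated
}

# Usage
Test-VulnerableDriverBlocklist | Format-List
$hits = Find-BioNTdrv
$hits.Services | Format-Table -AutoSize
$hits.Files    | Format-Table -AutoSize
Get-SuspiciousDriverEvents -Days 30 | Format-Table -AutoSize -Wrap
```

Two things to read carefully in the output. First, `Enforced = $false` on a host means the blocklist update described in this article does nothing there, regardless of what Microsoft has published; enabling the toggle (or HVCI) is the fix, not another patch. Second, a valid Microsoft signature on a found BioNTdrv.sys copy is the expected state and is not evidence of legitimacy; the file version and SHA-256 hash are what to compare against Paragon's fixed version and the hashes in Microsoft's published driver block rules, and a copy found outside the Paragon installation directory on a machine that never ran Paragon software is the BYOVD signal itself.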
Paragon Software has been quick to respond by issuing patches, but this highlights an important takeaway: even software that appears benign, like Paragon Partition Manager, can be used as a vector for attack. Therefore, a proactive approach to cybersecurity—such as keeping software updated, enabling driver blocklists, and being aware of emerging threats—is vital in safeguarding against these evolving threats.
It’s also worth noting that Paragon Software’s warning about updating Paragon Hard Disk Manager as well further emphasizes the need for users to act quickly. Microsoft has added the vulnerable driver to its blocklist, but the updated list only protects a device once it has been delivered to that device and the blocklist is enforced there. Until both conditions hold, users who delay upgrades or fail to activate the appropriate protections remain at risk.
Fact Checker Results:
- Vulnerable Drivers Blocked: The vulnerable driver has been added to Microsoft’s Vulnerable Driver Blocklist, which is an essential protective measure for users.
- Software Updates: Paragon Software has patched the vulnerabilities and users are encouraged to update to the latest version of Paragon Partition Manager to prevent exploitation.
- Ransomware Exploitation: CVE-2025-0289 is actively exploited in zero-day ransomware attacks, though the specific ransomware groups involved remain unidentified.
References:
Reported By: https://www.bleepingcomputer.com/news/security/ransomware-gangs-exploit-paragon-partition-manager-bug-in-byovd-attacks/