Introduction

Ransomware actors are actively exploiting critical vulnerabilities in BioNTdrv.sys, the kernel driver shipped with Paragon Partition Manager [3], in version 17 and earlier of the product. The flaws let an attacker who already has local access escalate to SYSTEM privileges and execute code in the Windows kernel, and because the driver carries a valid Microsoft signature it can be abused on hosts that never installed Paragon software.

Description

Ransomware actors are exploiting a series of memory-safety vulnerabilities in the BioNTdrv.sys driver of Paragon Partition Manager [3], version 17 and earlier; the affected driver builds are 1.3.0 and 1.5.1 [8]. The vulnerabilities [2] [3] [4] [5] [7] [8] are tracked as CVE-2025-0285 [3] [4] [7] [9], CVE-2025-0286 [1] [2] [3] [4] [5] [6] [7] [8] [9], CVE-2025-0287 [1] [2] [3] [4] [5] [6] [7] [8] [9], CVE-2025-0288 [1] [2] [3] [4] [5] [6] [7] [8] [9] and CVE-2025-0289 [1] [2] [3] [4] [5] [6] [7] [8] [9]. The one confirmed as exploited in the wild is CVE-2025-0289: the driver passes the user-controllable MappedSystemVa pointer to HalReturnToFirmware without validating it [1] [3] [6]. In a Bring Your Own Vulnerable Driver (BYOVD) attack, an attacker who already holds administrator rights loads the signed, vulnerable driver and uses this flaw to run code in kernel context at SYSTEM level, a degree of control that exceeds what an administrator account normally has.

The five CVEs cover distinct defects: CVE-2025-0285 is an arbitrary kernel memory mapping caused by unvalidated user-supplied lengths [2] [8]; CVE-2025-0286 and CVE-2025-0288 are arbitrary kernel memory writes, the latter through a memmove that does not sanitize user-controlled input [2] [3] [4] [5] [6] [7] [8]; CVE-2025-0287 is a null pointer dereference triggered by an invalid MasterLrp structure in the input buffer [7]; and CVE-2025-0289 is the insecure kernel resource access described above [1] [2] [3] [6] [8]. Kernel code execution lets the operator run further malicious code [1] and disable endpoint defenses before deploying the ransomware payload [6]. Ransomware groups including Scattered Spider [9], BlackByte [9], LockBit [9] and the Lazarus Group are reported to be leveraging these vulnerabilities. Notably, the attack does not require Paragon Partition Manager to be installed: because BioNTdrv.sys is signed, an attacker can bring a copy and load it on any Windows host, after which the flaws yield arbitrary code execution or a system crash [5], including a Blue Screen of Death (BSOD) [8], so denial of service is a consequence even where privilege escalation fails.

In response, Paragon Software has released BioNTdrv.sys version 2.0.0 [2] [5] [7] and urges users to update immediately. Microsoft has added the vulnerable driver versions to the Windows Vulnerable Driver Blocklist, which is enabled by default on Windows 11 [7] and is enforced wherever hypervisor-protected code integrity (HVCI) is on. The blocklist matters most for hosts that never installed Paragon software: BYOVD needs only the signed driver binary, so on such hosts there is nothing to patch and the blocklist is what stops the driver from loading. Users and organizations are advised to update, confirm the blocklist is enforced, and monitor for unusual behavior [7] such as unauthorized privilege escalation [7] or unexpected kernel driver installations, since the active use of these vulnerabilities in ransomware campaigns makes the exposure urgent.
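A host-level audit for the exposure and the mitigations described above, added here as an example; it is not code from the advisory, from Paragon Software or from Microsoft. It assumes that the fixed driver reports a file version of 2.0.0 or later, that the blocklist toggle is the DWORD the Windows Security app writes at HKLM\SYSTEM\CurrentControlSet\Control\CI\Config\VulnerableDriverBlocklistEnable, and that a BYOVD drop registers the driver as a kernel service, which the System log records as Service Control Manager event 7045.

```powershell
# Added example, not code from the advisory or from Paragon Software: audit one
# Windows host for BioNTdrv.sys BYOVD exposure. Run from an elevated PowerShell.
# Assumptions, labelled: the fixed driver reports file version 2.0.0 or later;
# the blocklist toggle is the DWORD the Windows Security app writes at
# HKLM\SYSTEM\CurrentControlSet\Control\CI\Config\VulnerableDriverBlocklistEnable.

$FixedVersion = [Version]'2.0.0'

function Get-BioNTdrvStatus {
    # Enumerate every registered kernel service whose binary is BioNTdrv.sys.
    # BYOVD registers the driver from wherever the attacker dropped it, so the
    # path, not just the version, is evidence worth reporting.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -match 'biontdrv\.sys$' } |
        ForEach-Object {
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
            $ver  = $null
            $sig  = 'file missing'
            if (Test-Path -LiteralPath $path) {
                $ver = (Get-Item -LiteralPath $path).VersionInfo.FileVersionRaw
                $sig = (Get-AuthenticodeSignature -FilePath $path).Status
            }
            [pscustomobject]@{
                Service             = $_.Name
                State               = $_.State
                StartMode           = $_.StartMode
                Path                = $path
                FileVersion         = $ver
                Signature           = $sig
                Vulnerable          = ($null -ne $ver -and $ver -lt $FixedVersion)
                OutsideProgramFiles = ($path -notmatch '^[A-Za-z]:\\Program Files')
            }
        }
}

function Get-DriverBlocklistStatus {
    # The Microsoft Vulnerable Driver Blocklist is what stops a brought-along
    # BioNTdrv.sys from loading on a host that never installed Paragon software.
    # It is enforced by default on current Windows 11 and whenever HVCI runs.
    $ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $toggle = 'not set (platform default applies)'
    if ($null -ne $ci -and $null -ne $ci.VulnerableDriverBlocklistEnable) {
        $toggle = [bool]$ci.VulnerableDriverBlocklistEnable
    }
    [pscustomobject]@{
        BlocklistToggle = $toggle
        HvciRunning     = [bool]($dg.SecurityServicesRunning -contains 2)   # 2 = HVCI
    }
}

function Get-BioNTdrvInstallEvents {
    param([int]$Days = 30)
    # System log event 7045 is written by the Service Control Manager for every
    # newly installed service, including kernel drivers. A recent entry whose
    # image path is biontdrv.sys is the footprint a BYOVD drop leaves behind.
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'biontdrv\.sys' } |
        Select-Object TimeCreated, Id, @{ Name = 'Detail'; Expression = { $_.Message -replace '\s+', ' ' } }
}

# Report. A row with Vulnerable = True, a running service at an unexpected path,
# or a recent 7045 event for a path outside Program Files warrants investigation.
$status = Get-BioNTdrvStatus
if ($status) { $status | Format-List } else { 'No BioNTdrv.sys service registered on this host.' }
Get-DriverBlocklistStatus | Format-List
Get-BioNTdrvInstallEvents | Format-Table -AutoSize -Wrap
```

The version check alone is not enough: a host that never had Paragon software installed shows no BioNTdrv.sys service until an attacker registers one, which is why the blocklist state and the event search belong in the same audit. Running it across a fleet with PowerShell remoting and treating any positive result as an incident, not a patching ticket, reflects the fact that the driver is being brought by ransomware operators rather than left behind by a legitimate install.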

Conclusion

The exploitation of the BioNTdrv.sys vulnerabilities shows why timely driver updates and platform-level controls such as the Vulnerable Driver Blocklist belong together: Paragon Software's version 2.0.0 closes the flaws where the product is installed, and Microsoft's blocklist stops the signed, vulnerable driver from being loaded elsewhere. Organizations should confirm both controls are in place and watch for signs of compromise, since ransomware groups are using these flaws now.

References

[1] https://www.infosecurity-magazine.com/news/byovd-zero-day-paragon-partition/
[2] https://securityaffairs.com/174789/cyber-crime/ransomware-gangs-paragon-partition-manager-biontdrv-sys-driver-zero-day-attacks.html
[3] https://osintcorp.net/byovd-attacks-exploit-zero-day-in-paragon-partition-manager/
[4] https://cybersecuritynews.com/paragon-partition-manager-vulnerabilities/
[5] https://securityonline.info/cve-2025-0289-paragon-partition-manager-flaw-exploited-in-byovd-ransomware-attacks/
[6] https://cyberinsider.com/paragon-partition-manager-flaws-leveraged-in-ransomware-attacks/
[7] https://www.thaicert.or.th/en/2025/03/03/ransomware-groups-exploit-zero-day-vulnerability-in-paragon-partition-managers-biontdrv-sys-driver/
[8] https://kb.cert.org/vuls/id/726882
[9] https://www.channele2e.com/brief/paragon-partition-manager-driver-zero-day-leveraged-in-ransomware-attacks