Microsoft had found 5 Paragon Partition Supervisor BioNTdrv.sys driver flaws, with one utilized by ransomware gangs in zero-day assaults to achieve SYSTEM privileges in Home windows.
The susceptible drivers have been exploited in ‘Carry Your Personal Susceptible Driver’ (BYOVD) assaults the place menace actors drop the kernel driver on a focused system to raise privileges.
“An attacker with native entry to a tool can exploit these vulnerabilities to escalate privileges or trigger a denial-of-service (DoS) state of affairs on the sufferer’s machine,” explains a warning from CERT/CC.
“Moreover, because the assault includes a Microsoft-signed Driver, an attacker can leverage a Carry Your Personal Susceptible Driver (BYOVD) approach to take advantage of programs even when Paragon Partition Supervisor isn’t put in. “
As BioNTdrv.sys is a kernel-level driver, menace actors can exploit vulnerabilities to execute instructions with the identical privileges as the driving force, bypassing protections and safety software program.
Microsoft researchers found all 5 flaws, noting that one in every of them, CVE-2025-0289, is leveraged in assaults by ransomware teams. Nonetheless, the researchers didn’t disclose what ransomware gangs have been exploiting the flaw as a zero-day.
“Microsoft has noticed menace actors (TAs) exploiting this weak spot in BYOVD ransomware assaults, particularly utilizing CVE-2025-0289 to attain privilege escalation to SYSTEM stage, then execute additional malicious code,” reads the CERT/CC bulletin.
“These vulnerabilities have been patched by each Paragon Software program, and susceptible BioNTdrv.sys variations blocked by Microsoft’s Susceptible Driver Blocklist.”
The Paragon Partition Supervisor flaws found by Microsoft are:
- CVE-2025-0288 – Arbitrary kernel reminiscence write attributable to the improper dealing with of the ‘memmove’ operate, permitting attackers to jot down to kernel reminiscence and escalate privileges.
- CVE-2025-0287 – Null pointer dereference arising from a lacking validation of a ‘MasterLrp’ construction within the enter buffer, enabling the execution of arbitrary kernel code.
- CVE-2025-0286 – Arbitrary kernel reminiscence write attributable to the improper validation of user-supplied knowledge lengths, permitting attackers to execute arbitrary code.
- CVE-2025-0285 – Arbitrary kernel reminiscence mapping attributable to the failure to validate user-supplied knowledge, enabling privilege escalation by manipulating kernel reminiscence mappings.
- CVE-2025-0289 – Insecure kernel useful resource entry attributable to the failure to validate the ‘MappedSystemVa’ pointer earlier than passing it to ‘HalReturnToFirmware,’ resulting in potential compromise of system sources.
The primary 4 vulnerabilities impression Paragon Partition Supervisor variations 7.9.1 and former, whereas CVE-2025-0298, the actively exploited flaw, impacts model 17 and older.
Customers of the software program are advisable to improve to the newest model, which accommodates BioNTdrv.sys model 2.0.0, which addresses the entire talked about flaws.
Nonetheless, it is essential to notice that even customers who do not have Paragon Partition Supervisor put in will not be secure from assaults. BYOVD techniques do not depend on the software program being current on the goal’s machine.
As an alternative, menace actors embody the susceptible driver with their very own instruments, permitting them to load it into Home windows and escalate privileges.
Microsoft has up to date its ‘Susceptible Driver Blocklist’ to dam the driving force from loading in Home windows, so customers and organizations ought to confirm the safety system is lively.
You’ll be able to test if the blocklist is enabled by going to Settings → Privateness & safety → Home windows Safety → Machine safety → Core isolation → Microsoft Susceptible Driver Blocklist and ensuring the setting is enabled.
.jpg)
Supply: BleepingComputer
A warning on Paragon Software program’s web site additionally warns that customers should improve Paragon Exhausting Disk Supervisor by at this time, because it makes use of the identical driver, which can be blocked by Microsoft at this time.
Whereas it’s unclear what ransomware gangs are exploiting the Paragon flaw, BYOVD assaults have turn out to be more and more widespread amongst cybercriminals as they permit them to simply achieve SYSTEM privileges on Home windows units.
Menace actors recognized to be using BYOVD assaults embody Scattered Spider, Lazarus, BlackByte ransomware, LockBit ransomware, and plenty of extra.
Because of this, you will need to allow the Microsoft Susceptible Driver Blocklist function to forestall susceptible drivers from getting used in your Home windows units.
