
A cluster of critical vulnerabilities in Paragon Partition Manager’s BioNTdrv.sys driver has been actively exploited in ransomware attacks, leveraging the “Bring Your Own Vulnerable Driver” (BYOVD) technique to achieve SYSTEM-level privilege escalation, according to a recent CERT/CC vulnerability note.
Paragon Partition Manager, a tool for managing disk partitions, utilizes a kernel-level driver (BioNTdrv.sys) to perform privileged disk operations. However, versions prior to 2.0.0 contain the following five critical vulnerabilities:
- CVE-2025-0288 – Arbitrary Kernel Memory Write: A flaw in the memmove function allows attackers to overwrite arbitrary kernel memory, leading to privilege escalation.
- CVE-2025-0287 – Null Pointer Dereference: An improperly handled input structure enables execution of arbitrary kernel code.
- CVE-2025-0286 – Arbitrary Kernel Memory Write: A failure to properly validate user-supplied data lengths allows for arbitrary code execution.
- CVE-2025-0285 – Arbitrary Kernel Memory Mapping: Attackers can exploit this flaw to gain direct access to kernel memory and escalate privileges.
- CVE-2025-0289 – Insecure Kernel Resource Access: A missing validation check on the MappedSystemVa pointer enables attackers to compromise the service.
According to Microsoft researchers, CVE-2025-0289 has been actively exploited by ransomware threat actors: “Microsoft has observed threat actors (TAs) exploiting this weakness in BYOVD ransomware attacks, specifically using CVE-2025-0289 to achieve privilege escalation to SYSTEM level, then execute further malicious code.”
Even if Paragon Partition Manager is not installed, attackers can manually load vulnerable driver versions to exploit systems using BYOVD techniques.
Attackers can leverage these vulnerabilities to:
- Escalate privileges to SYSTEM level, bypassing administrator restrictions.
- Execute arbitrary code to install malware or ransomware payloads.
- Trigger system crashes (BSOD), resulting in denial-of-service (DoS) conditions.
As BYOVD attacks continue to rise, the exploitation of BioNTdrv.sys follows a growing trend where attackers abuse Microsoft-signed drivers for malicious purposes.
Paragon Software has released BioNTdrv.sys version 2.0.0, which addresses these vulnerabilities. Users should update to the latest version immediately to prevent exploitation.
Microsoft has added BioNTdrv.sys versions 1.3.0 and 1.5.1 to the Windows Vulnerable Driver Blocklist, preventing attackers from loading them on patched systems.
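The two mitigations above (update to 2.0.0 and the Microsoft Vulnerable Driver Blocklist) leave a practical question for defenders: how to tell whether a given Windows host still carries a pre-2.0.0 BioNTdrv.sys, whether the blocklist is actually switched on, and whether the driver has been loaded recently. The PowerShell script below is an added example written for this article; it is not code from the CERT/CC note, Paragon or Microsoft. It assumes an elevated prompt, that Sysmon is installed if you want its driver-load (Event ID 6) records, a 30-day audit window, and that the blocklist state is the `VulnerableDriverBlocklistEnable` value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Config` that Microsoft documents for Windows 10/11.

```powershell
# Added example (not from the advisory): defender-side check for BioNTdrv.sys.
# (1) find on-disk copies and compare their file version with the fixed 2.0.0 release,
# (2) list kernel services that point at the driver, (3) confirm the Microsoft
# Vulnerable Driver Blocklist is on, (4) pull recent driver-load (Sysmon ID 6) and
# service-install (System ID 7045) events that mention the driver.
# Assumptions: run elevated; Sysmon present for step 4; 30-day lookback.

$DriverName   = 'BioNTdrv.sys'
$FixedVersion = [version]'2.0.0'   # first fixed release named in the advisory
$LookbackDays = 30                 # assumed audit window

# Turn an event record's <EventData> into a hashtable keyed by field name.
function ConvertTo-EventData {
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $h = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

# 1. On-disk copies. A BYOVD loader can drop the driver anywhere, so look beyond System32\drivers.
function Get-DriverCopies {
    $roots = @("$env:SystemRoot\System32\drivers", $env:ProgramFiles, ${env:ProgramFiles(x86)},
               $env:ProgramData, $env:TEMP) | Where-Object { $_ -and (Test-Path $_) }
    foreach ($f in Get-ChildItem -Path $roots -Filter $DriverName -Recurse -File -ErrorAction SilentlyContinue) {
        $vi  = $f.VersionInfo
        $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
        [pscustomobject]@{
            Path        = $f.FullName
            FileVersion = $ver
            Status      = if ($ver -lt $FixedVersion) { 'VULNERABLE (< 2.0.0)' } else { 'fixed' }
            SHA256      = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        }
    }
}

# 2. Kernel services whose image path references the driver (running or merely registered).
function Get-DriverServiceState {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -like "*$DriverName*" } |
        Select-Object Name, State, StartMode, PathName
}

# 3. Blocklist state. Value 1 = on. The block rules themselves ship with Windows updates,
#    so an enabled blocklist on an unpatched host may still lack the 1.3.0 / 1.5.1 entries.
function Get-BlocklistState {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $val = (Get-ItemProperty -Path $key -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    [pscustomobject]@{
        VulnerableDriverBlocklistEnable = $val
        Enabled = ($val -eq 1)
        Note    = if ($val -eq 1) { 'Blocklist on; keep Windows updated so the block rules include BioNTdrv.sys 1.3.0/1.5.1' }
                  else            { 'Blocklist off or value absent; enable it (Windows Security > Core isolation) or set this value to 1' }
    }
}

# 4. Recent events naming the driver: a driver load (Sysmon 6) carries hashes and signer;
#    a new kernel service (System 7045) is the step that gets a dropped driver loaded at all.
function Get-DriverEvents {
    $since   = (Get-Date).AddDays(-$LookbackDays)
    $pattern = [regex]::Escape($DriverName)
    $out     = [System.Collections.Generic.List[object]]::new()
    $sysmon  = Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-Sysmon/Operational'; Id=6; StartTime=$since } -ErrorAction SilentlyContinue
    foreach ($e in ($sysmon | Where-Object { $_.Message -match $pattern })) {
        $d = ConvertTo-EventData $e
        $out.Add([pscustomobject]@{ Time=$e.TimeCreated; Source='Sysmon/6 DriverLoad';
                                    Image=$d.ImageLoaded; Detail="$($d.Signature) | $($d.Hashes)" })
    }
    $system  = Get-WinEvent -FilterHashtable @{ LogName='System'; Id=7045; StartTime=$since } -ErrorAction SilentlyContinue
    foreach ($e in ($system | Where-Object { $_.Message -match $pattern })) {
        $d = ConvertTo-EventData $e
        $out.Add([pscustomobject]@{ Time=$e.TimeCreated; Source='System/7045 ServiceInstall';
                                    Image=$d.ImagePath; Detail="service=$($d.ServiceName) start=$($d.StartType) by=$($d.AccountName)" })
    }
    return $out | Sort-Object Time
}

Write-Host "== On-disk copies of $DriverName =="
Get-DriverCopies        | Format-Table -AutoSize | Out-Host
Write-Host "== Kernel services referencing $DriverName =="
Get-DriverServiceState  | Format-Table -AutoSize | Out-Host
Write-Host "== Microsoft Vulnerable Driver Blocklist =="
Get-BlocklistState      | Format-List | Out-Host
Write-Host "== Driver-load / service-install events, last $LookbackDays days =="
Get-DriverEvents        | Format-Table -AutoSize -Wrap | Out-Host
```

A copy reported as VULNERABLE on a host where Paragon Partition Manager was never installed, or a 7045 event registering the driver from a temp or user-writable path, is the BYOVD pattern the article describes and warrants triage regardless of what the blocklist check says, because the blocklist only helps once the host has received the update that carries those entries. The SHA256 column is there so the file can be compared against Microsoft's published block rules or your own allow-list; the script does not ship any hashes of its own.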