Threat actors have been exploiting a security vulnerability in Paragon Partition Manager’s BioNTdrv.sys driver in ransomware attacks to gain elevated privileges and execute arbitrary code.
The zero-day flaw, identified as CVE-2025-0289, is one of five vulnerabilities discovered by Microsoft, as reported by the CERT Coordination Center (CERT/CC).
According to CERT/CC, these vulnerabilities include arbitrary kernel memory mapping and write vulnerabilities, a null pointer dereference, insecure kernel resource access, and an arbitrary memory move vulnerability.
In a potential attack scenario, an adversary with local access to a Windows machine can exploit these vulnerabilities to escalate privileges or cause a denial-of-service (DoS) condition. Because "BioNTdrv.sys" is signed by Microsoft, Windows loads it without complaint even with driver signature enforcement in place, so the flaws are reachable on any host the driver is present on.
This also enables a Bring Your Own Vulnerable Driver (BYOVD) attack on systems where the driver is not installed: an attacker who already holds the rights needed to load a driver can drop and load the vulnerable version themselves, then use it to obtain elevated (kernel-level) privileges and execute malicious code.
The vulnerabilities affect BioNTdrv.sys versions 1.3.0 and 1.5.1. CERT/CC describes them as follows (the version numbers in each description are those given in its advisory):
- CVE-2025-0285 – An arbitrary kernel memory mapping vulnerability in version 7.9.1, caused by a failure to validate user-supplied data lengths, which can be exploited to escalate privileges.
- CVE-2025-0286 – An arbitrary kernel memory write vulnerability in version 7.9.1, due to improper validation of user-supplied data lengths, which can allow attackers to execute arbitrary code on the victim’s machine.
- CVE-2025-0287 – A null pointer dereference vulnerability in version 7.9.1, caused by the absence of a valid MasterLrp structure in the input buffer, which can enable an attacker to execute arbitrary kernel code and escalate privileges.
- CVE-2025-0288 – An arbitrary kernel memory write vulnerability in version 7.9.1, caused by a memmove call that fails to sanitize user-controlled input, allowing an attacker to write arbitrary kernel memory and achieve privilege escalation.
- CVE-2025-0289 – An insecure kernel resource access vulnerability in version 17, caused by the failure to validate the MappedSystemVa pointer before passing it to HalReturnToFirmware, which can allow attackers to compromise the affected service.
These vulnerabilities have been addressed by Paragon Software with the release of version 2.0.0 of the driver, and the susceptible versions of the driver have been added to Microsoft's Vulnerable Driver Blocklist.
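For defenders who want to check their own fleet, the following PowerShell script is an added example (it is not code from the article, CERT/CC, Paragon or Microsoft). It inventories copies of BioNTdrv.sys on a Windows host, reports each file's version, SHA-256 hash and Authenticode signer, flags versions below 2.0.0 as unpatched, and reports whether the Vulnerable Driver Blocklist switch and HVCI are in effect. Assumptions: the fixed release reports a file version of 2.0.0 or higher, and the registry value `VulnerableDriverBlocklistEnable` under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Config` is the blocklist switch; the script needs an elevated PowerShell 5.1+ session.

```powershell
# Added example, not from the article, CERT/CC or Paragon: inventory BioNTdrv.sys
# on a Windows host and report whether the Vulnerable Driver Blocklist is in effect.
# Run from an elevated PowerShell 5.1+ session.

# Assumption: the patched driver reports file version 2.0.0 or higher.
$FixedVersion = [version]'2.0.0'

function Get-BioNTdrvInventory {
    # Kernel services registered for the driver (whether or not they are running).
    $services = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -match 'BioNTdrv\.sys' }

    # Copies of the file on disk. A BYOVD attacker can drop the driver anywhere,
    # so widen these roots (or scan whole volumes) when hunting.
    $roots = @("$env:SystemRoot\System32\drivers", $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ -and (Test-Path -Path $_) }

    foreach ($root in $roots) {
        $files = Get-ChildItem -Path $root -Filter 'BioNTdrv.sys' -Recurse -File -ErrorAction SilentlyContinue
        foreach ($f in $files) {
            $ver = $f.VersionInfo.FileVersionRaw          # [version] or $null if no version resource
            $sig = Get-AuthenticodeSignature -FilePath $f.FullName
            [pscustomobject]@{
                Path        = $f.FullName
                FileVersion = $ver
                Unpatched   = if ($ver) { $ver -lt $FixedVersion } else { 'unknown' }
                Sha256      = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
                Signer      = $sig.SignerCertificate.Subject
                SigStatus   = $sig.Status
                Services    = ($services.Name -join ',')
                States      = ($services.State -join ',')  # 'Running' means the driver is loaded
            }
        }
    }
}

function Get-DriverBlocklistStatus {
    # Assumption: this registry value is the documented blocklist switch. On
    # Windows 11 22H2 and later the blocklist is on by default, so a missing value
    # does not by itself mean it is off; HVCI (SecurityServicesRunning contains 2)
    # also enforces the blocklist.
    $ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    [pscustomobject]@{
        BlocklistRegistryValue = $ci.VulnerableDriverBlocklistEnable   # 1 = enabled, $null = not set
        HvciRunning            = [bool]($dg.SecurityServicesRunning -contains 2)
    }
}

Get-BioNTdrvInventory | Format-List
Get-DriverBlocklistStatus
```

The SHA-256 values it prints can be fed straight into an EDR or WDAC custom block rule for hosts where the vendor's 2.0.0 update cannot be rolled out yet. For retrospective hunting, Sysmon Event ID 6 (DriverLoad) records each loaded driver with its hash and signature, so the same file name and hashes can be searched in historical logs to spot a BYOVD load on a machine that never had Paragon software installed.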
This development comes after Check Point exposed a large-scale malware campaign that leveraged another vulnerable Windows driver associated with Adlice’s product suite (“truesight.sys”) to bypass detection and deploy the Gh0st RAT malware.