Microsoft has identified five critical vulnerabilities in the BioNTdrv.sys driver of Paragon Partition Manager, one of which has been exploited by ransomware groups in zero-day attacks to gain SYSTEM privileges on Windows systems. These vulnerabilities are employed in “Bring Your Own Vulnerable Driver” (BYOVD) attacks, in which attackers deploy a legitimately signed but vulnerable kernel driver on target systems to elevate their privileges.

“An attacker with local access to a device can exploit these vulnerabilities to escalate privileges or cause a denial-of-service (DoS) scenario on the victim’s machine,” according to CERT/CC. This attack leverages a Microsoft-signed driver, allowing exploitation even if Paragon Partition Manager is not installed.

BioNTdrv.sys operates as a kernel-level driver, so a flaw in it lets threat actors with local access execute code with kernel privileges, thereby bypassing security measures and software protections. Microsoft researchers discovered five distinct vulnerabilities within this driver. Among these, CVE-2025-0289 is actively exploited by ransomware groups. However, the specific gangs exploiting this zero-day vulnerability have not been disclosed.

“Microsoft has observed threat actors (TAs) exploiting this weakness in BYOVD ransomware attacks,” states the CERT/CC bulletin. Both Paragon Software and Microsoft have taken steps to address these vulnerabilities. Paragon Software has released patches for affected versions, and Microsoft has updated its Vulnerable Driver Blocklist to prevent the use of compromised BioNTdrv.sys versions.

Critical driver flaws prompt urgent updates and security enhancements

The vulnerabilities identified include arbitrary kernel memory mapping and write issues, a null pointer dereference, insecure kernel resource access, and an arbitrary memory move vulnerability. These flaws affect versions prior to 2.0.0 of the driver. Users are being strongly advised to update Paragon Partition Manager to the latest version containing BioNTdrv.sys version 2.0.0 to mitigate these risks.

Even users without Paragon Partition Manager installed are at risk due to BYOVD tactics that do not require the software’s presence on a target machine. Instead, threat actors can include the vulnerable driver with their tools, allowing them to load it into Windows and escalate privileges.

Microsoft has updated its Vulnerable Driver Blocklist as part of its security measures to block compromised drivers from loading on Windows systems. Users and organisations should ensure this protection system is active. On Windows 11 devices, this blocklist is enabled by default, providing an additional layer of security against potential threats.
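The two checks the article recommends, the installed BioNTdrv.sys version (fixed in 2.0.0) and whether the Microsoft Vulnerable Driver Blocklist is enforced, can be audited read-only from an elevated PowerShell prompt. The script below is an added example and is not code from the article, Paragon Software or Microsoft; the function names are hypothetical. It relies on the `Win32_DeviceGuard` WMI class for the HVCI state and on the documented `VulnerableDriverBlocklistEnable` value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Config`, which backs the Core isolation toggle in the Windows Security app.

```powershell
# Added example (not from the article, Paragon or Microsoft): read-only audit
# of the BioNTdrv.sys version and of the Vulnerable Driver Blocklist state.
# BioNTdrv.sys and the fixed version 2.0.0 come from the article; the
# function names are hypothetical.

function Get-BioNTdrvStatus {
    # Report every registered copy of BioNTdrv.sys, loaded or not, and flag
    # file versions below 2.0.0. A BYOVD attacker stages the driver under any
    # service name, so match on the file path as well as the service name.
    $fixed = [version]'2.0.0'
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.Name -like 'BioNTdrv*' -or $_.PathName -like '*BioNTdrv.sys' }

    foreach ($d in $drivers) {
        # PathName may use NT-style prefixes; normalise to a Win32 path.
        $path = $d.PathName -replace '^\\\?\?\\', '' `
                            -replace '^\\SystemRoot', $env:SystemRoot
        $fileVersion = $null
        if ($path -and (Test-Path -LiteralPath $path)) {
            $fileVersion = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
        }

        # FileVersion strings can carry suffixes ("1.5.0.0 built by ..."),
        # so parse only the leading numeric component.
        $parsed = $null
        $vulnerable = 'unknown'
        if ($fileVersion -and [version]::TryParse(($fileVersion -split '[ ,]')[0], [ref]$parsed)) {
            $vulnerable = $parsed -lt $fixed
        }

        [pscustomobject]@{
            Name        = $d.Name
            State       = $d.State       # 'Running' means the driver is loaded in the kernel
            Path        = $path
            FileVersion = $fileVersion
            Vulnerable  = $vulnerable
        }
    }
}

function Get-VulnerableDriverBlocklistStatus {
    # Windows enforces the Microsoft Vulnerable Driver Blocklist when HVCI
    # (memory integrity) is running or when the explicit Core isolation toggle
    # is on. (Smart App Control also enforces it; that case is not checked here.)
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    $hvciRunning = [bool]($dg.SecurityServicesRunning -contains 2)   # 2 = HVCI

    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $toggle = (Get-ItemProperty -Path $key -Name 'VulnerableDriverBlocklistEnable' `
                                -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable

    [pscustomobject]@{
        HvciRunning                = $hvciRunning
        BlocklistToggle            = $toggle          # $null if the value was never written
        BlocklistEffectivelyActive = $hvciRunning -or ($toggle -eq 1)
    }
}

# Usage: run both checks and print the findings.
Get-BioNTdrvStatus | Format-Table -AutoSize
Get-VulnerableDriverBlocklistStatus | Format-List
```

An empty result from `Get-BioNTdrvStatus` means no service is registered for the driver, not that the file is absent; a supplementary `Get-ChildItem -Recurse -Filter 'BioNTdrv*.sys'` over the locations your tooling already monitors catches a staged copy that has not yet been loaded. If `BlocklistEffectivelyActive` is `$false`, enabling memory integrity (or the Core isolation toggle) is the fix the article recommends.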

Additionally, Paragon Software advises upgrading Paragon Hard Disk Manager immediately due to its reliance on the same vulnerable driver. A warning on Paragon Software’s site emphasises that users must immediately upgrade, as the driver will be blocked by Microsoft.

While the specific ransomware gangs exploiting this flaw remain unidentified, BYOVD attacks are increasingly popular among cybercriminals for gaining SYSTEM privileges on Windows devices. Notable groups employing BYOVD tactics include Scattered Spider, BlackByte ransomware, Lazarus and LockBit ransomware, among others. To prevent vulnerable drivers from being loaded on Windows devices, enabling Microsoft’s Vulnerable Driver Blocklist feature is crucial for maintaining system integrity and security.
