Security researchers have identified five vulnerabilities in the BioNTdrv.sys driver of Paragon Partition Manager, allowing attackers to escalate privileges or cause denial-of-service (DoS) attacks.
Paragon Partition Manager, developed by Paragon Software, is a widely used disk partitioning tool available in Community and Commercial editions. It provides users with capabilities such as resizing, copying, and managing disk partitions. Its kernel-level driver, BioNTdrv.sys, grants low-level disk access, making it a critical component of the software but also an attractive attack surface for cybercriminals.
“Bring your own” Paragon Partition Manager
The flaws, present in BioNTdrv.sys versions prior to 2.0.0, can be exploited through the Bring Your Own Vulnerable Driver (BYOVD) technique, so a system is exposed even if Paragon Partition Manager was never installed on it: an attacker who already has administrator rights simply drops and loads a vulnerable copy of the driver. Microsoft has observed threat actors exploiting CVE-2025-0289 in ransomware campaigns.
The vulnerabilities were identified by Microsoft researchers, who analyzed Paragon Partition Manager's kernel-level driver, BioNTdrv.sys. The software, which allows users to manage disk partitions, requires elevated privileges to function, making its driver a prime target for exploitation.
Microsoft found four vulnerabilities in Paragon Partition Manager version 7.9.1 and one additional issue affecting version 17. The affected driver builds, BioNTdrv.sys 1.3.0 and 1.5.1, fail to validate the buffers and lengths supplied with Input/Output Control (IOCTL) requests, letting a local attacker read, write or map kernel memory and so escalate privileges or crash the system. Because these builds carry a valid code signature, Windows will load them on any system where they are placed, which is what makes them usable in BYOVD attacks against hosts that never had Paragon Partition Manager installed.
The five documented vulnerabilities are:
- CVE-2025-0288 – Arbitrary kernel memory write due to improper input sanitization in the memmove function. Enables privilege escalation.
- CVE-2025-0287 – Null pointer dereference caused by the absence of a valid MasterLrp structure in the input buffer. Can lead to arbitrary kernel code execution.
- CVE-2025-0286 – Arbitrary kernel memory write vulnerability due to insufficient validation of user-supplied data lengths, allowing code execution.
- CVE-2025-0285 – Arbitrary kernel memory mapping flaw caused by failure to validate user data lengths, enabling privilege escalation.
- CVE-2025-0289 – Insecure kernel resource access: the MappedSystemVa pointer is passed to HalReturnToFirmware without validation. This is the issue affecting version 17, and it is the one Microsoft has seen exploited in the wild to obtain SYSTEM-level privileges in ransomware attacks.
Microsoft has confirmed active exploitation of CVE-2025-0289 in ransomware attacks. In the observed intrusions, threat actors use the BYOVD technique to load a vulnerable BioNTdrv.sys, escalate privileges to SYSTEM, and then execute further malicious code, typically to disable security tooling before deploying the ransomware payload.
Defense recommendations
To protect against these vulnerabilities, users should take the following actions:
- Update Paragon Partition Manager to the latest version, which ships BioNTdrv.sys 2.0.0 and fixes all five vulnerabilities.
- Enable the Microsoft Vulnerable Driver Blocklist, which now includes BioNTdrv.sys versions 1.3.0 and 1.5.1, so the flawed driver is refused at load time. The blocklist itself is delivered through Windows Update, so make sure the installed copy is current; an up-to-date Paragon installation does not protect a host on which an attacker drops an old driver.
- Enterprise administrators should make sure Hypervisor-Protected Code Integrity (HVCI, shown as Memory Integrity in Windows Security) is enabled, since the blocklist is enforced on systems with HVCI turned on, and can deploy the Microsoft recommended driver block rules through a Windows Defender Application Control (WDAC) policy where HVCI is not available. Note that HVCI alone does not stop BYOVD; it is the blocklist or a WDAC policy that actually denies the driver.
- Monitor for new kernel driver services, especially on systems where Paragon Partition Manager is not installed: Service Control Manager event 7045 in the System log records every new service, including kernel drivers, and a BioNTdrv.sys image path on a host without the product is a strong BYOVD indicator.
On Windows 11, the Vulnerable Driver Blocklist is enabled by default. Users can verify this under Windows Security > Device security > Core isolation details, where the Microsoft Vulnerable Driver Blocklist toggle appears alongside Memory Integrity.
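The checks above, as an added PowerShell triage script (this is example code, not code from the article, Paragon Software or Microsoft): it looks for BioNTdrv.sys driver services and on-disk copies and compares their file version against the 2.0.0 fix, reports whether the Vulnerable Driver Blocklist and HVCI are enforced, and pulls recent kernel-driver service installations and Code Integrity blocks from the event logs. The registry value, WMI classes and event IDs are Microsoft's standard ones; the directories searched, the 30-day window and the severity tags are assumptions of this example.

```powershell
#Requires -RunAsAdministrator
# Added triage script (not from the article, Paragon or Microsoft). Version facts
# (1.3.0/1.5.1 blocklisted, 2.0.0 fixed) come from the advisory text; the registry
# key, WMI classes and event IDs are Microsoft's documented ones. Search paths,
# the time window and the tag names are assumptions of this example.
$ErrorActionPreference = 'SilentlyContinue'
$FixedVersion = [version]'2.0.0'
$Since        = (Get-Date).AddDays(-30)
$Findings     = New-Object System.Collections.Generic.List[string]

function Get-FileVersionOrNull([string]$Path) {
    # FileVersion is free text in the PE resource; keep only the dotted numeric part.
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    if ($vi.FileVersion -match '(\d+\.\d+\.\d+(?:\.\d+)?)') { [version]$Matches[1] } else { $null }
}

# 1. Registered kernel driver services pointing at BioNTdrv.sys. A BYOVD actor can
#    register the driver under any service name, so match on the image path too.
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.Name -like 'BioNTdrv*' -or $_.PathName -like '*BioNTdrv*' } |
    ForEach-Object {
        $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        $ver  = Get-FileVersionOrNull $path
        $tag  = if ($ver -and $ver -lt $FixedVersion) { 'VULNERABLE' } else { 'INFO' }
        $Findings.Add("${tag}: driver service '$($_.Name)' ($($_.State), $($_.StartMode)) -> $path, version $ver")
    }

# 2. Copies on disk, including renamed ones: OriginalFilename in the version
#    resource survives a rename of the .sys. A 'Valid' signature is expected here;
#    the whole point of BYOVD is that the vulnerable build is legitimately signed.
$dirs = @("$env:SystemRoot\System32\drivers", $env:TEMP, $env:ProgramData)   # assumed search set
Get-ChildItem -Path $dirs -Filter '*.sys' -Recurse -File |
    Where-Object { $_.VersionInfo.OriginalFilename -like 'BioNTdrv*' -or $_.Name -like 'BioNTdrv*' } |
    ForEach-Object {
        $ver = Get-FileVersionOrNull $_.FullName
        $sig = (Get-AuthenticodeSignature $_.FullName).Status
        $tag = if ($ver -and $ver -lt $FixedVersion) { 'VULNERABLE' } else { 'INFO' }
        $Findings.Add("${tag}: on-disk copy $($_.FullName), version $ver, signature $sig")
    }

# 3. Is the Vulnerable Driver Blocklist enforced? The Windows Security toggle writes
#    VulnerableDriverBlocklistEnable; HVCI (Memory Integrity) also enforces the list.
#    The blocklist file itself arrives via Windows Update, so report how old it is.
$ci   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$dg   = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$blocklistOn = ($ci.VulnerableDriverBlocklistEnable -eq 1)
$hvciOn      = ($dg.SecurityServicesRunning -contains 2)      # 2 = HVCI running
$policy      = Get-Item "$env:SystemRoot\System32\CodeIntegrity\driversipolicy.p7b"
if (-not ($blocklistOn -or $hvciOn)) {
    $Findings.Add('WEAK: neither the Vulnerable Driver Blocklist nor HVCI is enforced; a signed 1.3.0/1.5.1 driver would load')
} else {
    $Findings.Add("OK: blocklist enabled=$blocklistOn, HVCI running=$hvciOn, blocklist file dated $($policy.LastWriteTime)")
}

# 4. Recent kernel-driver service installs (System 7045: 0=name, 1=image path,
#    2=service type) and Code Integrity refusals (CodeIntegrity/Operational 3077).
Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045; StartTime=$Since} |
    Where-Object { $_.Properties[2].Value -eq 'kernel mode driver' } |
    ForEach-Object {
        $img = $_.Properties[1].Value
        $tag = if ($img -like '*BioNTdrv*') { 'SUSPICIOUS' } else { 'REVIEW' }
        $Findings.Add("${tag}: $($_.TimeCreated) driver service '$($_.Properties[0].Value)' installed -> $img")
    }
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-CodeIntegrity/Operational'; Id=3077; StartTime=$Since} |
    Where-Object { $_.Message -match 'BioNTdrv' } |
    ForEach-Object { $Findings.Add("BLOCKED: $($_.TimeCreated) Code Integrity refused to load BioNTdrv.sys") }

if ($Findings.Count -eq 0) { 'No BioNTdrv.sys artefacts or policy problems found.' } else { $Findings }
```

Run it from an elevated PowerShell session. A VULNERABLE line on a host that has never had Paragon Partition Manager installed, or a SUSPICIOUS 7045 entry, should be treated as an incident rather than a patching task, since someone with administrator rights placed the driver there. A BLOCKED line is the desired outcome and confirms the blocklist is doing its job; a WEAK line means the host would have loaded the driver.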