Ransomware Groups Exploit Zero-Day Vulnerability in Paragon Partition Manager’s BioNTdrv.sys Driver

Monday, March 3, 2025

Microsoft has issued a warning that ransomware groups are actively exploiting a zero-day vulnerability in the BioNTdrv.sys driver of Paragon Partition Manager to attack systems and escalate privileges to SYSTEM level. The vulnerability, tracked as CVE-2025-0289, is one of five security flaws found in driver versions older than 2.0.0. The attackers use the BYOVD (Bring Your Own Vulnerable Driver) technique: because the driver is legitimately signed, they can bring a copy of it to a target, load it, and abuse its flaws to take control of the system, even if Paragon Partition Manager itself is not installed on the targeted machine. The five identified vulnerabilities are:

  • CVE-2025-0288 – Arbitrary kernel memory access vulnerability caused by an unfiltered input in the memmove function, allowing attackers to write to kernel memory.
  • CVE-2025-0287 – Null Pointer Dereference vulnerability due to an invalid MasterLrp structure, which enables attackers to execute malicious code in the kernel.
  • CVE-2025-0286 – Arbitrary kernel memory write vulnerability resulting from improper length validation, potentially allowing execution of malicious code.
  • CVE-2025-0285 – Arbitrary kernel memory mapping vulnerability, which can be exploited to escalate privileges.
  • CVE-2025-0289 – Unsafe kernel resource access vulnerability, caused by the failure to validate the MappedSystemVa pointer before passing it to HalReturnToFirmware, potentially allowing attackers to compromise critical system services.

Paragon Software has released BioNTdrv.sys version 2.0.0 to patch all vulnerabilities. The company also recommends enabling the Windows Vulnerable Driver Blocklist to prevent older versions of the driver from being exploited. Windows 11 enables this feature by default. Users and organizations should update their software to the latest version and monitor their systems for unusual behavior, such as unauthorized privilege escalation.
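As an added defensive check that is not part of the article or of Paragon's own tooling, the following PowerShell audits a Windows host for loaded or on-disk copies of BioNTdrv.sys older than 2.0.0 and reports whether the Vulnerable Driver Blocklist is switched on. It assumes an elevated session, that the driver's file-version metadata tracks the release version named in the advisory, and that the blocklist toggle lives at the documented CI\Config registry key.

```powershell
# Added example: audit for vulnerable BioNTdrv.sys copies and blocklist state.
# Assumption: file version metadata matches the 2.0.0 release numbering.
$patchedVersion = [version]'2.0.0'
$driverName     = 'BioNTdrv.sys'

function Convert-DriverPath {
    # Service PathName values come as "\SystemRoot\...", "\??\C:\..." or plain paths.
    param([string]$Path)
    $p = $Path -replace '^\\\?\?\\', ''
    return $p -replace '^\\SystemRoot', $env:SystemRoot
}

function Get-DriverVersion {
    param([string]$Path)
    try {
        $raw = (Get-Item -LiteralPath $Path -ErrorAction Stop).VersionInfo.FileVersion
        # FileVersion may carry extra build fields ("2.0.0.1"), so parse leniently.
        if ($raw -match '^\d+(\.\d+){1,3}') { return [version]$Matches[0] }
    } catch { }
    return $null
}

# 1. Drivers registered as kernel services: with BYOVD the file can live anywhere,
#    so trust the service's PathName instead of assuming System32\drivers.
$findings = @()
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName -and ([IO.Path]::GetFileName($_.PathName) -ieq $driverName) } |
    ForEach-Object {
        $full = Convert-DriverPath $_.PathName
        $findings += [pscustomobject]@{ Path = $full; State = $_.State; Version = Get-DriverVersion $full }
    }

# 2. Staged copies in the default driver store that are not (yet) registered.
Get-ChildItem "$env:SystemRoot\System32\drivers" -Filter $driverName -ErrorAction SilentlyContinue |
    Where-Object { $findings.Path -notcontains $_.FullName } |
    ForEach-Object {
        $findings += [pscustomobject]@{ Path = $_.FullName; State = 'on disk'; Version = Get-DriverVersion $_.FullName }
    }

foreach ($x in $findings) {
    $status = if ($null -eq $x.Version) { 'UNKNOWN version' }
              elseif ($x.Version -lt $patchedVersion) { 'VULNERABLE (older than 2.0.0)' }
              else { 'patched' }
    Write-Output ("{0} [{1}] v{2}: {3}" -f $x.Path, $x.State, $x.Version, $status)
}
if (-not $findings) { Write-Output "$driverName not found as a registered driver or in System32\drivers." }

# 3. Microsoft Vulnerable Driver Blocklist toggle (documented registry value; 1 = enabled).
$ci = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
Write-Output ("Vulnerable Driver Blocklist enabled: {0}" -f ($ci.VulnerableDriverBlocklistEnable -eq 1))
```

If the registry value is absent, the blocklist may still be enforced through memory integrity (HVCI); confirm under Windows Security > Device security > Core isolation.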

Source: https://securityaffairs.com/174789/cyber-crime/ransomware-gangs-paragon-partition-manager-biontdrv-sys-driver-zero-day-attacks.html