Threat actors have been exploiting a security vulnerability in Paragon Partition Manager’s BioNTdrv.sys driver in ransomware attacks to escalate privileges and execute arbitrary code.
The zero-day flaw (CVE-2025-0289) is part of a set of five vulnerabilities that was discovered by Microsoft, according to the CERT Coordination Center (CERT/CC).
“These include arbitrary kernel memory mapping and write vulnerabilities, a null pointer dereference, insecure kernel resource access, and an arbitrary memory move vulnerability,” CERT/CC said.
In a hypothetical attack scenario, an adversary with local access to a Windows machine can exploit these shortcomings to escalate privileges or cause a denial-of-service (DoS) condition by taking advantage of the fact that “BioNTdrv.sys” is signed by Microsoft.
This could also pave the way for what’s called a Bring Your Own Vulnerable Driver (BYOVD) attack on systems where the driver is not installed, thereby allowing the threat actors to obtain elevated privileges and execute malicious code.
The list of vulnerabilities, which impact BioNTdrv.sys versions 1.3.0 and 1.5.1, is as follows –
The vulnerabilities have since been addressed by Paragon Software with version 2.0.0 of the driver, with the susceptible version of the driver added to Microsoft’s driver blocklist.
The development comes days after Check Point revealed details of a large-scale malware campaign that leveraged another vulnerable Windows driver associated with Adlice’s product suite (“truesight.sys”) to bypass detection and deploy the Gh0st RAT malware.
