Recent investigations have revealed that ransomware operators exploited a vulnerability in BioNTdrv.sys, the kernel driver shipped with Paragon Partition Manager, to escalate privileges and run code of their choosing on victim systems. The flaw, tracked as CVE-2025-0289, was exploited as a zero-day and is one of five vulnerabilities in the driver that Microsoft identified and reported to the CERT Coordination Center (CERT/CC).
According to CERT/CC, the vulnerabilities fall into several categories: arbitrary kernel memory mapping and arbitrary kernel memory write flaws, a null pointer dereference, insecure access to kernel resources, and an arbitrary memory move. Because BioNTdrv.sys is Microsoft-signed and accepts requests from user mode, an attacker who already has local access to a Windows system can use it to escalate privileges to kernel level or to crash the machine (a denial-of-service condition). None of the flaws is remotely exploitable on its own; they require code execution on the host first.
Because the signed driver will load on any Windows system, exploitation is not limited to machines that have Paragon Partition Manager installed. In a Bring Your Own Vulnerable Driver (BYOVD) attack, the adversary ships a copy of the vulnerable BioNTdrv.sys with their malware, loads it on the target (its valid Microsoft signature lets it pass driver signature enforcement unless the driver blocklist stops it), and then exploits it to obtain kernel-level code execution before deploying ransomware. The affected driver versions are 1.3.0 and 1.5.1.
The five issues are: CVE-2025-0285, where the driver fails to validate user-supplied data lengths, allowing arbitrary kernel memory to be mapped; CVE-2025-0286, a related length-validation failure that allows arbitrary kernel memory writes; CVE-2025-0287, a null pointer dereference caused by missing validation of a structure in the input buffer; CVE-2025-0288, in which user-controlled input is passed unsanitized to a memmove operation, yielding an arbitrary kernel memory write; and CVE-2025-0289, insecure kernel resource access caused by a pointer that is not validated before being handed to a kernel routine. Any one of them gives a local attacker a path from user mode into kernel memory, which is what makes the driver valuable to ransomware operators.
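To make the bug class behind CVE-2025-0285, CVE-2025-0286 and CVE-2025-0288 concrete, the following is an added illustration written for this article; it is not code from BioNTdrv.sys or from Paragon. It is a user-mode C model of a driver request handler that trusts the offset and length fields a user-mode caller places in the request, beside a hardened handler that bounds every user-controlled quantity before the memmove. The request layout (`ioctl_hdr_t`), the `kernel_object_t` target with its guard bytes, and the status names are all invented for the illustration.

```c
/* User-mode model of the IOCTL input-validation bug class behind
 * CVE-2025-0285/-0286/-0288 (unchecked user-supplied lengths and offsets
 * driving a kernel memmove). Hypothetical layout, not BioNTdrv.sys code. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical request header at the start of the IOCTL input buffer. */
typedef struct {
    uint32_t offset;   /* user-controlled: where in the target to write */
    uint32_t length;   /* user-controlled: how many payload bytes follow */
} ioctl_hdr_t;

#define SLOT_SIZE  16
#define GUARD_SIZE 16

/* Model of a kernel object: a slot the request may legitimately fill, then
 * state standing in for adjacent pool memory that must never be touched. */
typedef struct {
    uint8_t slot[SLOT_SIZE];
    uint8_t guard[GUARD_SIZE];   /* expected to stay 0xAA */
} kernel_object_t;

typedef enum { ST_OK = 0, ST_INVALID_PARAMETER, ST_BUFFER_TOO_SMALL } status_t;

/* VULNERABLE: trusts offset/length from the request; the I/O manager's
 * in_len and the size of the destination are never consulted. */
status_t handle_ioctl_vulnerable(kernel_object_t *obj, const void *in, size_t in_len)
{
    ioctl_hdr_t hdr;
    (void)in_len;                          /* the bug: never checked */
    if (obj == NULL || in == NULL)
        return ST_INVALID_PARAMETER;
    memcpy(&hdr, in, sizeof hdr);
    memmove((uint8_t *)obj + hdr.offset,
            (const uint8_t *)in + sizeof hdr, hdr.length);
    return ST_OK;
}

/* HARDENED: every user-controlled quantity is bounded before the memmove. */
status_t handle_ioctl_hardened(kernel_object_t *obj, const void *in, size_t in_len)
{
    ioctl_hdr_t hdr;
    if (obj == NULL || in == NULL)         /* CVE-2025-0287 class: missing input */
        return ST_INVALID_PARAMETER;
    if (in_len < sizeof hdr)               /* header must fit in what was sent */
        return ST_BUFFER_TOO_SMALL;
    memcpy(&hdr, in, sizeof hdr);          /* single fetch; no re-reads of user memory */
    if (hdr.length > in_len - sizeof hdr)  /* claimed payload must really be present */
        return ST_INVALID_PARAMETER;
    /* [offset, offset+length) must lie inside the slot; written this way so
     * offset + length cannot wrap around a 32-bit integer. */
    if (hdr.offset > SLOT_SIZE || hdr.length > SLOT_SIZE - hdr.offset)
        return ST_INVALID_PARAMETER;
    memmove(obj->slot + hdr.offset, (const uint8_t *)in + sizeof hdr, hdr.length);
    return ST_OK;
}

/* 1 if the guard bytes are untouched, 0 if the handler wrote over them. */
int guard_intact(const kernel_object_t *obj)
{
    for (size_t i = 0; i < GUARD_SIZE; i++)
        if (obj->guard[i] != 0xAA)
            return 0;
    return 1;
}

/* Builds a constructed 32-byte request (8-byte header + up to 24 payload
 * bytes of 0x41) with the given offset/length and runs it through one
 * handler on a fresh object. Callers keep offset+length <= 32 so the model
 * itself has no undefined behaviour; a real driver would corrupt whatever
 * pool memory follows the object. Returns guard_intact() afterwards, or -1
 * if the requested payload does not fit the constructed buffer. */
int run_request(int use_hardened, uint32_t offset, uint32_t length, status_t *status_out)
{
    union { uint32_t align; uint8_t bytes[32]; } raw = { .bytes = {0} };
    ioctl_hdr_t hdr = { .offset = offset, .length = length };
    kernel_object_t obj;
    status_t st;

    if (length > sizeof raw.bytes - sizeof hdr)
        return -1;
    memcpy(raw.bytes, &hdr, sizeof hdr);
    memset(raw.bytes + sizeof hdr, 0x41, length);
    memset(obj.slot, 0, SLOT_SIZE);
    memset(obj.guard, 0xAA, GUARD_SIZE);

    st = use_hardened ? handle_ioctl_hardened(&obj, raw.bytes, sizeof raw.bytes)
                      : handle_ioctl_vulnerable(&obj, raw.bytes, sizeof raw.bytes);
    if (status_out)
        *status_out = st;
    return guard_intact(&obj);
}

/* Status code returned by the chosen handler for a constructed request. */
int request_status(int use_hardened, uint32_t offset, uint32_t length)
{
    status_t st = ST_INVALID_PARAMETER;
    run_request(use_hardened, offset, length, &st);
    return (int)st;
}

int main(void)
{
    /* offset 8 + length 24 reaches byte 32: 16 bytes past the 16-byte slot */
    printf("vulnerable handler, oversized write: guard %s\n",
           run_request(0, 8, 24, NULL) ? "intact" : "CLOBBERED");
    printf("hardened handler, oversized write:   guard %s (status %d)\n",
           run_request(1, 8, 24, NULL) ? "intact" : "CLOBBERED", request_status(1, 8, 24));
    printf("hardened handler, legitimate write:  status %d\n", request_status(1, 0, 16));
    return 0;
}
```

The constructed request claims 24 payload bytes at offset 8 against a 16-byte slot. The vulnerable handler copies it and overwrites the guard region; the hardened one rejects it because the write window leaves the slot, while a legitimate request (offset 0, length 16) still succeeds. Note the order of checks in the hardened handler: the header size is verified against the I/O manager's length before the header is read, the claimed payload length is verified against the bytes actually supplied, and the destination bound is expressed as `length > SLOT_SIZE - offset` only after `offset <= SLOT_SIZE` is known, so a large offset cannot wrap the sum. Copying the header out once also avoids double-fetch problems when the input buffer is still user-accessible.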
Paragon Software has fixed all five issues in BioNTdrv.sys version 2.0.0, and Microsoft has added the vulnerable versions to its Vulnerable Driver Blocklist. Two points matter for defenders. First, updating Paragon Partition Manager removes the old driver from machines that have it installed but does nothing against BYOVD, where the attacker supplies their own copy; that scenario is covered only by the blocklist. Second, the blocklist protects only where Windows actually enforces it: it is on by default on current Windows 11 releases and on any system with memory integrity (HVCI) or Smart App Control enabled, and it can be toggled under Core isolation in Windows Security, so confirm enforcement across the fleet rather than assuming it. The disclosure coincides with a Check Point report on a separate large-scale malware campaign that abused a different vulnerable Windows driver to evade detection and deploy the Gh0st RAT.
Understanding where these attacks sit in the kill chain helps with detection. In MITRE ATT&CK terms the driver flaws do not provide initial access: the attacker must already be running code on the host, and the driver is then used for Exploitation for Privilege Escalation (T1068) to move from user mode into the kernel, commonly followed by tampering with or disabling endpoint security tooling from that vantage point. Defenders should therefore alert on BioNTdrv.sys being loaded on hosts where Paragon software is not installed, in addition to patching promptly and keeping the driver blocklist enforced.
Incidents of this kind are frequent and affect every sector. Organizations should treat signed but vulnerable drivers as part of their attack surface: inventory the kernel drivers present on endpoints, keep the Microsoft blocklist enforced, and apply vendor fixes as soon as they are available.