Five critical memory vulnerabilities in Paragon Partition Manager’s BioNTdrv.sys driver have been discovered, allowing attackers to escalate privileges and cause denial-of-service conditions on affected systems.
The vulnerabilities, identified in versions prior to 2.0.0, were officially disclosed on February 28, 2025, by the CERT Coordination Center, following reports from Microsoft about active exploitation in ransomware campaigns.
The discovered flaws include arbitrary kernel memory mapping and write vulnerabilities, a null pointer dereference issue, insecure kernel resource access, and an arbitrary memory move vulnerability.
These security issues have been assigned five distinct CVE identifiers: CVE-2025-0285, CVE-2025-0286, CVE-2025-0287, CVE-2025-0288, and CVE-2025-0289.
Security analysts at Carnegie Mellon University noted that the most concerning aspect of these vulnerabilities is that they can be exploited even if Paragon Partition Manager isn’t installed on the target system, through a technique known as Bring Your Own Vulnerable Driver (BYOVD): an attacker with administrative rights drops the signed, vulnerable driver onto the machine and loads it.
Security researchers describe CVE-2025-0286 as an arbitrary kernel memory write vulnerability in version 7.9.1, caused by improper validation of user-supplied data lengths.
This allows attackers to write to arbitrary locations in kernel memory, potentially compromising the entire system. Similarly, CVE-2025-0289 involves insecure kernel resource access in version 17, caused by failure to validate the MappedSystemVa pointer before passing it to HalReturnToFirmware, effectively allowing attackers to compromise the affected service.
Microsoft has observed threat actors actively exploiting these vulnerabilities in ransomware attacks. Specifically, attackers have been leveraging CVE-2025-0289 to achieve privilege escalation to SYSTEM level, which then enables them to execute additional malicious code with elevated permissions.
This exploitation pattern demonstrates how driver vulnerabilities can serve as an entry point for sophisticated attack chains.
Mitigation and Protection Measures
Paragon Software has responded to these security concerns by releasing an updated driver, BioNTdrv.sys version 2.0.0, which addresses all five vulnerabilities.
Users of Paragon Partition Manager should immediately update their software to the latest version to protect against potential attacks. Windows users should also verify that the Microsoft Vulnerable Driver Blocklist is active (it is enabled by default on Windows 11), which provides an additional layer of protection.
This blocklist prevents the loading of known vulnerable drivers, including the affected versions of BioNTdrv.sys (1.3.0 and 1.5.1).
Enterprise organizations face particular risks from these vulnerabilities, as ransomware operators have demonstrated the capability to deploy these exploits at scale.
Security administrators should prioritize applying the driver blocklist across their environments and implement comprehensive endpoint monitoring to detect attempts to load vulnerable drivers.
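The checks recommended above, as an added example rather than code from the article, Paragon or Microsoft: a PowerShell audit that confirms the Vulnerable Driver Blocklist toggle, reports any registered BioNTdrv.sys driver older than the fixed 2.0.0 build, and pulls driver-install events that would reveal a BYOVD drop on a host that never had Paragon installed. It assumes Microsoft's documented registry location for the blocklist toggle (`HKLM\SYSTEM\CurrentControlSet\Control\CI\Config`, value `VulnerableDriverBlocklistEnable`) and Service Control Manager event ID 7045 for new service registrations.

```powershell
# Added example (not from the article, Paragon or Microsoft). Assumptions: the
# blocklist toggle is VulnerableDriverBlocklistEnable under
# HKLM\SYSTEM\CurrentControlSet\Control\CI\Config, and a newly registered
# driver service is logged as System event 7045. Run from an elevated shell.
$Fixed = [version]'2.0.0'   # first fixed BioNTdrv.sys release per the advisory

function Test-VulnerableDriverBlocklist {
    # $true when the Microsoft Vulnerable Driver Blocklist is switched on.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $val = Get-ItemProperty -Path $key -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue
    return ($null -ne $val -and $val.VulnerableDriverBlocklistEnable -eq 1)
}

function Get-BioNTdrvStatus {
    # Every registered BioNTdrv.sys driver service, its file version, and
    # whether that version predates the 2.0.0 fix.
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.PathName -match 'BioNTdrv\.sys' } |
        ForEach-Object {
            # Normalise kernel-style paths (\??\C:\... or \SystemRoot\...) to Win32 paths.
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
            $raw  = (Get-Item $path -ErrorAction SilentlyContinue).VersionInfo.FileVersion
            $ver  = $null
            if ($raw) { try { $ver = [version](($raw -split ' ')[0]) } catch { } }
            [pscustomobject]@{
                Service    = $_.Name
                State      = $_.State
                Path       = $path
                Version    = $raw
                Vulnerable = ($null -ne $ver -and $ver -lt $Fixed)
            }
        }
}

function Get-BioNTdrvInstallEvents {
    # Event 7045 records each new service, kernel drivers included; a BYOVD
    # load of BioNTdrv.sys appears here even without Paragon Partition Manager.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'BioNTdrv' } |
        Select-Object TimeCreated, @{ n = 'Detail'; e = { ($_.Message -split "`n")[0..3] -join ' ' } }
}

if (-not (Test-VulnerableDriverBlocklist)) {
    Write-Warning 'Microsoft Vulnerable Driver Blocklist is not enabled on this host.'
}
Get-BioNTdrvStatus | Format-Table -AutoSize
Get-BioNTdrvInstallEvents | Format-Table -AutoSize
```

A host that reports the blocklist enabled, no BioNTdrv.sys service (or one at 2.0.0 or later), and no matching 7045 events has applied the mitigations the advisory recommends; any row flagged `Vulnerable` or any unexpected install event is worth an incident-response look.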