Full Report
Threat actors have been exploiting a security vulnerability in Paragon Partition Manager's BioNTdrv.sys driver in ransomware attacks to escalate privileges and execute arbitrary code. The zero-day flaw (CVE-2025-0289) is part of a set of five vulnerabilities that was discovered by Microsoft, according to the CERT Coordination Center (CERT/CC). "These include arbitrary kernel memory mapping and
Analysis Summary
# Vulnerability: Multiple Privilege Escalation Flaws in Paragon Partition Manager Driver (BioNTdrv.sys) Exploited in Ransomware
## CVE Details
- CVE ID: CVE-2025-0285, CVE-2025-0286, CVE-2025-0287, CVE-2025-0288, CVE-2025-0289
- CVSS Score: Not explicitly provided (Severity implied as High due to active exploitation in ransomware)
- CWE: Various (Memory mapping, memory write, null pointer dereference, insecure resource access)
## Affected Systems
- Products: Paragon Partition Manager (Product Line Utilizing BioNTdrv.sys)
- Versions: BioNTdrv.sys versions 1.3.0 and 1.5.1 (Specific Paragon software versions referenced are 7.9.1 for CVE-2025-0285 through 0288, and version 17 for CVE-2025-0289)
- Configurations: Local access required on a Windows machine where the driver is installed.
## Vulnerability Description
Five related vulnerabilities were discovered in the `BioNTdrv.sys` driver used by Paragon Partition Manager. These flaws allow a local, unprivileged attacker to gain high privileges; because the driver itself is a Microsoft-signed binary, it loads on systems that enforce driver signing. The issues include:
* **CVE-2025-0285:** Arbitrary kernel memory mapping due to failure to validate user-supplied data lengths.
* **CVE-2025-0286:** Arbitrary kernel memory write due to improper validation of user-supplied data lengths, allowing arbitrary code execution.
* **CVE-2025-0287:** Null pointer dereference causing arbitrary kernel code execution and privilege escalation.
* **CVE-2025-0288:** Arbitrary kernel memory write via the `memmove` function due to insufficient sanitization of user-controlled input.
* **CVE-2025-0289:** Insecure kernel resource access due to failure to validate the `MappedSystemVa` pointer before passing it to `HalReturnToFirmware`.
These vulnerabilities can be chained to escalate privileges or cause a Denial of Service (DoS). Because the driver is Microsoft-signed, they can also be used in Bring Your Own Vulnerable Driver (BYOVD) attacks, in which the attacker loads the driver on a system where it is present but not actively used by the legitimate application.
## Exploitation
- Status: Exploited in the wild (Used in ransomware attacks)
- Complexity: Not explicitly stated; exploitation in the wild indicates the flaws are practically exploitable, likely at low to medium complexity for privilege escalation.
- Attack Vector: Local (Requires local access to the machine)
## Impact
- Confidentiality: High (Privilege escalation allows access to sensitive kernel data/operations)
- Integrity: High (Arbitrary kernel code execution allows total system compromise)
- Availability: High (DoS condition possible)
## Remediation
### Patches
- Paragon Software addressed all reported issues with driver version **2.0.0** of the `BioNTdrv.sys` component across their Hard Disk Manager product line.
- Microsoft has added the susceptible versions of the driver to its driver blocklist.
### Workarounds
- Remove or uninstall Paragon Partition Manager software if immediate patching is not possible.
- Where possible, administrators should enforce Microsoft's recommended driver block rules so that the vulnerable driver cannot load.
## Detection
- Indicators of Compromise: No specific indicators are provided; look for vulnerable `BioNTdrv.sys` versions being present or loaded on hosts, for activity indicating kernel memory manipulation, and for sudden, unauthorized privilege escalation of local accounts.
- Detection methods and tools: Monitor I/O control requests sent to the `BioNTdrv.sys` device for anomalous data lengths or input buffers reaching sensitive kernel functions (`memmove`, etc.). Use endpoint detection and response (EDR) solutions capable of hooking and monitoring kernel driver activity.
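The driver inventory and block-rule checks described under Remediation and Detection can be scripted on a Windows host. The PowerShell below is an added example written for this summary, not code from CERT/CC, Paragon or Microsoft: it locates copies of `BioNTdrv.sys` registered as kernel driver services or stored in the standard driver directories, compares each file version with the fixed 2.0.0 release and the 1.3.0/1.5.1 versions named above, reads the vulnerable-driver-blocklist registry switch and HVCI state, and lists recent service-install events (System log event ID 7045) naming the driver. The registry value `VulnerableDriverBlocklistEnable`, the `Win32_DeviceGuard` class and event ID 7045 are taken from Microsoft's documentation rather than from this advisory, and the function names are this example's own.

```powershell
# Added example (not from CERT/CC, Paragon or Microsoft): audit a Windows host for the
# Paragon BioNTdrv.sys driver, compare its version with the advisory's fixed release,
# check blocklist enforcement, and list recent service installs that name the driver.
# Assumptions: the VulnerableDriverBlocklistEnable registry value, the Win32_DeviceGuard
# class and System event ID 7045 behave as documented by Microsoft; none are part of the advisory.
# Run from an elevated PowerShell prompt.

$DriverName      = 'BioNTdrv.sys'
$FixedVersion    = [version]'2.0.0'                       # Paragon's fixed driver release
$KnownVulnerable = @([version]'1.3.0', [version]'1.5.1')  # versions named in the advisory

function Get-DriverFileVersion {
    param([string]$Path)
    # Build a three-part version from the numeric fields so '1.3.0.0' on disk matches '1.3.0'.
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    return [version]"$($vi.FileMajorPart).$($vi.FileMinorPart).$($vi.FileBuildPart)"
}

function Get-BioNTdrvFindings {
    $paths   = New-Object -TypeName 'System.Collections.Generic.HashSet[string]' -ArgumentList ([StringComparer]::OrdinalIgnoreCase)
    $running = @()

    # Kernel driver services that reference the file, whether or not they are currently running.
    foreach ($svc in Get-CimInstance -ClassName Win32_SystemDriver) {
        if (-not $svc.PathName -or $svc.PathName -notlike "*\$DriverName") { continue }
        $p = $svc.PathName -replace '^\\\?\?\\', ''             # drop the NT '\??\' prefix
        $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"    # expand '\SystemRoot\'
        [void]$paths.Add($p)
        if ($svc.State -eq 'Running') { $running += $p }
    }
    # Copies on disk in the standard driver directories; a freshly dropped driver may have no service yet.
    foreach ($root in @("$env:SystemRoot\System32\drivers", "$env:SystemRoot\System32\DriverStore\FileRepository")) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Filter $DriverName -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object { [void]$paths.Add($_.FullName) }
    }

    foreach ($p in $paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }   # service entry pointing at a deleted file
        $ver = Get-DriverFileVersion -Path $p
        $verdict = if ($ver -ge $FixedVersion)             { 'Patched (2.0.0 or later)' }
                   elseif ($KnownVulnerable -contains $ver) { 'Vulnerable (version named in advisory)' }
                   else                                      { 'Vulnerable (older than 2.0.0)' }
        $sig    = Get-AuthenticodeSignature -LiteralPath $p
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'no signature' }
        [pscustomobject]@{
            Path        = $p
            FileVersion = $ver
            Verdict     = $verdict
            Signer      = $signer
            Running     = ($running -contains $p)
        }
    }
}

function Get-DriverBlocklistState {
    # Microsoft documents this value as the switch for its vulnerable driver blocklist (1 = enabled).
    # Its absence does not by itself prove the blocklist is off on newer Windows builds, where it is on by default.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $prop = Get-ItemProperty -Path $key -Name 'VulnerableDriverBlocklistEnable' -ErrorAction SilentlyContinue
    # HVCI (memory integrity) also enforces the blocklist; service code 2 in SecurityServicesRunning is HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    [pscustomobject]@{
        BlocklistRegistryValue = if ($prop) { $prop.VulnerableDriverBlocklistEnable } else { 'not set' }
        HvciRunning            = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))
    }
}

function Get-BioNTdrvServiceInstallEvents {
    param([int]$Days = 30)
    # Event 7045 (Service Control Manager) records every new service, kernel drivers included;
    # a driver dropped by an attacker usually appears here with a path outside the product's install directory.
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$DriverName*" } |
        Select-Object TimeCreated, Message
}

$findings = @(Get-BioNTdrvFindings)
if ($findings.Count -eq 0) {
    Write-Host "No $DriverName found in driver services or standard driver directories."
} else {
    $findings | Format-Table -AutoSize -Wrap
}

$block = Get-DriverBlocklistState
$block | Format-List

$events = @(Get-BioNTdrvServiceInstallEvents)
Write-Host ("{0} service-install event(s) naming {1} in the last 30 days" -f $events.Count, $DriverName)
$events | Format-List

$vulnerable = @($findings | Where-Object { $_.Verdict -like 'Vulnerable*' })
if ($vulnerable.Count -gt 0 -and -not ($block.BlocklistRegistryValue -eq 1 -or $block.HvciRunning)) {
    Write-Warning "Vulnerable $DriverName present and no blocklist enforcement detected: update to 2.0.0 or remove the software."
}
```

The script treats any version below 2.0.0 as vulnerable rather than only the two versions the advisory names, which is the conservative reading of a fix released as a single version. Run it per host or wrap it in a remoting job; the signer column helps distinguish the genuine Microsoft-signed driver from an unsigned lookalike, and a hit on a machine with no Paragon installation is the BYOVD case described above.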
## References
- Vendor Advisories: Paragon Software Security Patch information (Implied by mention of version 2.0.0 fix)
- Relevant links:
- certkb[.]cert[.]org/vuls/id/726882
- paragon-software[.]zendesk[.]com/hc/en-us/articles/32993902732817-IMPORTANT-Paragon-Driver-Security-Patch-for-All-Products-of-Hard-Disk-Manager-Product-Line-Biontdrv-sys
- learn[.]microsoft[.]com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules