A series of critical vulnerabilities in the BioNTdrv.sys kernel driver shipped with Paragon Software's Hard Disk Manager (HDM) product line is being abused by ransomware groups to escalate privileges and execute code in the Windows kernel.
The flaws, tracked as CVE-2025-0285 through CVE-2025-0289, let a local attacker map and write kernel memory, trigger null-pointer dereferences, and bypass security controls. Because the driver carries a valid Microsoft signature, it can be dropped and loaded on any Windows system, including devices where no Paragon software is installed.
Technical Breakdown of Vulnerabilities
The BioNTdrv.sys driver, integral to Paragon's disk management tools, contains five flaws discovered by Microsoft researchers. Four are memory-safety bugs in the driver's handling of user-supplied IOCTL input; the fifth is an unchecked pointer handed to a HAL routine.
They are:
- CVE-2025-0285: Arbitrary kernel memory mapping caused by a failure to validate user-supplied length values (BioNTdrv.sys 1.3.0), enabling privilege escalation.
- CVE-2025-0286: Arbitrary kernel memory write caused by a failure to validate the length of user-supplied data (BioNTdrv.sys 1.3.0), enabling arbitrary code execution.
- CVE-2025-0287: Null pointer dereference caused by missing validation of the MasterLrp structure in the input buffer (BioNTdrv.sys 1.3.0), enabling arbitrary kernel code execution.
- CVE-2025-0288: Arbitrary kernel memory write caused by a memmove call that does not sanitize user-controlled input (BioNTdrv.sys 1.3.0), enabling privilege escalation.
- CVE-2025-0289: Insecure kernel resource access caused by passing an unvalidated MappedSystemVa pointer to HalReturnToFirmware (BioNTdrv.sys 1.5.1). This is the flaw being actively exploited in ransomware campaigns.
Attackers use Bring Your Own Vulnerable Driver (BYOVD) tactics: because BioNTdrv.sys is signed through Microsoft's hardware compatibility program, the vulnerable version passes driver signature enforcement and can be installed on a host that never had Paragon software. Loading a kernel driver already requires administrator rights, so in this scenario the payoff is not SYSTEM but kernel-mode code execution, which sits above every user-mode protection.
From the kernel, ransomware operators terminate protected security processes such as EDR agents, disable other defenses, and deploy their payloads.
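The following is an added example, not code from the article, Paragon or Microsoft. It hunts a single host for the kernel-driver installs and loads that BYOVD relies on, using two event sources: Service Control Manager event 7045 in the System log ("a service was installed"), which is written on every Windows install, and Sysmon event 6 ("Driver loaded"), which exists only where Sysmon is deployed. The lookback window, the path patterns and the name list are assumptions chosen for illustration; the only driver name taken from the article is BioNTdrv.sys.

```powershell
# Added example (not from the article, Paragon or Microsoft): hunt one host for
# kernel-driver installs (System/7045) and loads (Sysmon/6) typical of BYOVD.
# Lookback, path patterns and the watch list below are assumptions for illustration.

$LookbackDays = 30
$Since = (Get-Date).AddDays(-$LookbackDays)

# Driver file names this host should never be loading; BioNTdrv.sys is from the article.
$WatchedDriverNames = @('BioNTdrv.sys')

# Locations from which a legitimately installed kernel driver is rarely loaded.
# BYOVD tooling usually drops the .sys next to the payload or in a temp directory.
$SuspiciousPathRegex = '\\Users\\|\\Temp\\|\\ProgramData\\|\\Downloads\\|\\AppData\\'

function ConvertFrom-EventData {
    # Turn the <EventData><Data Name="..."> section of an event into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

function Get-KernelDriverInstalls {
    # Event 7045 fires for every new service; keep only kernel-mode drivers.
    $filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045; StartTime = $Since }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $d = ConvertFrom-EventData $e
        if ($d['ServiceType'] -notlike '*kernel mode driver*') { continue }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Source    = 'System/7045'
            Name      = $d['ServiceName']
            ImagePath = $d['ImagePath']
            StartType = $d['StartType']
            Signature = '(not recorded by 7045)'
        }
    }
}

function Get-SysmonDriverLoads {
    # Sysmon event 6 records the image path, file hashes and Authenticode status.
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6; StartTime = $Since }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $d = ConvertFrom-EventData $e
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Source    = 'Sysmon/6'
            Name      = [System.IO.Path]::GetFileName($d['ImageLoaded'])
            ImagePath = $d['ImageLoaded']
            StartType = ''
            Signature = "$($d['Signature']) / $($d['SignatureStatus'])"
        }
    }
}

function Test-SuspiciousDriverEvent {
    param($Record)
    # A valid signature is NOT a clean bill of health: BYOVD works precisely because
    # the abused driver is legitimately signed. Flag on file name and load location.
    $fileName = [System.IO.Path]::GetFileName($Record.ImagePath)
    $reasons  = @()
    if ($WatchedDriverNames -contains $fileName)       { $reasons += 'known vulnerable driver name' }
    if ($Record.ImagePath -match $SuspiciousPathRegex) { $reasons += 'loaded from user-writable location' }
    if ($reasons.Count -gt 0) {
        $Record | Add-Member -NotePropertyName Reasons -NotePropertyValue ($reasons -join '; ') -PassThru
    }
}

$findings = @(Get-KernelDriverInstalls) + @(Get-SysmonDriverLoads) |
    ForEach-Object { Test-SuspiciousDriverEvent $_ } |
    Sort-Object Time

if ($findings) { $findings | Format-Table Time, Source, Name, Reasons, ImagePath -AutoSize }
else { Write-Host "No suspicious kernel-driver installs or loads in the last $LookbackDays days." }
```

Run it elevated, since reading the System log's full event data and the Sysmon channel requires administrator rights. The name-and-path heuristics are deliberately narrow; in production, extend the watch list with the file hashes published in Microsoft's Vulnerable Driver Blocklist rather than relying on names, which an attacker can rename at will.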
Impact and Exploitation
Microsoft confirmed observing CVE-2025-0289 in ransomware attacks, where threat actors pair the vulnerable driver with their own code to take control of victim systems.
Local access is sufficient to trigger a denial of service (a kernel crash and Blue Screen of Death) or, with a working exploit, to escalate privileges and continue the intrusion.
The driver’s kernel-level access permits direct manipulation of hardware resources, making it a high-value target for advanced adversaries.
Mitigation and Patching
Paragon Software released BioNTdrv.sys version 2.0.0 in updates for its Hard Disk Manager line (version 17.45.0 and later). The new driver restricts which IOCTL commands it accepts and applies an SDDL security descriptor so that only administrators can open the driver's device object.
Additionally, Microsoft added the vulnerable driver versions to its Vulnerable Driver Blocklist, which is enabled by default on Windows 11.
Organizations must:
- Update Paragon software immediately to a release that ships BioNTdrv.sys 2.0.0 or later.
- Verify that the blocklist is active under Windows Security → Device Security → Core Isolation (Microsoft Vulnerable Driver Blocklist).
- Monitor for unexpected kernel-driver installs and privilege escalation attempts, particularly in environments with outdated Paragon tools or where BioNTdrv.sys appears on hosts that never had Paragon software.
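The following is an added example, not Paragon's or Microsoft's code, that checks one host against the three steps above: whether any copy of BioNTdrv.sys on disk is older than the fixed 2.0.0 release, whether the driver is registered and running as a service, and how the Vulnerable Driver Blocklist is configured. The fixed version comes from the article; the search locations and the `VulnerableDriverBlocklistEnable` registry value (Microsoft's documented toggle for the blocklist) are assumptions noted in the comments.

```powershell
# Added example (not Paragon's or Microsoft's code): audit one host for
# BioNTdrv.sys and for the Vulnerable Driver Blocklist setting.
# Fixed version is from the article; search roots and registry value are assumptions.

$FixedDriverVersion = [version]'2.0.0'

function Get-BioNTdrvFiles {
    # The shipped copy lives under System32\drivers; a BYOVD drop can sit anywhere,
    # so also sweep common staging folders (an assumed, not exhaustive, list).
    $roots = @("$env:SystemRoot\System32\drivers", $env:ProgramData, $env:TEMP, "$env:SystemDrive\Users")
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -Filter 'BioNTdrv.sys' -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                # FileVersionRaw is a [version] parsed from the PE version resource (PS 5.1+).
                $ver = $_.VersionInfo.FileVersionRaw
                [pscustomobject]@{
                    Path       = $_.FullName
                    Version    = $ver
                    # No version resource at all is treated as suspect, not as safe.
                    Vulnerable = ($null -eq $ver -or $ver -lt $FixedDriverVersion)
                    SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

function Get-BioNTdrvService {
    # Win32_SystemDriver lists kernel drivers registered as services. Match on the
    # image path rather than the service name, which an attacker chooses freely.
    Get-CimInstance -ClassName Win32_SystemDriver -Filter "PathName LIKE '%BioNTdrv%'" |
        Select-Object Name, State, StartMode, PathName
}

function Get-VulnerableDriverBlocklistState {
    # Documented registry toggle for the Microsoft Vulnerable Driver Blocklist.
    # A missing value means the OS default applies (on by default on Windows 11);
    # the Windows Security > Device Security > Core Isolation page shows the effective state.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $val = Get-ItemProperty -Path $key -Name 'VulnerableDriverBlocklistEnable' -ErrorAction SilentlyContinue
    if ($null -eq $val) { return 'not set (OS default)' }
    if ($val.VulnerableDriverBlocklistEnable -eq 1) { return 'enabled' } else { return 'disabled' }
}

function Invoke-BioNTdrvAudit {
    $files   = @(Get-BioNTdrvFiles)
    $service = @(Get-BioNTdrvService)
    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        VulnerableCopiesOnDisk    = @($files | Where-Object Vulnerable).Count
        DriverFiles               = $files
        RegisteredDriverService   = $service
        DriverCurrentlyRunning    = [bool]($service | Where-Object State -eq 'Running')
        VulnerableDriverBlocklist = Get-VulnerableDriverBlocklistState
    }
}

Invoke-BioNTdrvAudit | Format-List

# Fleet-wide: save this file as Audit-BioNTdrv.ps1 and push it over remoting:
#   Invoke-Command -ComputerName (Get-Content .\hosts.txt) -FilePath .\Audit-BioNTdrv.ps1
```

A host reporting `VulnerableCopiesOnDisk` greater than zero, or the driver running from any path other than the Paragon install location, warrants the event-log hunt rather than just a patch: on a machine that never had Paragon installed, the file's presence is itself the indicator.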
Ongoing Risks and Recommendations
While patches mitigate the immediate threat, systems running Windows versions that the updated driver no longer supports (Windows 7 and 8.1 are cited) remain exposed: the fixed driver cannot be installed there because of its signing requirements, and the Vulnerable Driver Blocklist is not available on those platforms either.
Cybersecurity experts urge enterprises to prioritize patch deployment and to monitor endpoints for unexpected kernel-driver loads, since BYOVD remains a staple of ransomware operations precisely because it defeats user-mode defenses.
The exploitation of these flaws underscores the risk posed by third-party kernel drivers, signed or not, and the need to keep vulnerable-driver blocking and patch management current across the fleet.