Paragon Partition Manager Vulnerabilities Enabling Attackers to Escalate Privileges and Trigger DoS Attacks

Security researchers at Microsoft have uncovered five critical vulnerabilities in Paragon Partition Manager’s BioNTdrv.sys driver, versions prior to 2.0.0.

These flaws, identified as CVE-2025-0285 through CVE-2025-0289, allow attackers with local access to escalate privileges to SYSTEM level or cause denial-of-service (DoS) scenarios on affected systems.

The vulnerabilities include arbitrary kernel memory mapping and write issues, a null pointer dereference, insecure kernel resource access, and an arbitrary memory move vulnerability.

Notably, CVE-2025-0289, affecting version 17 of the software, has been observed being actively exploited by ransomware groups in the wild.

Exploitation Techniques and Implications

What makes these vulnerabilities particularly concerning is their potential for exploitation through the “Bring Your Own Vulnerable Driver” (BYOVD) technique.

According to the researchers, this method allows attackers to leverage the Microsoft-signed driver to compromise systems even if Paragon Partition Manager is not installed on the target machine.

The BYOVD approach has gained popularity among cybercriminals, including ransomware gangs such as Scattered Spider, Lazarus, BlackByte, and LockBit.

By dropping the vulnerable kernel driver on a targeted system, attackers can elevate privileges and bypass security protections, making it an attractive vector for sophisticated attacks.

Mitigation and Vendor Response

Paragon Software has addressed these vulnerabilities by releasing an updated driver, BioNTdrv.sys version 2.0.0, for all products in their Hard Disk Manager family, including Partition Manager version 17.45.0 and newer.

The company has also made available a standalone security patch for 64-bit versions of Windows 10, Windows 11, and Windows Server 2016/2019/2022/2025.

Microsoft has taken steps to protect users by updating its Vulnerable Driver Blocklist to prevent the loading of affected BioNTdrv.sys versions in Windows.

Users and organizations are strongly advised to verify that this protection system is active on their devices.

As these vulnerabilities continue to pose a significant threat, particularly in the context of ransomware attacks, it is crucial for users of Paragon Partition Manager and related products to update their software immediately.

Additionally, all Windows users should ensure that the Microsoft Vulnerable Driver Blocklist feature is enabled to mitigate potential BYOVD attacks leveraging this and other vulnerable drivers.
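The two checks the article recommends, verifying that the Microsoft Vulnerable Driver Blocklist is active and that any registered BioNTdrv.sys is at least version 2.0.0, as an added PowerShell example that is not from the article or from Paragon Software. It assumes the documented registry value VulnerableDriverBlocklistEnable under HKLM\SYSTEM\CurrentControlSet\Control\CI\Config is the blocklist toggle and that a patched driver reports a file version of 2.0.0 or newer.

```powershell
# Added defender check, not code from the article or from Paragon Software.
# Assumptions: the registry value below is the documented toggle for the
# Microsoft Vulnerable Driver Blocklist, and a patched BioNTdrv.sys reports
# file version 2.0.0 or newer, as the vendor states.
$fixedVersion = [version]'2.0.0'

# 1. Microsoft Vulnerable Driver Blocklist toggle (DWORD 1 = enabled).
$ciConfig  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$blocklist = (Get-ItemProperty -Path $ciConfig -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
if ($blocklist -eq 1) { 'Vulnerable Driver Blocklist: enabled' }
else                  { 'Vulnerable Driver Blocklist: NOT enabled (value missing or 0)' }

# 2. HVCI (memory integrity) status; SecurityServicesRunning contains 2 when HVCI is active.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if ($dg -and ($dg.SecurityServicesRunning -contains 2)) { 'HVCI: running' } else { 'HVCI: not running' }

# 3. Any BioNTdrv.sys registered as a kernel driver service, and its file version.
#    A driver has to be registered as a service to be loaded, so this also
#    covers copies placed outside the Paragon install directory.
$hits = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -match 'BioNTdrv\.sys' }
if (-not $hits) { 'BioNTdrv.sys: no driver service registered' }
foreach ($drv in $hits) {
    $path = $drv.PathName -replace '^\\\?\?\\', ''          # strip NT-style \??\ prefix
    if (-not [System.IO.Path]::IsPathRooted($path)) {       # e.g. system32\drivers\...
        $path = Join-Path $env:SystemRoot $path
    }
    $vi = (Get-Item -LiteralPath $path -ErrorAction SilentlyContinue).VersionInfo
    if (-not $vi) { "BioNTdrv.sys ($($drv.Name)): file not found at $path"; continue }
    $ver    = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    $status = if ($ver -lt $fixedVersion) { 'VULNERABLE (< 2.0.0)' } else { 'patched' }
    "BioNTdrv.sys ($($drv.Name)): $path version $ver state=$($drv.State) -> $status"
}
```

Run it from an elevated PowerShell session, since the DeviceGuard CIM class and the CI registry key may not be readable otherwise; a host where the blocklist is enabled and HVCI is running blocks the affected driver versions even if Paragon Partition Manager is not installed.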
