VU#726882: Paragon Partition Manager contains five memory vulnerabilities within its BioNTdrv.sys driver that allow for privilege escalation and denial-of-service (DoS) attacks
Paragon Partition Manager's BioNTdrv.sys driver, versions prior to 2.0.0, contains five vulnerabilities that can be exploited by attackers with local access to a device to escalate privileges or cause a denial-of-service scenario. The vulnerabilities include arbitrary kernel memory mapping and write vulnerabilities, a null pointer dereference, insecure kernel resource access, and an arbitrary memory move vulnerability. These vulnerabilities can be exploited even if Paragon Partition Manager is not installed, using the Bring Your Own Vulnerable Driver technique. Microsoft has observed threat actors exploiting these vulnerabilities in BYOVD ransomware attacks, specifically using CVE-2025-0289 to achieve privilege escalation to SYSTEM level. The vulnerabilities have been patched by Paragon Software and vulnerable BioNTdrv.sys versions have been blocked by Microsoft's Vulnerable Driver Blocklist. Paragon Partition Manager is a software tool that allows users to manage partitions on a hard drive, and the driver allows for low-level access to the hard drive with elevated privileges. The identified vulnerabilities are CVE-2025-0288, CVE-2025-0287, CVE-2025-0286, CVE-2025-0285, and CVE-2025-0289, which can allow attackers to execute arbitrary kernel code, write arbitrary kernel memory, and escalate privileges. To mitigate these vulnerabilities, users should update their Paragon Partition Manager installation to the latest version and ensure that the Vulnerable Driver Blocklist is enabled. Enterprise organizations should also ensure the blocklist is applied for their user base to prevent potential loading of the vulnerable driver.