Microsoft reports active exploitation of Paragon Partition Manager flaws by ransomware gangs
Take action: For all Windows users, first verify that Microsoft's Vulnerable Driver Blocklist is enabled on your systems (Settings → Privacy & security → Windows Security → Device security → Core isolation → Microsoft Vulnerable Driver Blocklist). Then, if you use Paragon Partition Manager or Paragon Hard Disk Manager (which ships the same driver), update it immediately, because Microsoft is now blocking the old driver versions and the software will stop working until it is updated.
Learn More
Microsoft has discovered five critical vulnerabilities in Paragon Partition Manager's BioNTdrv.sys driver, with evidence that ransomware groups are actively exploiting one flaw (CVE-2025-0289) in zero-day attacks to elevate privileges to SYSTEM level on Windows systems.
The exploitation uses a technique known as "Bring Your Own Vulnerable Driver" (BYOVD): the attacker brings a legitimately signed but vulnerable kernel driver onto the target, loads it, and then exploits it to run code in the kernel and bypass security protections.
Five vulnerabilities were identified by Microsoft (no CVSS scores have been calculated for any of them):
- CVE-2025-0288: Arbitrary kernel memory write caused by improper handling of the 'memmove' function, allowing attackers to write to kernel memory and escalate privileges.
- CVE-2025-0287: Null pointer dereference from missing validation of a 'MasterLrp' structure in the input buffer, enabling arbitrary kernel code execution.
- CVE-2025-0286: Arbitrary kernel memory write due to improper validation of user-supplied data lengths, permitting arbitrary code execution.
- CVE-2025-0285: Arbitrary kernel memory mapping from failure to validate user-supplied data, enabling privilege escalation through kernel memory manipulation.
- CVE-2025-0289 (actively exploited): Insecure kernel resource access caused by failure to validate the 'MappedSystemVa' pointer before passing it to 'HalReturnToFirmware', potentially compromising system resources.
The first four vulnerabilities affect Paragon Partition Manager versions 7.9.1 and earlier, while CVE-2025-0289 (the actively exploited flaw) impacts version 17 and older.
An attacker with local access to a device can exploit these vulnerabilities to escalate privileges or cause a denial of service (DoS) on the victim's machine. Because BioNTdrv.sys is a Microsoft-signed driver, an attacker can also carry a vulnerable copy with them and load it on the target (BYOVD), so the attack works even on systems where Paragon Partition Manager was never installed and is not limited to Paragon customers.
Microsoft has confirmed that ransomware groups are actively exploiting CVE-2025-0289 in the wild, but has not disclosed which specific ransomware gangs are involved. Previous BYOVD attacks have been attributed to threat actors including Scattered Spider, Lazarus, BlackByte ransomware, and LockBit ransomware.
Users and organizations should take the following actions:
- Upgrade to the latest version of Paragon Partition Manager with BioNTdrv.sys version 2.0.0
- Verify that Microsoft's Vulnerable Driver Blocklist is enabled (Settings → Privacy & security → Windows Security → Device security → Core isolation → Microsoft Vulnerable Driver Blocklist)
- Update Paragon Hard Disk Manager, which uses the same driver
Paragon Software has warned that users must upgrade Paragon Hard Disk Manager immediately, as Microsoft has begun blocking the vulnerable driver versions.
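The following PowerShell script is an added example for checking the items above at scale; it is not code from the advisory, from Microsoft, or from Paragon. It reports whether the Vulnerable Driver Blocklist and HVCI are active, whether a BioNTdrv.sys is registered as a kernel driver, and whether any copy on disk is older than the fixed 2.0.0 release. The registry value name, the DeviceGuard WMI class, and the search roots are assumptions documented in the comments; the page itself only gives the Settings path.

```powershell
# Added example (not from the advisory): audit a Windows host for the
# Paragon BioNTdrv.sys BYOVD exposure described above.
# Assumptions not stated on the page:
#   - the Settings toggle "Microsoft Vulnerable Driver Blocklist" is backed by
#     HKLM\SYSTEM\CurrentControlSet\Control\CI\Config\VulnerableDriverBlocklistEnable
#   - HVCI status is exposed via the Win32_DeviceGuard WMI class
#   - a dropped driver keeps the file name BioNTdrv.sys (an attacker may rename it)
#Requires -RunAsAdministrator

$RegPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$FixedVer = [version]'2.0.0'   # BioNTdrv.sys version the advisory says to upgrade to

function Test-VulnerableDriverBlocklist {
    # 1 = enabled, 0 = disabled. A missing value means the build default applies,
    # so report that explicitly instead of guessing.
    $item = Get-ItemProperty -Path $RegPath -Name 'VulnerableDriverBlocklistEnable' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotSet (build default)' }
    if ($item.VulnerableDriverBlocklistEnable -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Get-HvciStatus {
    # SecurityServicesRunning contains 2 when HVCI (memory integrity) is running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if ($null -eq $dg) { return 'Unknown' }
    if ($dg.SecurityServicesRunning -contains 2) { return 'Running' }
    return 'NotRunning'
}

function Get-LoadedBioNTdrv {
    # Kernel drivers registered as services; a loaded pre-2.0.0 copy is the urgent case.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -match 'BioNTdrv\.sys' } |
        Select-Object Name, State, StartMode, PathName
}

function Find-BioNTdrv {
    # A BYOVD attacker can drop the driver anywhere, so look beyond System32\drivers.
    # Search roots are an assumption; add others (e.g. user profiles) as needed.
    param([string[]]$Roots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:TEMP))

    $files = foreach ($root in $Roots | Where-Object { $_ -and (Test-Path $_) }) {
        Get-ChildItem -Path $root -Filter 'BioNTdrv.sys' -Recurse -File -ErrorAction SilentlyContinue
    }
    foreach ($f in $files) {
        $ver = $null
        try { $ver = [version]$f.VersionInfo.FileVersion } catch { }   # non-numeric strings leave $ver null
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        [pscustomobject]@{
            Path       = $f.FullName
            Version    = $f.VersionInfo.FileVersion
            Vulnerable = if ($ver) { $ver -lt $FixedVer } else { 'Unknown' }
            SigStatus  = $sig.Status
            Signer     = $sig.SignerCertificate.Subject
        }
    }
}

"Vulnerable Driver Blocklist : $(Test-VulnerableDriverBlocklist)"
"HVCI (memory integrity)     : $(Get-HvciStatus)"
"--- BioNTdrv.sys registered as a kernel driver ---"
Get-LoadedBioNTdrv | Format-Table -AutoSize
"--- BioNTdrv.sys copies on disk ---"
Find-BioNTdrv | Format-Table -AutoSize
```

Treat any row with Vulnerable = True as actionable: if the path is under a Paragon install directory, update the product; if it is anywhere else (a temp folder, a user profile, an unrelated service path) and the blocklist is not enabled, assume a BYOVD drop and start incident response on that host. Enabling the blocklist stops the old driver from loading, which is also why Paragon warns that unpatched installs will break.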