Hackers Exploit Paragon Partition Manager Driver Vulnerability in Ransomware Attacks

Threat actors have been exploiting a security vulnerability in Paragon Partition Manager's BioNTdrv.sys driver in ransomware attacks to escalate privileges and execute arbitrary code.

The zero-day flaw (CVE-2025-0289) is one of a set of five vulnerabilities discovered by Microsoft, according to the CERT Coordination Center (CERT/CC).

"These include arbitrary kernel memory mapping and write vulnerabilities, a null pointer dereference, insecure kernel resource access, and an arbitrary memory move vulnerability," CERT/CC said.

In a hypothetical attack scenario, an adversary with local access to a Windows machine can exploit these shortcomings to escalate privileges or cause a denial-of-service (DoS) condition. Because BioNTdrv.sys carries a Microsoft signature, Windows loads it without complaint, so the attacker needs no unsigned code in the kernel.

This could also pave the way for a Bring Your Own Vulnerable Driver (BYOVD) attack on systems where the driver is not installed: the threat actor ships the signed, vulnerable driver along with the malware, loads it, and uses its flaws to obtain elevated privileges and execute malicious code.

The list of vulnerabilities, which affect BioNTdrv.sys versions 1.3.0 and 1.5.1, is as follows –

  • CVE-2025-0285 – An arbitrary kernel memory mapping vulnerability in version 7.9.1 caused by a failure to validate user-supplied data lengths. Attackers can exploit this flaw to escalate privileges.
  • CVE-2025-0286 – An arbitrary kernel memory write vulnerability in version 7.9.1 due to improper validation of user-supplied data lengths. This flaw can allow attackers to execute arbitrary code on the victim's machine.
  • CVE-2025-0287 – A null pointer dereference vulnerability in version 7.9.1 caused by the absence of a valid MasterLrp structure in the input buffer. This allows an attacker to execute arbitrary kernel code, enabling privilege escalation.
  • CVE-2025-0288 – An arbitrary kernel memory vulnerability in version 7.9.1 caused by the memmove function, which fails to sanitize user-controlled input. This allows an attacker to write arbitrary kernel memory and achieve privilege escalation.
  • CVE-2025-0289 – An insecure kernel resource access vulnerability in version 17 caused by a failure to validate the MappedSystemVa pointer before passing it to HalReturnToFirmware. This allows attackers to compromise the affected service.
The vulnerabilities have since been addressed by Paragon Software with version 2.0.0 of the driver, and the vulnerable driver versions have been added to Microsoft's vulnerable driver blocklist. Removing or updating an installed copy closes the local privilege-escalation path; the blocklist (enforced when HVCI or the Windows Security "Microsoft Vulnerable Driver Blocklist" setting is on) is what stops an attacker from bringing an old copy back in a BYOVD attack.
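The following PowerShell script is an added example for auditing a host against what this article describes; it is not code from Paragon, Microsoft or CERT/CC. It enumerates registered kernel driver services backed by BioNTdrv.sys (wherever the binary sits, since a BYOVD drop need not live under System32\drivers), also looks for unregistered copies in the standard driver directory, reports each file's version and Authenticode signer, flags the 1.3.0 and 1.5.1 versions the article names and, more generally, anything older than the fixed 2.0.0 release, and reads the registry value that the Windows Security blocklist toggle controls. Assumptions: the driver's FileVersion resource carries the version strings the advisory uses, and the blocklist state is the VulnerableDriverBlocklistEnable DWORD under HKLM\SYSTEM\CurrentControlSet\Control\CI\Config (1 = enabled). Run it from an elevated session.

```powershell
# Added example, not Paragon's, Microsoft's or CERT/CC's code.
# Audit a Windows host for BioNTdrv.sys and the vulnerable-driver blocklist setting.

$AffectedVersions = @('1.3.0', '1.5.1')   # driver versions the advisory lists as affected
$FixedVersion     = [version]'2.0.0'      # first driver version Paragon reports as fixed

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver.PathName comes back as '\??\C:\...', 'C:\...' or
    # 'system32\DRIVERS\x.sys'; turn all three forms into an absolute path.
    $p = $PathName -replace '^\\\?\?\\', ''
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-BioNTdrvStatus {
    # Registered kernel driver services whose binary is BioNTdrv.sys, wherever it lives.
    $services = @(Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.PathName -match 'biontdrv\.sys$' })

    # Unregistered copies left in the standard driver directory.
    $loose = @(Get-ChildItem "$env:SystemRoot\System32\drivers" -Filter 'BioNTdrv.sys' `
        -ErrorAction SilentlyContinue | ForEach-Object FullName)

    $paths = (@($services | ForEach-Object { Resolve-DriverPath $_.PathName }) + $loose) |
        Where-Object { $_ -and (Test-Path $_) } | Select-Object -Unique

    foreach ($file in $paths) {
        # Assumption: the FileVersion resource carries the advisory's major.minor.build string.
        $vi  = (Get-Item $file).VersionInfo
        $ver = [version]('{0}.{1}.{2}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart)
        $sig = Get-AuthenticodeSignature $file
        $svc = $services | Where-Object { (Resolve-DriverPath $_.PathName) -eq $file } |
            Select-Object -First 1

        [pscustomobject]@{
            Path        = $file
            FileVersion = $ver.ToString()
            Listed      = $AffectedVersions -contains $ver.ToString()  # exactly the advisory's versions
            BelowFix    = $ver -lt $FixedVersion                         # any build older than 2.0.0
            Signer      = $sig.SignerCertificate.Subject
            SigStatus   = $sig.Status
            ServiceName = if ($svc) { $svc.Name }  else { '(not registered)' }
            State       = if ($svc) { $svc.State } else { 'n/a' }
        }
    }
}

function Get-VulnerableDriverBlocklistState {
    # Assumption: the Windows Security "Microsoft Vulnerable Driver Blocklist" toggle
    # writes this DWORD; 1 = enabled, 0 = disabled, absent = OS default applies.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $v = (Get-ItemProperty -Path $key -Name VulnerableDriverBlocklistEnable `
        -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    switch ($v) { 1 { 'enabled' } 0 { 'disabled' } default { 'not set (OS default)' } }
}

$status = @(Get-BioNTdrvStatus)
if ($status.Count -eq 0) {
    Write-Host 'BioNTdrv.sys is neither registered as a driver nor present in System32\drivers.'
} else {
    $status | Format-Table -AutoSize
}
Write-Host ('Microsoft Vulnerable Driver Blocklist: {0}' -f (Get-VulnerableDriverBlocklistState))
```

A host where the driver is absent is not clear: in a BYOVD scenario the attacker brings the driver with them, so the blocklist line is the one that matters there. A running service backed by a file with Listed or BelowFix set to True should be treated as an active privilege-escalation path until the driver is updated to 2.0.0 or removed.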

The development comes days after Check Point revealed details of a large-scale malware campaign that leveraged another vulnerable Windows driver associated with Adlice's product suite ("truesight.sys") to bypass detection and deploy the Gh0st RAT malware.
