Threat actors have been exploiting a security vulnerability in Paragon Partition Manager's BioNTdrv.sys driver in ransomware attacks to escalate privileges and execute arbitrary code.
The zero-day flaw (CVE-2025-0289) is part of a set of five vulnerabilities that was discovered by Microsoft, according to the CERT Coordination Center (CERT/CC).
"These include arbitrary kernel memory mapping and write vulnerabilities, a null pointer dereference, insecure kernel resource access, and an arbitrary memory move vulnerability," CERT/CC said.
In a hypothetical attack scenario, an adversary with local access to a Windows machine can exploit these shortcomings to escalate privileges or cause a denial-of-service (DoS) condition by taking advantage of the fact that "BioNTdrv.sys" is signed by Microsoft.
This could also pave the way for what's called a Bring Your Own Vulnerable Driver (BYOVD) attack on systems where the driver isn't installed, thereby allowing the threat actors to obtain elevated privileges and execute malicious code.
The list of vulnerabilities, which impact BioNTdrv.sys versions 1.3.0 and 1.5.1, is as follows –
- CVE-2025-0285 – An arbitrary kernel memory mapping vulnerability in version 7.9.1 caused by a failure to validate user-supplied data lengths. Attackers can exploit this flaw to escalate privileges.
- CVE-2025-0286 – An arbitrary kernel memory write vulnerability in version 7.9.1 due to improper validation of user-supplied data lengths. This flaw can allow attackers to execute arbitrary code on the victim's machine.
- CVE-2025-0287 – A null pointer dereference vulnerability in version 7.9.1 caused by the absence of a valid MasterLrp structure in the input buffer. This allows an attacker to execute arbitrary kernel code, enabling privilege escalation.
- CVE-2025-0288 – An arbitrary kernel memory vulnerability in version 7.9.1 caused by the memmove function, which fails to sanitize user-controlled input. This allows an attacker to write arbitrary kernel memory and achieve privilege escalation.
- CVE-2025-0289 – An insecure kernel resource access vulnerability in version 17 caused by a failure to validate the MappedSystemVa pointer before passing it to HalReturnToFirmware. This allows attackers to compromise the affected service.
The vulnerabilities have since been addressed by Paragon Software with version 2.0.0 of the driver, with the vulnerable version of the driver added to Microsoft's driver blocklist.
The development comes days after Check Point revealed details of a large-scale malware campaign that leveraged another vulnerable Windows driver associated with Adlice's product suite ("truesight.sys") to bypass detection and deploy the Gh0st RAT malware.