Microsoft-Signed Driver Exploited in Ransomware Attacks

Hackers Leverage Privilege Escalation Flaw in Paragon Partition Manager

A zero-day vulnerability in a Microsoft-signed driver from Paragon Software is being actively exploited in ransomware attacks, according to a recent security advisory from CERT Coordination Center (CERT/CC).

Researchers discovered five vulnerabilities in the BioNTdrv.sys driver used by Paragon Partition Manager, a tool for managing hard drive partitions. One of these flaws has been exploited in "bring your own vulnerable driver" (BYOVD) attacks, a technique in which an attacker who already holds administrative rights on a machine loads a legitimately signed but vulnerable driver in order to gain kernel-level access, typically to escalate to SYSTEM and disable security tooling. Because the driver carries a valid Microsoft signature, Windows loads it without complaint unless it is explicitly blocklisted.

Critical Vulnerability Enables Privilege Escalation

The most concerning flaw, tracked as CVE-2025-0289, allows insecure access to kernel resources, enabling attackers to escalate privileges or launch denial-of-service (DoS) attacks. Notably, a target does not need to have Paragon Partition Manager installed: because BioNTdrv.sys is Microsoft-signed, an attacker with local administrative access can bring the vulnerable driver along and load it themselves, which is exactly the BYOVD pattern.

“Microsoft has observed threat actors exploiting this weakness in BYOVD ransomware attacks, specifically using CVE-2025-0289 to achieve SYSTEM-level privilege escalation and execute further malicious code,” CERT/CC stated.

Both Paragon Software and Microsoft have taken action, with Paragon releasing a patched version of the driver and Microsoft blocking vulnerable versions via its Vulnerable Driver Blocklist.

Additional Vulnerabilities Identified

In addition to CVE-2025-0289, four other security flaws were found in the BioNTdrv.sys driver:

  • CVE-2025-0288 – Arbitrary kernel memory write vulnerability enabling privilege escalation.
  • CVE-2025-0287 – Null pointer dereference vulnerability allowing privilege escalation.
  • CVE-2025-0286 – Arbitrary kernel memory write flaw enabling arbitrary code execution.
  • CVE-2025-0285 – Arbitrary kernel memory mapping vulnerability leading to privilege escalation.

Microsoft was credited with discovering all five vulnerabilities.

Unidentified Ransomware Variant and Vendor Response

It remains unclear which ransomware variant has been using this exploit, and Microsoft has declined to provide further details on the ongoing attacks.

Meanwhile, Paragon acknowledged the security risks and released a driver update on Friday. However, their security advisory did not reference any CVEs or mention active exploitation, simply urging users to update their drivers to align with Microsoft’s security guidelines.

Mitigation and Recommendations

Users and organizations are strongly advised to update their Paragon drivers immediately and to ensure Microsoft's Vulnerable Driver Blocklist is enforced so that the vulnerable versions cannot be loaded even if an attacker brings them along. The blocklist is applied automatically when hypervisor-protected code integrity (HVCI, "memory integrity") is running; on systems where HVCI is off, it has to be switched on explicitly. Given the increasing use of BYOVD attacks in ransomware campaigns, security teams should also monitor driver loads for unexpected images (a BYOVD loader typically registers a kernel service and drops the driver outside the usual System32\drivers location) and keep local administrator rights to a minimum, since loading a driver requires them in the first place.
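The following triage script is an added example, not code from CERT/CC, Microsoft or Paragon. It checks a single Windows host for the points above: whether a BioNTdrv service is registered or the file is present anywhere on the system drive, what version and signer the file carries, whether the Vulnerable Driver Blocklist is actually enforced (via HVCI or the VulnerableDriverBlocklistEnable registry value Microsoft documents for enabling it without HVCI), and whether Sysmon has recorded the driver being loaded (Sysmon Event ID 6, "Driver loaded"). The driver name BioNTdrv is taken from the advisory; the assumption that a BYOVD loader registers it under the same service name is mine, which is why the file-system sweep is included as a second check.

```powershell
# Added example: triage a Windows host for Paragon's BioNTdrv.sys and check
# that Microsoft's Vulnerable Driver Blocklist is enforced. Run elevated.
# Not vendor code; service/file name is assumed to match the advisory.

$DriverName = 'BioNTdrv'   # driver/service name from the CERT/CC advisory

# 1. Is the driver registered as a kernel service, and is it running?
#    BYOVD tooling has to register the driver somehow, so check even on
#    hosts that never had Paragon Partition Manager installed.
$svc = Get-CimInstance -ClassName Win32_SystemDriver |
       Where-Object { $_.Name -like "$DriverName*" -or $_.PathName -like "*$DriverName*" }
if ($svc) {
    foreach ($d in $svc) {
        "[driver] $($d.Name) state=$($d.State) path=$($d.PathName)"
        $path = $d.PathName -replace '^\\\?\?\\', ''   # strip a leading \??\ NT prefix
        if ($path -and (Test-Path $path)) {
            $ver = (Get-Item $path).VersionInfo.FileVersion
            $sig = Get-AuthenticodeSignature -FilePath $path
            "  version=$ver signer=$($sig.SignerCertificate.Subject) sigstatus=$($sig.Status)"
        }
    }
} else {
    "[driver] no $DriverName service registered"
}

# 2. Sweep the system drive for copies of the file. Loaders often drop the
#    driver in a temp or user directory rather than System32\drivers.
Get-ChildItem -Path "$env:SystemDrive\" -Filter "$DriverName.sys" -Recurse -File `
              -ErrorAction SilentlyContinue |
    ForEach-Object { "[file] $($_.FullName) version=$($_.VersionInfo.FileVersion)" }

# 3. Is the Vulnerable Driver Blocklist enforced?
#    It is active when HVCI is running (SecurityServicesRunning contains 2).
#    Without HVCI, the documented switch is the registry value
#    HKLM\SYSTEM\CurrentControlSet\Control\CI\Config\VulnerableDriverBlocklistEnable = 1.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$hvciRunning = @($dg.SecurityServicesRunning) -contains 2
$ciConfig = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' `
                             -ErrorAction SilentlyContinue
$blocklistReg = $ciConfig.VulnerableDriverBlocklistEnable
"[blocklist] HVCI running: $hvciRunning; VulnerableDriverBlocklistEnable=$blocklistReg"
if (-not $hvciRunning -and $blocklistReg -ne 1) {
    "[blocklist] NOT enforced: enable memory integrity, or set VulnerableDriverBlocklistEnable (DWORD) to 1 and reboot"
}

# 4. Has the driver been loaded? Sysmon Event ID 6 records ImageLoaded, Hashes
#    and Signature for every driver load (requires Sysmon with driver-load logging).
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6 } `
                       -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -match $DriverName }
foreach ($e in $events) {
    $fields = ($e.Message -split "`n" | Select-String -Pattern 'ImageLoaded|Hashes|Signature') -join ' '
    "[sysmon6] $($e.TimeCreated) $fields"
}
```

Compare the reported FileVersion against the driver shipped in Paragon's update; a valid Microsoft signature on its own tells you nothing here, since the exploited versions are signed too. A registered service or a Sysmon driver-load event for BioNTdrv.sys on a host with no Paragon install is the signal to treat as a BYOVD indicator, and the blocklist check should be rolled out fleet-wide rather than run on one machine.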