Security vulnerability in Paragon Partition Manager driver is being abused

Attackers are abusing a vulnerability in a Paragon Partition Manager driver. Particularly dangerous: they can bring the driver with them.


Attackers are abusing a security vulnerability in the "BioNTdrv.sys" driver of Paragon's Partition Manager to gain higher privileges on the system. Paragon is responding with updated software. Since the driver carries a valid Microsoft signature, malicious actors can simply install it themselves on Windows computers without any other Paragon software being present. Microsoft has therefore updated its block list of vulnerable drivers to prevent vulnerable versions from loading.

The CERT describes the vulnerabilities in a security bulletin. The driver "BioNTdrv.sys" prior to the current version 2.0.0, in particular versions 1.3.0 and 1.5.1 shipped with Paragon's Partition Manager 7.9.1 and 17, contains a total of five vulnerabilities. The driver provides low-level access to drives with elevated privileges in the kernel context in order to read and manage data. Both the free community editions and the commercial version of the software are affected.

According to CERT, Microsoft discovered four security vulnerabilities in the "BioNTdrv.sys" shipped with Paragon Partition Manager 7.9.1 and one in the version shipped with Paragon Partition Manager 17. The vulnerabilities allow attackers to gain SYSTEM privileges, which exceed those of Administrator. Malicious actors can manipulate the driver through IOCTLs, which can result in elevated privileges or system crashes (Blue Screen of Death, BSOD). Even if the Paragon software is not installed, attackers can simply bring the driver with them to compromise a machine, a technique known as Bring Your Own Vulnerable Driver (BYOVD).


And this is exactly what Microsoft has observed, according to the announcement: in ransomware attacks, the perpetrators brought version 1.3.0 of "BioNTdrv.sys" with them to escalate their privileges on the system and execute malicious code.

The five vulnerabilities have received CVE entries, but these are not yet public. Microsoft reported four vulnerabilities in the driver of Paragon Partition Manager 7.9.1: the driver does not validate user-supplied data before a memmove call, allowing attackers to write to arbitrary kernel memory and gain elevated privileges (CVE-2025-0288). A null pointer dereference allows the execution of arbitrary kernel code, which can also be used for privilege escalation (CVE-2025-0287). An arbitrary write to kernel memory due to insufficient length checks of user-supplied data allows attackers to execute arbitrary code (CVE-2025-0286). In addition, a similar flaw in kernel memory mapping can lead to privilege escalation (CVE-2025-0285).

Only the driver in version 17 of the software potentially contains the fifth flaw: a caller-supplied "MappedSystemVa" pointer is passed to "HalReturnToFirmware" without being checked first. This allows attackers to compromise the service (CVE-2025-0289).

Paragon has released updated versions of Paragon Partition Manager that ship "BioNTdrv.sys" in the no longer vulnerable version 2.0.0. Admins, IT managers and end users who have installed the Paragon software should therefore apply the updates without delay. Under Windows 11, the block list of vulnerable drivers is active by default; under Windows 10, it must be enabled manually in the Windows security settings. Microsoft has added the driver to this list. The CERT does not say, however, whether the updated list has already been distributed with the January update preview and the February Windows updates, which explicitly contain an update of the BYOVD block lists.
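A read-only check that an administrator can run to follow up on the two points above, added here as an example and not code from the heise article, Paragon or Microsoft. It reports whether the Microsoft Vulnerable Driver Blocklist switch is set (the registry value behind the Windows Security toggle, with the Windows 11 default-on caveat from the text) and whether a "BioNTdrv.sys" older than the fixed version 2.0.0 is registered, present in the drivers directory or currently loaded. The paths and version thresholds come from the article; the driver-path normalisation and the build-number cutoff for Windows 11 are assumptions of this example.

```powershell
# Added defensive check, not code from the article, Paragon or Microsoft.
# Run from an elevated PowerShell session; it changes nothing on the system.

$FixedVersion = [version]'2.0.0'   # first non-vulnerable BioNTdrv.sys version named in the bulletin

function Get-VulnerableDriverBlocklistState {
    # Microsoft documents this DWORD as the switch behind the "Microsoft Vulnerable Driver
    # Blocklist" toggle in Windows Security. On Windows 11 the list is on by default, so an
    # absent value there is treated as enabled; on Windows 10 it has to be set to 1.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $value = (Get-ItemProperty -Path $key -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    # Assumption of this example: build 22000 and later are Windows 11.
    $isWin11 = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber -ge 22000

    [pscustomobject]@{
        RegistryValue = $value
        Windows11     = $isWin11
        Enabled       = ($value -eq 1) -or ($isWin11 -and $null -eq $value)
    }
}

function Convert-DriverPath {
    param([string]$Path)
    # Win32_SystemDriver returns paths in several forms: \??\C:\..., \SystemRoot\System32\...,
    # System32\drivers\... or a plain C:\ path. Normalise them to a real file path.
    $p = $Path -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -match '^System32\\') { $p = Join-Path $env:SystemRoot $p }
    $p
}

function Find-BioNTdrv {
    $drivers    = Get-CimInstance Win32_SystemDriver
    $candidates = @()

    # Registered driver services that point at a BioNTdrv.sys
    $candidates += $drivers | Where-Object { $_.PathName -match 'BioNTdrv\.sys$' } |
        ForEach-Object { Convert-DriverPath $_.PathName }

    # Loose copies in the drivers directory (a BYOVD attacker brings the file along)
    $candidates += Get-ChildItem -Path "$env:SystemRoot\System32\drivers" -Filter 'BioNTdrv*.sys' -Recurse -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty FullName

    foreach ($file in ($candidates | Sort-Object -Unique)) {
        $item = Get-Item -LiteralPath $file -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        # FileVersion may carry trailing text; keep only the leading dotted number
        $raw  = [regex]::Match([string]$item.VersionInfo.FileVersion, '^\d+(\.\d+)+').Value
        $ver  = if ($raw) { [version]$raw } else { $null }
        $leaf = Split-Path -Leaf $file
        $running = $drivers | Where-Object { $_.State -eq 'Running' -and $_.PathName -like "*\$leaf" }

        [pscustomobject]@{
            Path       = $file
            Version    = $ver
            Vulnerable = ($null -ne $ver -and $ver -lt $FixedVersion)
            Loaded     = [bool]$running
        }
    }
}

$blocklist = Get-VulnerableDriverBlocklistState
$findings  = @(Find-BioNTdrv)

$blocklist | Format-List
if ($findings.Count -eq 0) {
    Write-Output 'No BioNTdrv.sys found on this system.'
} else {
    $findings | Format-Table -AutoSize
    if ($findings | Where-Object { $_.Vulnerable }) {
        Write-Warning 'BioNTdrv.sys older than 2.0.0 present: update Paragon Partition Manager and make sure the blocklist is enabled.'
    }
}
```

The script deliberately looks at loose files as well as registered driver services, because in the BYOVD scenario the article describes the driver is dropped by the attacker rather than installed by Paragon's setup, so a service-only inventory can miss it. A "Loaded" result for a version below 2.0.0 on a machine without Paragon software installed is the case worth escalating.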

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.