
Ransomware gangs are using the BioNTdrv.sys driver of Paragon Partition Manager to escalate privileges even on systems without the software. Windows is now blocking the vulnerable driver, and Paragon urges users to update software to the latest version.
Microsoft has added Paragon Partition Manager's BioNTdrv.sys driver, in versions prior to 2.0, to its Vulnerable Driver Blocklist. However, this security feature is not enabled by default on all systems. The software must be updated to continue to work.
The driver was found to contain five zero-day vulnerabilities that enable attackers with local access to a computer to escalate privileges or cause a denial-of-service (DoS) scenario. The flaws affect a wide range of Paragon’s software, including Hard Disk Manager, Partition Manager, Backup & Recovery (versions 15-17), Drive Copy, Disk Wiper, and Migrate OS to SSD.
Paragon develops widely used software for managing computer storage drives.
The affected driver was Microsoft-signed, which allowed attackers to leverage it in Bring Your Own Vulnerable Driver (BYOVD) attacks to exploit systems even if the Partition Manager was not installed.
“Microsoft has observed threat actors exploiting this weakness in BYOVD ransomware attacks,” the CERT/CC, operated by Carnegie Mellon University, said in a vulnerability note.
For hackers, the most valuable flaw is an insecure kernel resource access vulnerability in the latest software versions, labeled CVE-2025-0289. This flaw allows attackers to compromise the affected service. It is caused by a failure to validate a certain pointer called MappedSystemVa before using it to make a call to the firmware.
The other four flaws enable attackers to write arbitrary kernel memory, execute arbitrary kernel code, and achieve privilege escalation.
Paragon Software has updated Partition Manager and released a new driver, BioNTdrv.sys version 2.0.0, which addresses the flaws.
The software without a new driver has stopped working and needs to be updated “in order to comply with changed Microsoft security guidelines and to exclude any security risk related to the presence of the old driver version,” Paragon said.
A fixed version (2.0.0) of the BioNTdrv.sys driver is included in the new program updates (17.45.0) of all current editions of Paragon Hard Disk Manager 17.
However, some older systems won’t accept the new driver.
“The fixed version of the BioNTdrv.sys driver cannot be installed under Windows 7-8.1 resp. Windows Server 2008 R2-2012 due to Microsoft's driver signature policy. (But these OS aren't safe anyway.)” Paragon noted.
Windows 11 has the Vulnerable Driver Blocklist enabled by default, and users should be protected from potential exploitation. However, Paragon urges them to “Improve Windows 11 security by downloading Security Update.”
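The two checks the article points at, whether the Vulnerable Driver Blocklist is on and whether a pre-2.0.0 BioNTdrv.sys is present, as an added PowerShell example that is not Paragon's or Microsoft's code. It assumes the blocklist toggle is the registry value Microsoft documents for it (VulnerableDriverBlocklistEnable under CI\Config) and treats any file version below 2.0.0 as the vulnerable range named above; BYOVD drops need not use the default drivers folder, so registered kernel services are inventoried as well.

```powershell
# Added defender-side check (not Paragon's or Microsoft's code).
# Assumptions: the blocklist toggle is the documented registry value below,
# and any BioNTdrv.sys with a file version < 2.0.0 is in the vulnerable range.

$FixedVersion = [version]'2.0.0'

function Get-VulnerableDriverBlocklistState {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $item = Get-ItemProperty -Path $key -Name 'VulnerableDriverBlocklistEnable' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }   # value absent: build default applies
    if ($item.VulnerableDriverBlocklistEnable -eq 1) { 'Enabled' } else { 'Disabled' }
}

function Get-BioNTdrvInstances {
    # Kernel services that reference the driver, wherever the .sys was dropped,
    # plus the default drivers folder in case the file is present but not registered.
    $paths = @(Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.PathName -match 'BioNTdrv\.sys' } |
        ForEach-Object { $_.PathName -replace '^\\\?\?\\', '' })   # strip the \??\ prefix
    $paths += Join-Path $env:SystemRoot 'System32\drivers\BioNTdrv.sys'
    foreach ($p in ($paths | Sort-Object -Unique)) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $raw = (Get-Item -LiteralPath $p).VersionInfo.FileVersion
        $ver = $null
        try { $ver = [version]($raw -replace '[^\d.].*$', '') } catch { }   # tolerate trailing text
        [pscustomobject]@{
            Path       = $p
            Version    = $raw
            # Unknown or unparsable version is treated as vulnerable, not as safe.
            Vulnerable = ($null -eq $ver) -or ($ver -lt $FixedVersion)
            Signer     = (Get-AuthenticodeSignature -LiteralPath $p).SignerCertificate.Subject
        }
    }
}

$blocklist = Get-VulnerableDriverBlocklistState
$found     = @(Get-BioNTdrvInstances)
"Vulnerable Driver Blocklist: $blocklist"
if ($found.Count -eq 0) { 'BioNTdrv.sys not present on this host.' }
else { $found | Format-Table -AutoSize }
if (($found | Where-Object Vulnerable) -and $blocklist -ne 'Enabled') {
    Write-Warning 'Pre-2.0.0 BioNTdrv.sys present and the blocklist is not enabled: update Paragon software and enable the blocklist.'
}
```

Run it in an elevated PowerShell session; a driver that is registered as a service but whose file is missing is skipped, so also review the Win32_SystemDriver output if the service list itself is of interest.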