Microsoft had discovered five Paragon Partition Manager BioNTdrv.sys driver flaws, with one used by ransomware gangs in zero-day attacks to gain SYSTEM privileges in Windows.
The vulnerable drivers were exploited in 'Bring Your Own Vulnerable Driver' (BYOVD) attacks where threat actors drop the kernel driver on a targeted system to elevate privileges.
"An attacker with local access to a device can exploit these vulnerabilities to escalate privileges or cause a denial-of-service (DoS) scenario on the victim's machine," explains a warning from CERT/CC.
"Additionally, as the attack involves a Microsoft-signed Driver, an attacker can leverage a Bring Your Own Vulnerable Driver (BYOVD) technique to exploit systems even if Paragon Partition Manager is not installed. "
As BioNTdrv.sys is a kernel-level driver, threat actors can exploit vulnerabilities to execute commands with the same privileges as the driver, bypassing protections and security software.
Microsoft researchers discovered all five flaws, noting that one of them, CVE-2025-0289, is leveraged in attacks by ransomware groups. However, the researchers did not disclose what ransomware gangs were exploiting the flaw as a zero-day.
"Microsoft has observed threat actors (TAs) exploiting this weakness in BYOVD ransomware attacks, specifically using CVE-2025-0289 to achieve privilege escalation to SYSTEM level, then execute further malicious code,"
reads the CERT/CC bulletin.
"These vulnerabilities have been patched by both Paragon Software, and vulnerable BioNTdrv.sys versions blocked by Microsoft's Vulnerable Driver Blocklist."
![[correlate]](/data/avatars/s/79/79653.jpg?1556985072){kind=avatar}
