CVE-2025-0285
BioNTdrv.sys — arbitrary kernel memory mapping allows elevation of privilege
Summary
| Field | Value |
|---|---|
| Driver | BioNTdrv.sys (Paragon Partition Manager) |
| Vulnerability Class | Arbitrary Memory Mapping |
| Exploited ITW | No |
| Vendor | Paragon Software |
Root Cause
The Paragon Partition Manager driver exposes an IOCTL that maps arbitrary kernel memory into user mode without validating the request. Any user-mode process can open the device and request such mappings, so no administrative privilege is needed to reach the vulnerable code path. This is one of five vulnerabilities in BioNTdrv.sys (alongside CVE-2025-0286, CVE-2025-0287, CVE-2025-0288, CVE-2025-0289).
Exploitation
A local, unprivileged attacker opens the BioNTdrv device and sends the memory-mapping IOCTL to map arbitrary kernel memory into their own address space. Direct kernel memory read/write from user mode amounts to full kernel compromise, and from there to SYSTEM privileges.
Exploitation Primitive
Open device handle → memory mapping IOCTL → arbitrary kernel memory R/W → SYSTEM
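Because the attack requires only that the signed driver be present and loadable, the practical defences are to find hosts where BioNTdrv.sys is installed or running and to confirm that the Microsoft Vulnerable Driver Blocklist is enforced. The following triage script is added here as an illustration; it is not part of the advisory or of Paragon's software. It assumes an elevated Windows PowerShell 5.1+ session, relies only on built-in cmdlets, and uses the registry value `VulnerableDriverBlocklistEnable` under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Config`, which is the documented switch for the blocklist. The file hash and signer it prints are for comparison against the vendor's fixed build; the advisory itself lists no hashes.

```powershell
# Added defender triage script (not from the advisory): locate BioNTdrv.sys, report its
# state and file identity, and check whether the Vulnerable Driver Blocklist is enforced.
# Assumes an elevated Windows PowerShell 5.1+ prompt.

$driverName = 'BioNTdrv'   # from the advisory; the .sys extension is matched loosely

# 1. Is the driver registered as a kernel service, and is it currently loaded?
$matches = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.Name -like "*$driverName*" -or $_.PathName -like "*$driverName*" }

if ($matches) {
    foreach ($d in $matches) {
        # PathName is usually prefixed with \??\ or \SystemRoot\; normalise for Get-Item.
        $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        $info = [ordered]@{
            Name      = $d.Name
            State     = $d.State       # 'Running' means the IOCTL surface is reachable now
            StartMode = $d.StartMode
            Path      = $path
        }
        if (Test-Path -LiteralPath $path) {
            $info.FileVersion = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
            $info.SHA256      = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $info.Signer      = (Get-AuthenticodeSignature -LiteralPath $path).SignerCertificate.Subject
        }
        [pscustomobject]$info
    }
} else {
    Write-Output "$driverName is not registered as a kernel service on this host."
}

# 2. Is the Microsoft Vulnerable Driver Blocklist enforced?
#    VulnerableDriverBlocklistEnable = 1 turns the blocklist on independently of HVCI.
$ciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$blocklist = (Get-ItemProperty -Path $ciKey -Name VulnerableDriverBlocklistEnable `
              -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
switch ($blocklist) {
    1       { 'Vulnerable Driver Blocklist: enabled' }
    0       { 'Vulnerable Driver Blocklist: explicitly disabled' }
    default { 'Vulnerable Driver Blocklist: value not set (enforcement then depends on HVCI / Smart App Control)' }
}

# 3. Recent Code Integrity events that mention the driver; a blocked load attempt lands here.
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $driverName } |
    Select-Object TimeCreated, Id, Message
```

Run it across the fleet through your usual remote-execution tooling and treat any host where the driver is `Running` and the blocklist is not enabled as exposed: the driver's presence alone is enough for the primitive described above, so the fix is to update or remove the driver and turn the blocklist on rather than to hunt for a specific attacker process.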