CVE-2025-0288
BioNTdrv.sys -- arbitrary kernel memory write via memmove allows elevation of privilege
Summary
| Field | Value |
|---|---|
| Driver | BioNTdrv.sys (Paragon Partition Manager) |
| Vulnerability Class | Arbitrary Kernel Write |
| Exploited ITW | No |
| Vendor | Paragon Software |
Root Cause
The Paragon Partition Manager driver exposes an IOCTL handler that internally calls memmove to copy data within kernel memory. The problem is straightforward: the source address, destination address, and copy length all come directly from user-supplied IOCTL input, and the driver validates none of them.
This gives any process that can open the BioNTdrv device a direct arbitrary kernel memory write primitive. No heap grooming, no race conditions, no corruption of adjacent objects. The attacker simply tells the driver exactly where to write, what to write, and how much to write.
CVE-2025-0288 is one of five vulnerabilities in BioNTdrv.sys (alongside CVE-2025-0285, CVE-2025-0286, CVE-2025-0287, and CVE-2025-0289). Three of the five give arbitrary kernel writes through similar unvalidated memory operations, suggesting the driver's IOCTL dispatch was written as a thin wrapper around raw kernel operations with no security boundary.
Exploitation
The attack path is about as direct as kernel exploitation gets. An attacker opens a handle to the BioNTdrv device and sends a single IOCTL with controlled memmove parameters. The kernel copies attacker-supplied data to an attacker-chosen kernel address.
From there, the standard escalation playbook applies: overwrite the current process's token pointer with the SYSTEM token, or modify a process's privilege bitmap. Since the write primitive is fully controlled (no alignment constraints, no size limits), the attacker has significant flexibility in choosing which kernel data structure to target.
Exploitation Primitive
```text
Open BioNTdrv device handle
  --> IOCTL with attacker-controlled src/dst/size
  --> memmove executes in kernel context
  --> arbitrary kernel write --> token manipulation --> SYSTEM
```
Broader Significance
CVE-2025-0288 is a textbook case of why IOCTL input validation matters. The memmove call itself is not the vulnerability. The vulnerability is that user-mode input flows directly into kernel memory operation parameters without any sanitization. This pattern recurs across third-party drivers because developers treat IOCTL handlers as internal plumbing rather than trust boundaries. When the driver carries a Microsoft co-signature, it becomes a portable privilege escalation tool that loads on any Windows system.
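The hardened IOCTL shape the Root Cause and Broader Significance sections argue for, as an added user-mode C model that is not code from the advisory or from Paragon's driver. The request layout, field names, the driver-owned scratch region and the size constants are assumptions; the point is that user mode supplies an offset into a driver-owned buffer rather than raw src/dst addresses, and that the copy length is checked against the buffer length the I/O manager reports, not against the request's own length field.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SCRATCH_SIZE 4096u   /* driver-owned region user mode may write into (assumed) */
#define MAX_COPY     1024u   /* hard cap on a single request (assumed) */

/* Hypothetical request layout: an offset into the driver's own scratch region plus
 * a payload length. Raw src/dst kernel pointers are deliberately not accepted. */
typedef struct {
    uint32_t dst_offset;
    uint32_t length;        /* bytes of payload following this header */
    uint8_t  payload[];
} safe_copy_request_t;

enum ioctl_status { IOCTL_OK = 0, IOCTL_BAD_LENGTH, IOCTL_TOO_LARGE, IOCTL_OUT_OF_RANGE };

typedef struct { uint8_t scratch[SCRATCH_SIZE]; } device_ctx_t;

/* Hardened handler. in_len is the input-buffer length the I/O manager reports for the
 * IOCTL, never a value read out of the request. The vulnerable shape the page describes
 * is memmove(req->dst, req->src, req->size) with no checks; each check below removes
 * one way that primitive arises. */
enum ioctl_status safe_copy_handler(device_ctx_t *ctx, const void *in_buf, size_t in_len) {
    if (ctx == NULL || in_buf == NULL || in_len < sizeof(safe_copy_request_t))
        return IOCTL_BAD_LENGTH;
    const safe_copy_request_t *req = (const safe_copy_request_t *)in_buf;
    uint32_t dst = req->dst_offset, len = req->length;
    if (len > MAX_COPY)
        return IOCTL_TOO_LARGE;
    if ((size_t)len > in_len - sizeof(safe_copy_request_t))  /* payload really present? */
        return IOCTL_BAD_LENGTH;
    if (dst > SCRATCH_SIZE || len > SCRATCH_SIZE - dst)       /* no dst + len wrap-around */
        return IOCTL_OUT_OF_RANGE;
    memmove(ctx->scratch + dst, req->payload, len);
    return IOCTL_OK;
}

/* Harness: build a constructed request and run it. declared_len is what the request
 * claims; in_len is what the I/O manager would report for the buffer actually passed. */
enum ioctl_status run_request(uint32_t dst_offset, uint32_t declared_len, size_t in_len) {
    static device_ctx_t ctx;
    _Alignas(uint32_t) uint8_t buf[sizeof(safe_copy_request_t) + MAX_COPY];
    safe_copy_request_t hdr = { dst_offset, declared_len };
    memset(buf, 0x41, sizeof buf);           /* constructed payload bytes */
    memcpy(buf, &hdr, sizeof hdr);
    if (in_len > sizeof buf) in_len = sizeof buf;
    return safe_copy_handler(&ctx, buf, in_len);
}
```

A request whose declared length exceeds the buffer the I/O manager actually delivered, or whose offset would land past the scratch region even after 32-bit wrap-around, is rejected before any copy happens.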