CVE-2025-0289
BioNTdrv.sys — Paragon Partition Manager driver exploited by ransomware gangs for SYSTEM escalation
Exploited in the Wild
Microsoft observed ransomware gangs exploiting this vulnerability for SYSTEM privilege escalation via BYOVD.
Summary
| Field | Value |
|---|---|
| Driver | BioNTdrv.sys (Paragon Hard Disk Manager / Partition Manager) |
| Vendor | Paragon Software |
| Vulnerability Class | Insecure Kernel Resource Access |
| Exploited ITW | Yes (ransomware) |
| Status | Blocklisted by Microsoft; fixed in BioNTdrv.sys v2.0.0 |
BYOVD Context
- Driver signing: Microsoft co-signed; loads even if Paragon software is not installed
- Vulnerable Driver Blocklist: Added to Microsoft's blocklist
- Related CVEs: CVE-2025-0285 (arbitrary kernel write), CVE-2025-0286 (arbitrary kernel write via unchecked memmove), CVE-2025-0287 (null pointer dereference), CVE-2025-0288 (arbitrary kernel write via user-supplied length)
Root Cause
BioNTdrv.sys (versions 1.3.0 and 1.5.1) exposes multiple IOCTL handlers with insufficient input validation. In CVE-2025-0289, the handler does not validate the MappedSystemVa pointer before passing it to HalReturnToFirmware, giving arbitrary kernel resource access. The related CVEs (0285, 0286, 0288) give arbitrary kernel memory writes via unchecked memmove operations with user-supplied data lengths.
The driver's Microsoft co-signature means it loads on any Windows system regardless of whether Paragon software is installed, making it an ideal BYOVD target.
Exploitation
Ransomware operators load the signed driver via BYOVD, write arbitrary kernel memory through the exposed IOCTLs, escalate to SYSTEM, then deploy encryption payloads.
Exploitation Primitive
Load co-signed BioNTdrv.sys via BYOVD
→ IOCTL with unchecked memmove (CVE-2025-0286/0288) → arbitrary kernel write
→ or: IOCTL with unvalidated MappedSystemVa (CVE-2025-0289) → kernel resource access
→ SYSTEM → ransomware deployment
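A host check a defender can run for the points above (the co-signed driver loads without Paragon software, the fix is v2.0.0, and Microsoft blocklists the vulnerable versions). This is an added example, not content from the advisory, Paragon or Microsoft; it assumes the registry value VulnerableDriverBlocklistEnable mirrors the blocklist toggle (Windows 11 22H2 and later) and that PowerShell's FileVersionRaw property is available (Windows PowerShell 5.1 or later).

```powershell
# Added example for this advisory, not code from Paragon or Microsoft.
# Hunts for BioNTdrv.sys on the local host, flags versions below the fixed 2.0.0,
# and reports whether the Vulnerable Driver Blocklist and HVCI are active.
# Assumption: VulnerableDriverBlocklistEnable under HKLM\SYSTEM\CurrentControlSet\Control\CI\Config
# reflects the "Microsoft Vulnerable Driver Blocklist" toggle (Windows 11 22H2+).

$DriverName   = 'BioNTdrv.sys'
$FixedVersion = [version]'2.0.0'    # fixed version from the Status row above

function Resolve-DriverPath([string]$PathName) {
    # A service PathName may be \??\C:\..., \SystemRoot\System32\..., or a plain path.
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    return $p
}

# 1. Driver registered as a kernel service (loaded or not), plus any copy sitting on disk.
$candidates = @()
$candidates += Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName -and $_.PathName -match [regex]::Escape($DriverName) } |
    ForEach-Object { [pscustomobject]@{ Source = "service:$($_.Name) ($($_.State))"; Path = Resolve-DriverPath $_.PathName } }
$candidates += Get-ChildItem "$env:SystemRoot\System32\drivers" -Filter $DriverName -ErrorAction SilentlyContinue |
    ForEach-Object { [pscustomobject]@{ Source = 'disk'; Path = $_.FullName } }

foreach ($c in ($candidates | Sort-Object Path -Unique)) {
    if (-not (Test-Path $c.Path)) { continue }
    $info = (Get-Item $c.Path).VersionInfo
    $ver  = $info.FileVersionRaw               # PowerShell's parsed [version] of the PE version resource
    $sig  = Get-AuthenticodeSignature $c.Path  # shows the Microsoft co-signature the advisory mentions
    [pscustomobject]@{
        Source     = $c.Source
        Path       = $c.Path
        Version    = $ver
        Vulnerable = ($ver -lt $FixedVersion)  # 1.3.0 and 1.5.1 fall below the fix
        SigStatus  = $sig.Status
        Signer     = $sig.SignerCertificate.Subject
    }
}

# 2. Are the platform mitigations that block this BYOVD path actually on?
$ci = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
[pscustomobject]@{
    VulnerableDriverBlocklist = ($ci.VulnerableDriverBlocklistEnable -eq 1)
    HVCIRunning               = ($dg.SecurityServicesRunning -contains 2)   # 2 = HVCI in Win32_DeviceGuard
}
```

A host that shows a copy with Vulnerable = True, or that reports the blocklist and HVCI both off, is exposed to the load step at the top of the chain above even with no Paragon product installed.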