Threat actors exploit zero-day in Paragon Partition Manager in BYOVD attacks

Ransomware gangs are exploiting a zero-day flaw in Paragon Partition Manager in "Bring Your Own Vulnerable Driver" (BYOVD) attacks.

The five vulnerabilities discovered by Microsoft researchers affect BioNTdrv.sys, a kernel-level driver used by the Paragon Partition Manager.

The flaw in question, CVE-2025-0289, has been leveraged by threat actors to gain SYSTEM privileges in Windows environments, enabling them to execute malicious commands with elevated access. At present, it’s not clear what ransomware operations are exploiting the zero-day flaw.

BYOVD attacks involve attackers dropping a vulnerable driver onto a target system in order to elevate their privileges, bypassing security measures and evading detection. In this case, attackers exploit the BioNTdrv.sys driver to escalate their privileges to SYSTEM level, allowing them to execute malicious code and potentially take full control of the compromised machine.

“An attacker with local access to a device can exploit these vulnerabilities to escalate privileges or cause a denial-of-service (DoS) scenario on the victim's machine,” explained a CERT/CC warning. Since the vulnerable driver is signed by Microsoft, attackers can leverage the flaw to gain unauthorized access even if Paragon Partition Manager is not installed on the victim's machine.

The vulnerabilities affect Paragon Partition Manager versions 7.9.1 and older, as well as certain versions of the BioNTdrv.sys driver. Specifically, CVE-2025-0289, which is being exploited in active attacks, impacts version 17 and earlier. The remaining flaws affect earlier versions of the software.

Both Paragon Software and Microsoft have fixed the vulnerabilities. Paragon Software has released updates to patch the flaws, and Microsoft has added vulnerable versions of the BioNTdrv.sys driver to its Vulnerable Driver Blocklist, preventing them from being loaded onto affected systems.
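As an added defender-side example (not code from the article, Paragon or Microsoft), the following Python scanner runs over constructed Sysmon-style driver-load records and flags loads of BioNTdrv.sys, rating a load from outside the system drivers directory, the footprint left when an attacker drops their own copy of the driver, as higher severity than a load from its normal location. The watchlist, field names and sample records are assumptions.

```python
import re

# Hypothetical watchlist of driver file names that should not load on managed
# hosts; the article names BioNTdrv.sys. In practice this would mirror
# Microsoft's Vulnerable Driver Blocklist.
WATCHLIST = {"biontdrv.sys"}
EXPECTED_DIR = "c:\\windows\\system32\\drivers\\"

# Constructed sample records (not real telemetry) in a simplified key=value
# rendering of Sysmon Event ID 6, DriverLoad.
SAMPLE_EVENTS = [
    "UtcTime=2025-03-01 10:00:01 ImageLoaded=C:\\Windows\\System32\\drivers\\disk.sys "
    "Signed=true Signature=Microsoft Windows",
    "UtcTime=2025-03-01 10:00:07 ImageLoaded=C:\\Users\\Public\\BioNTdrv.sys "
    "Signed=true Signature=Microsoft Windows Hardware Compatibility Publisher",
    "UtcTime=2025-03-01 10:00:09 ImageLoaded=C:\\Windows\\System32\\drivers\\BioNTdrv.sys "
    "Signed=true Signature=Microsoft Windows Hardware Compatibility Publisher",
]

# Values may contain spaces, so a value ends where the next "key=" begins.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Turn one key=value record into a dict."""
    return dict(FIELD_RE.findall(line))


def assess_driver_load(event):
    """Return a finding for a watchlisted driver load, or None."""
    path = event.get("ImageLoaded", "")
    name = path.rsplit("\\", 1)[-1].lower()
    if name not in WATCHLIST:
        return None
    # A Microsoft signature is expected and does not clear the load: BYOVD
    # abuses exactly such legitimately signed drivers.
    reasons = [f"{name} is on the vulnerable-driver watchlist"]
    if not path.lower().startswith(EXPECTED_DIR):
        # Loaded from a location where the product never installs it, the
        # footprint of an attacker dropping their own copy of the driver.
        reasons.append("loaded from outside the system drivers directory")
    return {"time": event.get("UtcTime"), "path": path, "reasons": reasons,
            "severity": "high" if len(reasons) > 1 else "medium"}


def scan(lines):
    """Assess every record and keep only the findings."""
    return [f for f in map(assess_driver_load, map(parse_event, lines)) if f]
```

On a host where the blocklist is enforced, a blocked driver never produces a successful load event, so a finding from this scan also indicates the blocklist is not active there.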

Users of Paragon Partition Manager are strongly urged to upgrade to the latest version of the software, which includes an updated, secure version of BioNTdrv.sys (version 2.0.0) that addresses the reported flaws.
