Ransomware Gangs Exploit Paragon Partition Manager BioNTdrv.sys Driver Zero-Day
Microsoft has issued a warning about a critical zero-day vulnerability in the Paragon Partition Manager BioNTdrv.sys driver, which is being actively exploited by ransomware gangs to gain SYSTEM-level access. The vulnerability was discovered by Microsoft researchers and affects multiple versions of the driver, including those available in Community and Commercial editions.
About Paragon Partition Manager
Paragon Partition Manager is a popular software tool used for managing hard drive partitions. It uses the BioNTdrv.sys driver to obtain the low-level, elevated access it needs for data management. Because the driver runs as a kernel-level component, a flaw in it gives an attacker who can reach the driver a path to manipulate system resources and potentially gain unauthorized access.
The Vulnerabilities
Microsoft researchers have identified five vulnerabilities in Paragon Partition Manager's BioNTdrv.sys driver:
- Arbitrary kernel memory mapping and arbitrary kernel memory write vulnerabilities (two separate flaws)
- A null pointer dereference
- Insecure kernel resource access
- An arbitrary memory move vulnerability
The most critical vulnerability, CVE-2025-0289, allows attackers to gain SYSTEM-level access. This is a serious threat because SYSTEM access exceeds ordinary administrator permissions and lets attackers manipulate system resources at will.
How Ransomware Gangs Are Exploiting the Vulnerability
Ransomware groups are exploiting the vulnerability by sending device-specific Input/Output Control (IOCTL) requests to the driver. Depending on the request, this can result in privilege escalation or a system crash, such as a Blue Screen of Death (BSOD).
Prevention and Patching
Paragon Software has released BioNTdrv.sys v2.0.0 to address the vulnerabilities. Microsoft recommends that users update Paragon Partition Manager and enable Windows' Vulnerable Driver Blocklist to prevent exploitation.
On Windows 11, the blocklist is active by default. Enterprises should apply the blocklist to prevent threat actors from exploiting older driver versions (1.3.0 & 1.5.1).
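A quick host check for the two mitigations above, added here as an example and not code from Paragon or Microsoft: it looks for any registered or on-disk copy of BioNTdrv.sys, compares its file version with the fixed 2.0.0 release, and reports whether the Vulnerable Driver Blocklist is enforced (either through HVCI or the documented registry switch). It searches registered kernel services rather than only the Paragon install folder, since an attacker can bring an old copy of the driver along even where the product is not installed. The driver file name, the fixed version and the two older versions come from the advisory; the WMI class and registry value names are Microsoft's documented ones.

```powershell
# Added example (not Paragon's or Microsoft's code). Assumes: fixed version 2.0.0,
# driver file name BioNTdrv.sys (both from the advisory).
$FixedVersion = [version]'2.0.0'

function Get-DriverFileVersion {
    param([string]$Path)
    $raw = (Get-Item -LiteralPath $Path -ErrorAction Stop).VersionInfo.FileVersion
    # Keep the leading dotted number only, e.g. "1.5.1.0 built by: x" -> "1.5.1.0"
    $clean = ($raw -replace '[^\d.].*$', '').TrimEnd('.')
    if ($clean -match '^\d+(\.\d+){1,3}$') { return [version]$clean }
    return $null
}

# 1. Any copy registered as a kernel service, loaded or not (BYOVD drops land here too).
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -like '*BioNTdrv*' }

# 2. The usual on-disk location.
$onDisk = Get-ChildItem -Path "$env:SystemRoot\System32\drivers" -Filter 'BioNTdrv*.sys' `
    -ErrorAction SilentlyContinue

$paths = @($drivers.PathName) + @($onDisk.FullName) | Where-Object { $_ } | Sort-Object -Unique
foreach ($p in $paths) {
    $p = $p -replace '^\\\?\?\\', ''   # strip the \??\ prefix some PathName values carry
    $name = [IO.Path]::GetFileName($p)
    $state = ($drivers | Where-Object { $_.PathName -like "*$name" } | Select-Object -First 1).State
    $v = Get-DriverFileVersion $p
    if ($null -eq $v)             { "$p : version unreadable (treat as suspect)" }
    elseif ($v -lt $FixedVersion) { "$p : v$v is BELOW $FixedVersion (vulnerable; state=$state)" }
    else                          { "$p : v$v is at or above $FixedVersion (state=$state)" }
}
if (-not $paths) { 'BioNTdrv.sys not found among registered drivers or System32\drivers.' }

# 3. Blocklist enforcement: HVCI running (SecurityServicesRunning contains 2) enforces it;
#    otherwise the explicit registry switch must be 1.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard `
    -ErrorAction SilentlyContinue
$hvci = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))
$reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' `
    -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue
$blocklist = $hvci -or ($reg.VulnerableDriverBlocklistEnable -eq 1)
"HVCI running: $hvci; VulnerableDriverBlocklistEnable=$($reg.VulnerableDriverBlocklistEnable); " +
"blocklist enforced: $blocklist"
```

A driver reported as below 2.0.0 with state "Running" is the case to escalate; an unreadable version on a file named like the driver deserves a look as well.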
Conclusion
The exploitation of this zero-day vulnerability highlights the importance of keeping software up-to-date and patching vulnerable drivers. Users and organizations should take immediate action to update Paragon Partition Manager and enable the Vulnerable Driver Blocklist to prevent potential attacks.