Hackers Exploit Paragon Partition Manager Driver Vulnerability in Ransomware Attacks

Mar 03, 2025 | Ravie Lakshmanan | Ransomware / Vulnerability

Threat actors have been exploiting a security vulnerability in Paragon Partition Manager's BioNTdrv.sys driver in ransomware attacks to escalate privileges and execute arbitrary code.

The zero-day flaw (CVE-2025-0289) is part of a set of five vulnerabilities that was discovered by Microsoft, according to the CERT Coordination Center (CERT/CC).

"These include arbitrary kernel memory mapping and write vulnerabilities, a null pointer dereference, insecure kernel resource access, and an arbitrary memory move vulnerability," CERT/CC said.

In a hypothetical attack scenario, an adversary with local access to a Windows machine can exploit these shortcomings to escalate privileges or cause a denial-of-service (DoS) condition by taking advantage of the fact that "BioNTdrv.sys" is signed by Microsoft.

This could also pave the way for what's called a Bring Your Own Vulnerable Driver (BYOVD) attack on systems where the driver is not installed, thereby allowing the threat actors to obtain elevated privileges and execute malicious code.

The list of vulnerabilities, which impact BioNTdrv.sys versions 1.3.0 and 1.5.1, is as follows –

  • CVE-2025-0285 – An arbitrary kernel memory mapping vulnerability in version 7.9.1 caused by a failure to validate user-supplied data lengths. Attackers can exploit this flaw to escalate privileges.
  • CVE-2025-0286 – An arbitrary kernel memory write vulnerability in version 7.9.1 due to improper validation of user-supplied data lengths. This flaw can allow attackers to execute arbitrary code on the victim's machine.
  • CVE-2025-0287 – A null pointer dereference vulnerability in version 7.9.1 caused by the absence of a valid MasterLrp structure in the input buffer. This allows an attacker to execute arbitrary kernel code, enabling privilege escalation.
  • CVE-2025-0288 – An arbitrary kernel memory vulnerability in version 7.9.1 caused by the memmove function, which fails to sanitize user-controlled input. This allows an attacker to write arbitrary kernel memory and achieve privilege escalation.
  • CVE-2025-0289 – An insecure kernel resource access vulnerability in version 17 caused by a failure to validate the MappedSystemVa pointer before passing it to HalReturnToFirmware. This allows attackers to compromise the affected service.
The vulnerabilities have since been addressed by Paragon Software with version 2.0.0 of the driver, and the vulnerable version of the driver has been added to Microsoft's driver blocklist.
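For defenders, the two questions that follow from this are whether a pre-2.0.0 BioNTdrv.sys is present on a host and whether Microsoft's vulnerable driver blocklist is enabled. The PowerShell below is an added example written for this article, not code from the article, Paragon or Microsoft; it assumes the driver can be located by file name (the article gives no service name) and reads the registry value Microsoft documents for the blocklist switch.

```powershell
# Added defender-side check, not code from the article or from Paragon/Microsoft.
# It locates BioNTdrv.sys, compares its file version with the 2.0.0 release the
# article names as fixed, and reads Microsoft's documented registry switch for the
# vulnerable driver blocklist. Assumption: the driver is found by file name only.

$PatchedVersion = [System.Version]'2.0.0'
$DriverName     = 'BioNTdrv.sys'

function Get-BioNTdrvStatus {
    # Registered kernel drivers whose image path names BioNTdrv.sys.
    $services = Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.PathName -and $_.PathName -match [regex]::Escape($DriverName) }
    # Also check for a bare copy in the drivers directory: in the BYOVD case the
    # attacker brings the file along and it may have no persistent service entry.
    $paths = (@($services | ForEach-Object { $_.PathName }) +
              @("$env:SystemRoot\System32\drivers\$DriverName")) | Sort-Object -Unique

    foreach ($raw in $paths) {
        $p = $raw -replace '^\\\?\?\\', ''                        # strip \??\ prefix
        if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $fileVersion = (Get-Item -LiteralPath $p).VersionInfo.FileVersion
        $ver = $null
        $parsed = [System.Version]::TryParse($fileVersion, [ref]$ver)
        $sig = Get-AuthenticodeSignature -LiteralPath $p
        $svc = $services | Where-Object { $_.PathName -eq $raw } | Select-Object -First 1
        $state = if ($svc) { $svc.State } else { 'file present, no service' }
        [pscustomobject]@{
            Path        = $p
            FileVersion = $fileVersion
            # Unparseable version: report as vulnerable rather than silently pass it.
            Vulnerable  = (-not $parsed) -or ($ver -lt $PatchedVersion)
            Signer      = $sig.SignerCertificate.Subject
            State       = $state
        }
    }
}

function Get-VulnerableDriverBlocklistState {
    # Absence of the value does not prove the blocklist is off: HVCI and Smart App
    # Control enforce it regardless of this setting.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $val = (Get-ItemProperty -Path $key -Name VulnerableDriverBlocklistEnable `
                -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    [pscustomobject]@{ BlocklistEnabled = ($val -eq 1); RegistryValue = $val }
}

Get-BioNTdrvStatus | Format-Table -AutoSize
Get-VulnerableDriverBlocklistState
```

A row with Vulnerable set to True, or a file present with no service entry, is worth triaging as a possible BYOVD staging artifact rather than a legitimate Paragon install.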

The development comes days after Check Point revealed details of a large-scale malware campaign that leveraged another vulnerable Windows driver associated with Adlice's product suite ("truesight.sys") to bypass detection and deploy the Gh0st RAT malware.
