

Ethical Hacking News

Ransomware Gangs Exploit Critical Paragon Partition Manager BioNTdrv.sys Driver Zero-Day Flaw


Ransomware gangs have taken advantage of a critical zero-day flaw in Paragon Partition Manager's BioNTdrv.sys driver to gain SYSTEM-level access on vulnerable systems. Microsoft has patched the vulnerability, but users are advised to update their software and enable Windows' Vulnerable Driver Blocklist to mitigate the risks associated with this critical security threat.

  • The BioNTdrv.sys component in Paragon Partition Manager has been exploited by ransomware gangs due to a critical zero-day flaw (CVE-2025-0289) that allows attackers to gain SYSTEM-level access.
  • The driver's kernel-level architecture makes it susceptible to exploitation by malicious actors seeking to execute code on vulnerable systems.
  • Microsoft discovered five vulnerabilities in Paragon Partition Manager's BioNTdrv.sys driver, including arbitrary kernel memory mapping and write vulnerabilities, null pointer dereference, insecure kernel resource access, and an arbitrary memory move vulnerability.
  • Ransomware groups were exploiting the CVE-2025-0289 vulnerability to gain SYSTEM-level access on vulnerable systems, using it in zero-day attacks.
  • Paragon Software has patched the flaw, but users are advised to update to version 2.0.0 or later to avoid potential exploitation.
  • Enabling Windows' Vulnerable Driver Blocklist and keeping drivers up-to-date can help mitigate risks associated with this driver.



    Paragon Partition Manager, a widely used partition management tool for Windows systems, has been exploited by ransomware gangs due to a critical zero-day flaw in its BioNTdrv.sys driver component. This vulnerability, identified as CVE-2025-0289, allows attackers to gain SYSTEM-level access, surpassing typical administrator permissions.

    According to Microsoft researchers, the BioNTdrv.sys driver is used to manage hard drive partitions and provides low-level access with elevated privileges for data management. The driver's kernel-level architecture makes it susceptible to exploitation by attackers seeking to execute malicious code on vulnerable systems.

    Microsoft discovered five vulnerabilities in Paragon Partition Manager's BioNTdrv.sys driver, versions before 2.0.0. These flaws include arbitrary kernel memory mapping and write vulnerabilities, a null pointer dereference, insecure kernel resource access, and an arbitrary memory move vulnerability.

    The researchers found that ransomware groups were exploiting the CVE-2025-0289 vulnerability to gain SYSTEM-level access on vulnerable systems. Microsoft reported that this flaw was actively exploited by these malicious actors in zero-day attacks.

    Paragon Software has patched the flaw and blocked vulnerable BioNTdrv.sys versions. However, users are advised to update their Paragon Partition Manager software to version 2.0.0 or later to avoid potential exploitation of this critical zero-day vulnerability.

    To mitigate the risks associated with this driver, it is recommended that users enable Windows' Vulnerable Driver Blocklist on their systems. This blocklist ensures that older versions of the BioNTdrv.sys driver, which are vulnerable to exploitation, are prevented from being installed.

    Enterprises should also take proactive steps to secure their systems by applying the blocklist and ensuring that all drivers, including the Paragon Partition Manager BioNTdrv.sys component, are updated to the latest versions.
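    As an added defender-side check that is not part of the article, the following PowerShell script audits a Windows host for the BioNTdrv.sys driver (file present, version, whether it is loaded) and reports whether the Vulnerable Driver Blocklist and HVCI are enabled. It assumes the driver keeps the file name BioNTdrv.sys and that patched builds report version 2.0.0 or later, as the article states; run it from an elevated session.

```powershell
# Added example (not from the article or from Paragon): audit a host for the
# Paragon BioNTdrv.sys driver and the Windows Vulnerable Driver Blocklist.
# Assumption: patched driver builds report a file version >= 2.0.0; adjust
# $FixedVersion if vendor guidance changes. Run from an elevated PowerShell.

$FixedVersion = [version]'2.0.0'

function Get-BioNTdrvStatus {
    # Look for the driver both on disk and among registered system drivers.
    $paths = @("$env:SystemRoot\System32\drivers\BioNTdrv.sys")
    $svc = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -match 'BioNTdrv\.sys$' }
    if ($svc) { $paths += ($svc.PathName -replace '^\\\?\?\\', '') }

    foreach ($p in ($paths | Sort-Object -Unique)) {
        if (-not (Test-Path $p)) { continue }
        $fv  = (Get-Item $p).VersionInfo.FileVersion
        $ver = $null
        if ($fv -and ($fv -match '^\d+(\.\d+){1,3}')) { $ver = [version]$matches[0] }
        [pscustomobject]@{
            Path       = $p
            Version    = $fv
            Loaded     = [bool]($svc | Where-Object State -eq 'Running')
            # Unknown version is treated as vulnerable (fail closed).
            Vulnerable = ($null -eq $ver) -or ($ver -lt $FixedVersion)
        }
    }
}

function Get-DriverBlocklistStatus {
    # The Microsoft Vulnerable Driver Blocklist is controlled by this registry
    # value (1 = enabled); it is always enforced when HVCI (memory integrity)
    # is running, which Win32_DeviceGuard reports as service code 2.
    $ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' `
        -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    [pscustomobject]@{
        BlocklistEnabled = ($ci.VulnerableDriverBlocklistEnable -eq 1)
        HvciRunning      = ($dg.SecurityServicesRunning -contains 2)
    }
}

Get-BioNTdrvStatus | Format-Table -AutoSize
Get-DriverBlocklistStatus
```

A host where the driver is present and Vulnerable is True, or where BlocklistEnabled is False, should be prioritised for the Paragon update and for enabling the blocklist.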

    Furthermore, users are advised to exercise caution when installing software or updating system drivers, as malicious actors may attempt to use zero-day vulnerabilities like CVE-2025-0289 to compromise systems.

    The discovery of this critical vulnerability highlights the importance of keeping system components up-to-date and exercising vigilance in monitoring for potential security threats. It also underscores the need for organizations to develop robust cybersecurity protocols to protect against such attacks.

    In light of these findings, users are urged to prioritize their system security by ensuring that all necessary patches and updates are installed promptly.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Ransomware-Gangs-Exploit-Critical-Paragon-Partition-Manager-BioNTdrvsys-Driver-Zero-Day-Flaw-ehn.shtml

  • https://securityaffairs.com/174789/cyber-crime/ransomware-gangs-paragon-partition-manager-biontdrv-sys-driver-zero-day-attacks.html

  • https://nvd.nist.gov/vuln/detail/CVE-2025-0289

  • https://www.cvedetails.com/cve/CVE-2025-0289/


  • Published: Sat Mar 1 15:41:04 2025 by llama3.2 3B Q4_K_M
