Microsoft signed a dodgy driver and now ransomware scum are exploiting it
Five flaws found in Paragon Partition Manager's kernel-level .sys
Ransomware crooks are exploiting a third-party Windows kernel-level driver used and provided by disk management tool Paragon Partition Manager.
Paragon Partition Manager is a software tool that allows users to create and manage partitions on a storage drive. It sports a Microsoft-approved, digitally signed kernel-level driver, BioNTdrv.sys, that the manager application uses for privileged low-level access to attached hard drives.
It turns out the .sys has security vulnerabilities that can be exploited by malware and rogue users already on the machine to gain SYSTEM-level control over the whole box. Miscreants can also include copies of the driver with their ransomware or manually deploy the .sys on compromised Windows computers to fully hijack the system; because the driver is signed and trusted by the operating system, it's allowed to run no problem.
"As the attack involves a Microsoft-signed driver, an attacker can leverage a Bring Your Own Vulnerable Driver (BYOVD) technique to exploit systems even if Paragon Partition Manager is not installed," as the CERT Coordination Center (CERT/CC) in the US put it in a warning late last week.
According to CERT/CC, one of the five now-fixed security flaws in Paragon Partition Manager's BioNTdrv.sys driver has been abused in the wild by ransomware miscreants. The five vulnerabilities, none of which have been assigned CVSS ratings, are:
- CVE-2025-0288: An arbitrary kernel memory vulnerability in Paragon Partition Manager version 7.9.1 that can be abused to write to arbitrary kernel memory and achieve privilege escalation.
- CVE-2025-0287: A null pointer dereference vulnerability in version 7.9.1 that allows an attacker to execute arbitrary kernel code and achieve privilege escalation.
- CVE-2025-0286: An arbitrary kernel memory write vulnerability in version 7.9.1 that can lead to arbitrary code execution.
- CVE-2025-0285: An arbitrary kernel memory mapping vulnerability in version 7.9.1 that can be exploited to escalate privileges.
- CVE-2025-0289: An insecure kernel resource access vulnerability in Paragon Partition Manager version 17 that basically allows for privileged code execution via an unvalidated attacker-controlled pointer.
Microsoft found and reported all five bugs to Paragon Software, we're told, and according to the CERT/CC warning, CVE-2025-0289 is the flaw specifically used in the observed BYOVD-based ransomware attacks. In such an attack, the crook first gets the .sys file and some other malicious code running on a victim's Windows computer, and then uses the driver to gain top privileges and complete the takeover.
Paragon Software has released a new driver, BioNTdrv.sys version 2.0.0, which fixes these flaws. Vulnerable versions of the driver have been added to Microsoft's Vulnerable Driver Blocklist so that the OS no longer trusts the buggy driver if it shows up in a BYOVD-based infection. Windows 11 devices enable this blocklist by default.
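For admins who want to check their own fleet, here is an added example script, not code from the article, Paragon or Microsoft, that looks for BioNTdrv.sys on a host, reports whether the copy predates the fixed 2.0.0 driver, and shows the state of the Vulnerable Driver Blocklist. It assumes the driver's PE file version tracks the 2.0.0 release named above, and the function names are our own.

```powershell
# Added example (not from the article, Paragon or Microsoft): audit a Windows host for
# the BioNTdrv.sys driver and for the Microsoft Vulnerable Driver Blocklist setting.
# Assumptions: the driver's PE file version reflects the fixed 2.0.0 release, and the
# script runs in an elevated Windows PowerShell 5.1+ session.

$DriverName   = 'BioNTdrv.sys'
$FixedVersion = [version]'2.0.0'   # release the article says fixes all five CVEs

function Resolve-DriverPath([string]$p) {
    # Win32_SystemDriver may report NT-style paths; normalise them to Win32 paths.
    $p = $p -replace '^\\\?\?\\', ''
    return ($p -replace '^\\SystemRoot', $env:SystemRoot)
}

function Get-BioNTdrvFindings {
    # Drivers registered as kernel services, loaded or not: a BYOVD payload has to
    # register the .sys as a service to get it into the kernel.
    $svc = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -and (Split-Path $_.PathName -Leaf) -ieq $DriverName } |
        ForEach-Object { Resolve-DriverPath $_.PathName }
    # Copies dropped into the drivers directory that have no service entry (yet).
    $dir = Get-ChildItem "$env:SystemRoot\System32\drivers" -Filter $DriverName -File `
        -ErrorAction SilentlyContinue | ForEach-Object { $_.FullName }

    foreach ($path in (@($svc) + @($dir) | Sort-Object -Unique)) {
        $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if (-not $file) { continue }
        $ver = $file.VersionInfo.FileVersionRaw
        $sig = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Path       = $path
            Version    = $ver
            Vulnerable = ($ver -lt $FixedVersion)   # anything below 2.0.0 is blocklisted
            Signer     = $sig.SignerCertificate.Subject
            SigStatus  = $sig.Status
        }
    }
}

function Get-BlocklistState {
    # Documented registry switch for the blocklist; when the value is absent the OS
    # default applies (on by default on Windows 11, as the article notes).
    $ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' `
        -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    [pscustomobject]@{
        BlocklistRegistryValue = if ($ci) { $ci.VulnerableDriverBlocklistEnable } else { 'not set (OS default)' }
        HvciRunning            = [bool]($dg.SecurityServicesRunning -contains 2)
    }
}

Get-BioNTdrvFindings | Format-Table -AutoSize
Get-BlocklistState
```

A hit with Vulnerable = True on a machine that never had Paragon Partition Manager installed is the BYOVD pattern CERT/CC describes and is worth treating as an incident rather than a patching chore.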
Neither Paragon nor Microsoft immediately responded to The Register's inquiries, including those about the scope of the observed exploitation. We will update this story if and when we receive a response. ®