
Threat actors are exploiting a security vulnerability in Paragon Partition Manager's BioNTdrv.sys driver in ransomware attacks to escalate privileges and execute arbitrary code.
The zero-day flaw (CVE-2025-0289) is one of a set of five vulnerabilities discovered by Microsoft, according to the CERT Coordination Center (CERT/CC).
"These include arbitrary kernel memory mapping and write vulnerabilities, a null pointer dereference, insecure kernel resource access, and an arbitrary memory move vulnerability," CERT/CC said.

In a hypothetical attack scenario, an adversary with local access to a Windows machine can exploit these flaws to escalate privileges or cause a denial-of-service (DoS) condition, taking advantage of the fact that BioNTdrv.sys is signed by Microsoft and so loads without complaint from driver signature enforcement.
This also opens the door to a bring your own vulnerable driver (BYOVD) attack on systems where the driver is not installed: the attacker ships the signed, vulnerable driver themselves, loads it, and abuses it to gain elevated privileges and execute malicious code in the kernel.
The list of vulnerabilities affecting BioNTdrv.sys versions 1.3.0 and 1.5.1 is as follows:
CVE-2025-0285 - Arbitrary kernel memory mapping vulnerability in version 7.9.1, caused by a failure to validate the length of user-supplied data. An attacker can exploit this flaw to escalate privileges.
CVE-2025-0286 - Arbitrary kernel memory write vulnerability in version 7.9.1, caused by improper validation of user-supplied data lengths. This flaw allows an attacker to execute arbitrary code on the victim's machine.
CVE-2025-0287 - Null pointer dereference vulnerability in version 7.9.1, caused by the absence of a valid MasterLrp structure in the input buffer. This allows an attacker to execute arbitrary kernel code, enabling privilege escalation.
CVE-2025-0288 - Arbitrary kernel memory vulnerability in version 7.9.1, caused by a memmove call that fails to sanitize user-controlled input. This allows an attacker to write arbitrary kernel memory and achieve privilege escalation.
CVE-2025-0289 - Insecure kernel resource access vulnerability in version 17, caused by a failure to validate the MappedSystemVa pointer before passing it to HalReturnToFirmware. This allows an attacker to compromise the affected service.
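Three of the five entries above share one root cause: an IOCTL handler that trusts a length the caller controls instead of the buffer size the I/O manager actually reports, so a memmove runs past its destination. The following C program, added here as an illustration and not taken from BioNTdrv.sys or any Paragon code, models that bug class beside its hardened form. Every name in it (MapRequest, KernelContext, vulnerable_ioctl, hardened_ioctl, the status codes) is hypothetical, and the "kernel" object is a plain user-space struct with a canary region standing in for whatever memory follows the real destination.

```c
/* Added illustrative example of the unchecked-length bug class described
 * in the article. Not BioNTdrv.sys code; all identifiers are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STATUS_OK       0    /* stand-in for STATUS_SUCCESS */
#define STATUS_INVALID (-1)  /* stand-in for STATUS_INVALID_PARAMETER */

enum { BUF_SIZE = 16, CANARY_SIZE = 8 };

/* Hypothetical request a user-mode caller hands to the driver through
 * DeviceIoControl: a length field it fully controls, then the payload. */
typedef struct {
    uint32_t length;
    uint8_t  data[32];
} MapRequest;

/* Simulated kernel-side object the payload is copied into. Bytes [0,16)
 * are the intended buffer; bytes [16,24) stand in for the kernel memory
 * that follows it and act as a canary so the overflow is observable. */
typedef struct {
    uint8_t storage[BUF_SIZE + CANARY_SIZE];
} KernelContext;

void init_context(KernelContext *ctx) {
    memset(ctx->storage, 0, BUF_SIZE);
    memset(ctx->storage + BUF_SIZE, 0xAA, CANARY_SIZE);
}

/* Returns 1 if the canary bytes are untouched, 0 if the copy ran over them. */
int canary_intact(const KernelContext *ctx) {
    for (size_t i = 0; i < CANARY_SIZE; i++)
        if (ctx->storage[BUF_SIZE + i] != 0xAA) return 0;
    return 1;
}

/* Vulnerable pattern: req->length is trusted and in_len (the size the I/O
 * manager reports for the caller's buffer) is never consulted, so the
 * caller chooses how far memmove writes past the 16-byte destination. */
int vulnerable_ioctl(KernelContext *ctx, const MapRequest *req, size_t in_len) {
    (void)in_len;
    memmove(ctx->storage, req->data, req->length);
    return STATUS_OK;
}

/* Hardened pattern: check the size the caller actually supplied, the size
 * the caller claims, and the destination capacity before touching memory. */
int hardened_ioctl(KernelContext *ctx, const MapRequest *req, size_t in_len) {
    if (in_len < offsetof(MapRequest, data))                 /* header present? */
        return STATUS_INVALID;
    if (req->length > in_len - offsetof(MapRequest, data))   /* payload inside supplied bytes? */
        return STATUS_INVALID;
    if (req->length > BUF_SIZE)                              /* payload fits destination? */
        return STATUS_INVALID;
    memmove(ctx->storage, req->data, req->length);
    return STATUS_OK;
}

int main(void) {
    KernelContext ctx;
    MapRequest req;
    memset(&req, 0x41, sizeof req);   /* constructed input: 0x41 fill */
    req.length = 24;                  /* claims 24 bytes for a 16-byte destination */

    init_context(&ctx);
    vulnerable_ioctl(&ctx, &req, sizeof req);
    printf("vulnerable handler: canary %s\n",
           canary_intact(&ctx) ? "intact" : "overwritten");

    init_context(&ctx);
    int rc = hardened_ioctl(&ctx, &req, sizeof req);
    printf("hardened handler: status %d, canary %s\n", rc,
           canary_intact(&ctx) ? "intact" : "overwritten");
    return 0;
}
```

In a real WDM driver the value modelled here as in_len is IrpSp->Parameters.DeviceIoControl.InputBufferLength; the second check is what turns a caller-controlled length back into a bounded one, and the third is the one most often forgotten when the destination is a fixed-size kernel structure rather than a buffer sized from the request.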

The vulnerabilities have since been addressed by Paragon Software with driver version 2.0.0, and the vulnerable versions of the driver have been added to Microsoft's Vulnerable Driver Blocklist. Systems that do not enforce that blocklist (for example, without HVCI or Smart App Control enabled) remain exposed to BYOVD abuse of the older signed driver until it is blocked by other means.
The development comes days after Check Point revealed details of a large-scale malware campaign that leveraged another vulnerable Windows driver, truesight.sys, associated with Adlice's product suite, to bypass detection and deploy the Gh0st RAT malware.