Microsoft security researchers have uncovered a series of serious vulnerabilities in Paragon Partition Manager's BioNTdrv.sys driver, with one actively being exploited by ransomware gangs to compromise systems.
The most severe vulnerability, tracked as CVE-2025-0289, allows attackers to gain SYSTEM-level access - the highest privilege level on Windows systems. Ransomware groups are actively exploiting this flaw in real-world attacks.
The affected software, Paragon Partition Manager, is used to manage hard drive partitions through its BioNTdrv.sys driver. This kernel-level driver provides elevated access privileges for data management tasks.
Microsoft discovered a total of five security flaws affecting versions prior to 2.0.0 of the driver. The vulnerabilities range from arbitrary kernel memory manipulation to null pointer issues that could allow attackers to crash systems or gain complete control.
Even if Paragon Partition Manager is not installed, attackers can still exploit these flaws by manually installing vulnerable versions of the driver - a technique known as BYOVD (Bring Your Own Vulnerable Driver).
Both Microsoft and Paragon Software have taken action to address the threats. Paragon has released version 2.0.0 of the BioNTdrv.sys driver with security fixes, while Microsoft has added the known vulnerable driver versions to Windows' Vulnerable Driver Blocklist.
Security experts recommend that users:
- Update Paragon Partition Manager to the latest version
- Enable Windows' Vulnerable Driver Blocklist
- For enterprises, deploy the blocklist across their networks to prevent exploitation of older vulnerable driver versions
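A host audit for the two host-level recommendations above, added here as an example rather than code from the article, Paragon, or Microsoft. It assumes the blocklist toggle is the Microsoft-documented registry value VulnerableDriverBlocklistEnable under HKLM\SYSTEM\CurrentControlSet\Control\CI\Config, that the driver file keeps its BioNTdrv.sys name, and that any file version below 2.0.0 counts as unfixed.

```powershell
# Added example (not from the article, Paragon, or Microsoft). Audits one Windows host:
# is the Vulnerable Driver Blocklist on, and is a pre-2.0.0 BioNTdrv.sys registered or loaded?
# Assumptions: registry value name/path as documented by Microsoft; driver keeps its file name.
$FixedVersion = [version]'2.0.0'
$CiConfig     = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'

function Get-VulnerableDriverBlocklistState {
    # $true when the Microsoft Vulnerable Driver Blocklist is switched on.
    # Windows 11 enables it by default; on older builds the value may be absent (treated as off).
    $item = Get-ItemProperty -Path $CiConfig -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.VulnerableDriverBlocklistEnable -eq 1)
}

function Find-BioNTdrv {
    # Lists every registered kernel driver whose image is BioNTdrv.sys, with file version,
    # whether it is currently loaded, and whether the version predates the fixed release.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -and ($_.PathName -match 'BioNTdrv\.sys$') } |
        ForEach-Object {
            $path = $_.PathName -replace '^\\\?\?\\', ''   # strip the \??\ NT prefix if present
            $ver  = $null
            if (Test-Path -LiteralPath $path) {
                $fv = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
                if ($fv) { $ver = [version](($fv -split '[ ,]')[0]) }   # "2.0.0.0 (...)" -> 2.0.0.0
            }
            [pscustomobject]@{
                Service    = $_.Name
                Path       = $path
                State      = $_.State                         # 'Running' means loaded in the kernel
                Version    = $ver
                Vulnerable = ($null -ne $ver -and $ver -lt $FixedVersion)
            }
        }
}

# Report
$blocklistOn = Get-VulnerableDriverBlocklistState
Write-Host ("Vulnerable Driver Blocklist enabled: {0}" -f $blocklistOn)
$drivers = @(Find-BioNTdrv)
if ($drivers.Count -eq 0) { Write-Host 'No BioNTdrv.sys driver registered on this host.' }
else { $drivers | Format-Table -AutoSize }
if (-not $blocklistOn) {
    Write-Host 'Remediation: turn on the blocklist (Windows Security > Device security > Core isolation)'
    Write-Host "  or set VulnerableDriverBlocklistEnable = 1 under $CiConfig and reboot."
}
```

The file-name match only finds the driver under its normal name; a BYOVD attacker can register the same binary under another service and file name, so the blocklist (which matches the driver image itself) remains the control to rely on, with this script serving as a configuration check.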
The Windows 11 operating system includes these protections by default, but earlier Windows versions may need manual configuration of security settings.
This incident highlights how sophisticated cybercriminals continue to leverage vulnerable drivers to bypass system security and deploy ransomware.