Threatening actors operate security vulnerability in the Biontdrv.Sys driver in Paragon Partition Manager Manager in ransomware attacks to escalate privileges and execute an arbitrary code.
The zero day deficiency (CVE-2025-0289) is part of a set of five vulnerabilities that have been detected by Microsoft, Certination Center (Cert/CC) reports.
“This includes an arbitrary reflection of the kernel memory and writing vulnerabilities, a derefert Null, dangerous access to kernel resources and arbitrary memory vulnerability,” Cert/CC – noted.
In a hypothetical attack scenario, an opponent with local access to the Windows machine can use these deficiencies to remake the privileges or cause a pre -service refusal (DOS), taking advantage of “biontdrv.sys” signed by Microsoft.
It can also pave the way because called A, bring your own vulnerable driver (Byovd) Attack on a system where the driver is not installed, thus allowing the subject to get high privileges and execute the malicious code.
The list of vulnerabilities affecting Biontdrv.sys 1.3.0 and 1.5.1 is next –
- Cve-2025-0285 – The arbitrary vulnerability of the reflection of the kernel in version 7.9.1, caused by the inability to check the data length provided by the users. Attackers can use this drawback to escalate privileges.
- Cve-2025-0286 – arbitrary vulnerability of the kernel memory in version 7.9.1 due to incorrect data verification provided by users. This disadvantage can allow the attackers to perform an arbitrary code by the victim’s car.
- Cve-2025-0287 – vulnerability of a zero index in version 7.9.1, caused by the lack of a true Masterlrp structure in the buffer. This allows the attacker to perform an arbitrary kernel code, which allows the escalation of the privileges.
- Cve-2025-0288 – arbitrary vulnerability of the kernel memory in version 7.9.1, caused by the Memmove function, which does not allow the users controlled. This allows the attacker to write an arbitrary memory of the kernel and to reach the escalation of privileges.
- Cve-2025-0289 – Dangerous vulnerability of access to the kernel resources in version 17, caused by the inability to check the Mapedsystemva pointer before transferring it to Halreturntofirmware. This allows the attackers to jeopardize the affected service.
The vulnerabilities have since been address According to Paragon software with version 2.0.0 drivers, with the susceptible version of the driver is added to Microsoft driver’s blogist.
Development comes a few days after checking disclosed Details of a large -scale malicious company that used another vulnerable Windows driver related to the Adlice Product (“Truesight.sys”) to bypass the detection and deployment of malicious GH0St software.
