Executive Summary
Microsoft and CERT/CC have disclosed five vulnerabilities in Paragon Software’s BioNTdrv.sys kernel-mode driver used across the Hard Disk Manager / Partition Manager product line, enabling local attackers to escalate privileges and (in some cases) execute kernel-level code. According to CERT/CC’s Vulnerability Note, Microsoft observed threat actors using the Bring Your Own Vulnerable Driver (BYOVD) technique to exploit CVE-2025-0289 in ransomware operations to obtain SYSTEM privileges and enable follow-on malicious activity. (kb.cert.org)
Paragon has released a patched driver (BioNTdrv.sys v2.0.0) and Microsoft has blocked vulnerable driver versions via its Vulnerable Driver Blocklist mechanisms. (kb.cert.org)
This activity is high-risk for defenders because BYOVD abuse can occur even when Paragon products are not installed, so long as an attacker can introduce and load the signed vulnerable driver on a target host. (kb.cert.org)
Contextual Background
2.1 Nature of the threat — vulnerabilities in BioNTdrv.sys
CERT/CC’s Vulnerability Note VU#726882 documents five issues in BioNTdrv.sys affecting multiple Paragon products. These include arbitrary kernel memory mapping/write primitives, a NULL pointer dereference, insecure kernel resource access, and an arbitrary memory move issue. (kb.cert.org)
Vulnerability set (driver component: BioNTdrv.sys):
- CVE-2025-0285 — arbitrary kernel memory mapping (privilege escalation)
- CVE-2025-0286 — arbitrary kernel memory write (potential kernel code execution)
- CVE-2025-0287 — NULL pointer dereference (kernel arbitrary code execution / privilege escalation path depending on exploitation)
- CVE-2025-0288 — arbitrary memory move via unsafe memmove handling (write-what-where style primitive enabling privilege escalation)
- CVE-2025-0289 — insecure kernel resource access (observed exploited in ransomware BYOVD operations)
Important correction (re: “which CVE is exploited”): CERT/CC explicitly states Microsoft observed threat actors exploiting CVE-2025-0289 for SYSTEM privilege escalation in BYOVD ransomware attacks. (kb.cert.org)
2.2 Threat-actor attribution (if any)
Public reporting attributes exploitation to “ransomware operators/gangs” but does not (in the sources reviewed) name a specific tracked threat actor with high confidence. As such, attribution remains Possible (Admiralty/NATO-style) to a ransomware affiliate ecosystem rather than a single group. (kb.cert.org)
Confidence: Possible — based on defensive reporting that describes ransomware use without actor-level naming. (kb.cert.org)
2.3 Sector and geographic targeting
BYOVD-enabled privilege escalation is generally opportunistic: once an attacker has a foothold (often via stolen credentials or malware), kernel-level escalation helps disable security tooling and deploy ransomware broadly. CERT/CC notes the driver is Microsoft-signed and can be abused even if Paragon software is not present, increasing the likelihood of cross-sector targeting. (kb.cert.org)
Technical Analysis
3.1 Detailed description of vulnerabilities and TTPs (with MITRE mapping)
Attack chain (high-level, as described by CERT/CC and common BYOVD tradecraft):
- Initial local execution / access on a Windows endpoint (precondition: attacker can run code and typically has admin-equivalent capability to load a driver/service). (kb.cert.org)
- Introduce and load a signed vulnerable driver (BioNTdrv.sys) to the host as part of BYOVD. (kb.cert.org)
- Exploit driver IOCTL handling flaws to elevate to SYSTEM and/or gain kernel primitives. (kb.cert.org)
- Use elevated control to execute further malicious code (e.g., ransomware deployment and defence evasion). (kb.cert.org)
MITRE ATT&CK technique mapping (linked):
- Privilege escalation via exploited weakness: T1068 (Exploitation for Privilege Escalation) (kb.cert.org)
- Driver/service installation (common for loading a kernel driver): T1543.003 (Create or Modify System Process: Windows Service) (Microsoft Tech Community)
- Defence evasion via kernel-level manipulation / disruption of security tools (often the objective of BYOVD): T1562.001 (Impair Defences: Disable or Modify Tools) — described as a driver-abuse motivation in Microsoft’s BYOVD guidance. (Microsoft Tech Community)
Note: The sources confirm BYOVD + privilege escalation and follow-on malicious code execution, but they do not publicly detail each post-escalation action on victims. Where behaviours are described as “typical”, they are aligned to Microsoft’s general BYOVD defensive guidance rather than a victim-specific forensic narrative. (Microsoft Tech Community)
3.2 Exploitation status — in the wild and PoC availability
- In-the-wild exploitation (confirmed by defensive reporting): CERT/CC states Microsoft observed threat actors exploiting CVE-2025-0289 in BYOVD ransomware attacks to escalate to SYSTEM and execute additional malicious code. (kb.cert.org)
- Public exploitation detail/coverage: Multiple security news and analyst write-ups corroborate ransomware/BYOVD use of the Paragon driver vulnerability set (without necessarily providing full exploit code). (The Hacker News)
No responsibly disclosed, authoritative source in the materials above provides a canonical public PoC link for CVE-2025-0289. If your environment relies on exploit provenance tracking, treat any third-party PoC claims with caution unless backed by a reputable research lab or vendor publication.
Impact Assessment
4.1 Severity and scope
NVD entries (with CISA-ADP scoring where NVD scoring is pending) indicate HIGH severity for most of the set:
- CVE-2025-0286: 8.4 (High) — NVD (NVD)
- CVE-2025-0285: 7.8 (High) — NVD (NVD)
- CVE-2025-0288: 7.8 (High) — NVD (NVD)
- CVE-2025-0289: 7.8 (High) — NVD (NVD)
- CVE-2025-0287: 5.1 (Medium) — NVD (NVD)
Operational risk: Successful exploitation provides SYSTEM/kernel-adjacent control that can enable ransomware deployment, tampering with endpoint security controls, and broader lateral movement if combined with credential theft. CERT/CC explicitly highlights ransomware use and the “even if not installed” BYOVD risk profile. (kb.cert.org)
4.2 Victim profile
Victims are best characterised as Windows environments where attackers can load a signed vulnerable driver, including:
- Endpoints and servers where security posture allows driver loading (or where attackers have already obtained sufficient privilege).
- Organisations with inconsistent driver blocklist enforcement or without ASR/WDAC/App Control controls enabled. (Microsoft Tech Community)
Indicators of Compromise (IOCs)
5.1 IOC table
At time of writing, the primary authoritative sources referenced (CERT/CC + Paragon advisory + NVD entries) do not publish victim-specific indicators (hashes/IPs/domains) for the ransomware campaigns exploiting CVE-2025-0289. (kb.cert.org)
In the absence of unique indicators, use the behavioural detection guidance in 5.2 as “IOCs-by-behaviour” (investigation pivots, not unique indicators).
5.2 Detection guidance (queries and rules)
Microsoft Defender for Endpoint (MDE) hunting ideas (adapt as needed). Microsoft provides example hunting queries for discovering suspicious driver creation and correlating certificate/signing metadata. (Microsoft Tech Community)
```kusto
// MDE Advanced Hunting - new driver files created
DeviceFileEvents
| where ActionType == "FileCreated"
| where FileName endswith ".sys"
```

```kusto
// MDE Advanced Hunting - kernel services registered
DeviceEvents
| where ActionType contains "ServiceInstalled"
| extend ParsedFields=parse_json(AdditionalFields)
| extend ServiceType = tostring(ParsedFields.ServiceType)
| where ServiceType == "1" // kernel-mode driver
```
Controls-based detection / prevention:
- Enable or enforce the Microsoft Vulnerable Driver Blocklist (Windows Security / HVCI / WDAC/App Control), which Microsoft notes is enabled by default on Windows 11 22H2+ and is designed to block known vulnerable drivers. (Microsoft Support)
- Enable the Defender ASR rule “Block abuse of exploited vulnerable signed drivers” (where available) to prevent driver drop/write patterns associated with vulnerable signed drivers. (Microsoft Learn)
Incident Response Guidance
6.1 Containment, eradication, and recovery
- Containment
- Isolate suspected endpoints where driver/service installation events or suspicious .sys drops are observed (prioritise high-value servers and admin workstations). (Microsoft Tech Community)
- Temporarily restrict driver loading where operationally feasible (e.g., tighten WDAC/App Control policies; review whether HVCI/Memory Integrity is enabled). (Microsoft Tech Community)
- Eradication
- Remove unauthorised instances of BioNTdrv.sys and associated kernel services that were not deployed via standard IT channels. (kb.cert.org)
- Update Paragon components to patched versions / driver v2.0.0 (see Mitigations). (paragon-software.zendesk.com)
- Recovery
- Rebuild or reimage hosts where kernel compromise is suspected, as kernel-level tampering can undermine trust in system integrity. (General best practice; validate with your internal IR policy.)
- Re-enable and validate endpoint security controls after remediation (EDR health, tamper protection, policy compliance). (Microsoft Tech Community)
6.2 Forensic artefacts to collect and preserve
- Driver inventory (driverquery, installed driver metadata, file hashes/signatures). (Microsoft Tech Community)
- Windows Event Logs:
  - Service creation (e.g., Event ID 7045) and any driver-load telemetry available. (Microsoft Tech Community)
- EDR telemetry around .sys creation, service install, and privilege escalation events (especially on endpoints preceding ransomware execution). (Microsoft Tech Community)
6.3 Lessons learned and preventive recommendations
- Treat signed driver trust as a constrained resource: enforce driver allow/block controls (WDAC/App Control + blocklist), and monitor for anomalous driver/service activity. (Microsoft Tech Community)
Threat Intelligence Contextualisation
7.1 Similar incident patterns (BYOVD as a ransomware enabler)
Microsoft notes BYOVD has been increasingly used by ransomware groups since ~2020, typically to reach kernel-level access and disrupt security tooling. (Microsoft Tech Community)
7.2 Full MITRE ATT&CK mapping (observed + defensible from sources)
| Tactic | Technique ID | Technique Name | Observed Behaviour |
|---|---|---|---|
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | Exploitation of BioNTdrv.sys vulnerability (notably CVE-2025-0289) to elevate to SYSTEM in ransomware-linked activity (kb.cert.org) |
| Persistence / Privilege Escalation | T1543.003 | Windows Service | Likely driver/service registration steps needed to load the vulnerable driver (telemetry focus per Microsoft guidance) (Microsoft Tech Community) |
| Defence Evasion | T1562.001 | Disable or Modify Tools | BYOVD described by Microsoft as a method to undermine or disrupt security controls following kernel access (Microsoft Tech Community) |
Mitigation Recommendations
8.1 Actionable hardening steps
- Patch/upgrade Paragon driver to BioNTdrv.sys v2.0.0 (and corresponding product versions) per Paragon guidance. (paragon-software.zendesk.com)
- Enforce Microsoft Vulnerable Driver Blocklist (particularly on Windows 10/Server estates where it may not be default-on). (Microsoft Support)
- Enable Memory Integrity / HVCI where feasible to strengthen kernel protections, as recommended within Microsoft’s vulnerable driver defensive guidance. (Microsoft Tech Community)
- Deploy Defender ASR controls including “Block abuse of exploited vulnerable signed drivers” to reduce exposure to signed-driver abuse patterns. (Microsoft Learn)
8.2 Patch management advice (prioritised)
Prioritise based on exploit observation and severity:
- CVE-2025-0289 (observed exploited; High 7.8) — NVD (kb.cert.org)
- CVE-2025-0286 (High 8.4) — NVD (NVD)
- CVE-2025-0285 / CVE-2025-0288 (High 7.8) — NVD: 0285, NVD: 0288 (NVD)
- CVE-2025-0287 (Medium 5.1) — NVD (NVD)
Interim workaround (where patching is delayed):
- Enforce driver block rules (WDAC/App Control + blocklist) and monitor/alert on new driver installations and kernel services. (Microsoft Learn)
Historical Context & Related Vulnerabilities
9.1 Previously exploited vulnerabilities in the same product family
This report focuses on the BioNTdrv.sys set disclosed in VU#726882. The authoritative sources reviewed here do not enumerate earlier exploited CVEs for this specific driver family beyond the five listed; avoid assuming additional history without corroboration. (kb.cert.org)
9.2 Related coverage
- Security reporting summarising ransomware/BYOVD exploitation of the Paragon driver set: SecurityWeek coverage, The Hacker News coverage, The Register coverage (SecurityWeek)
Future Outlook
10.1 Emerging trends and likely evolution
Microsoft’s security guidance indicates BYOVD has become a durable, repeatable tradecraft pattern—particularly for ransomware operators—because it leverages legitimate signing trust to reach kernel access. Expect continued use of vulnerable signed drivers (including “living off the land” driver ecosystems) to bypass or degrade endpoint protections. (Microsoft Tech Community)
10.2 Predicted shifts in targeting/tooling
As more enterprises harden driver loading (HVCI, WDAC, ASR), attackers are likely to:
- Shift to alternative signed drivers not yet blocked, or
- Combine BYOVD with faster privilege escalation and more aggressive EDR disruption at the earliest post-compromise stage. (Microsoft Tech Community)
Further Reading
Vendor / Coordinated advisories
- CERT/CC Vulnerability Note VU#726882 (BioNTdrv.sys) (kb.cert.org)
- Paragon Security Patch Advisory (BioNTdrv.sys v2.0.0) (paragon-software.zendesk.com)
Microsoft defensive guidance
- Microsoft: Strategies to monitor and prevent vulnerable driver attacks (Microsoft Tech Community)
- Microsoft Learn: Microsoft recommended driver block rules (Microsoft Learn)
- Microsoft Support: Vulnerable driver blocklist behaviour and defaults (Microsoft Support)
- Microsoft Learn: ASR rules reference (vulnerable signed drivers) (Microsoft Learn)
NVD entries
- NVD: CVE-2025-0285 (NVD)
- NVD: CVE-2025-0286 (NVD)
- NVD: CVE-2025-0287 (NVD)
- NVD: CVE-2025-0288 (NVD)
- NVD: CVE-2025-0289 (NVD)
