Microsoft has discovered five security flaws in BioNTdrv.sys, the kernel driver shipped with Paragon Partition Manager, and one of them is being actively exploited by ransomware gangs to gain SYSTEM privileges on Windows.
The attackers use a technique called “Bring Your Own Vulnerable Driver” (BYOVD): having already obtained administrative rights on a victim’s machine, they load a legitimately signed but buggy driver that Windows accepts because its signature is valid, then abuse the bug to read and write kernel memory. That kernel-level access lets them run code with the highest privileges, terminate or blind endpoint security software, and spread malware without being stopped. The vulnerable driver does not need to be present beforehand; the attacker brings a copy with them.
The most concerning flaw, tracked as CVE-2025-0289, has already been used in ransomware attacks. Microsoft has not disclosed which ransomware groups are behind the attacks but has confirmed that cybercriminals are actively exploiting this vulnerability.
Paragon Software has released a fixed driver, and Microsoft has added the vulnerable versions of BioNTdrv.sys to its ‘Vulnerable Driver Blocklist’ so that Windows refuses to load them. Users of Paragon Partition Manager should update to the latest version, which ships BioNTdrv.sys version 2.0.0, to stay protected.
Even users who do not have Paragon Partition Manager installed may still be at risk, because a BYOVD attacker deploys the vulnerable driver independently. To stay safe, Microsoft recommends making sure the ‘Vulnerable Driver Blocklist’ is enabled in Windows Security under Device security → Core isolation. The blocklist is on by default on Windows 11 22H2 and later and on any system running memory integrity (HVCI); on older builds it must be switched on explicitly, and the updated blocklist reaches machines through Windows Update, so keeping Windows current matters as much as the toggle.
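The following script is an added example (it is not code from the article, Microsoft, or Paragon) that turns the advice above into a check an administrator can run from an elevated PowerShell prompt: it looks for BioNTdrv.sys both as a registered driver service and as a file in the usual drop locations, compares its file version against the 2.0.0 fixed build the article names, reports whether the Vulnerable Driver Blocklist is enforced (via the registry value the Settings toggle writes and via HVCI status), and pulls Code Integrity block events mentioning the driver. The only assumption beyond the page is that any BioNTdrv.sys older than 2.0.0, or with no readable version, should be treated as vulnerable.

```powershell
# Added example, not code from the article, Microsoft or Paragon: audit a Windows host for
# BioNTdrv.sys and for the Microsoft Vulnerable Driver Blocklist. Run from an elevated PowerShell.
# Assumption (from the article): 2.0.0 is the fixed driver; any older build is treated as vulnerable.
$FixedVersion = [version]'2.0.0'

function Convert-DriverPath {
    # Normalise the path forms Win32_SystemDriver.PathName uses (\??\C:\..., \SystemRoot\..., system32\...).
    param([string]$PathName)
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-BioNTdrvInstances {
    # Registered driver services catch both the Paragon install and a BYOVD copy the attacker registered.
    $services = @(Get-CimInstance -ClassName Win32_SystemDriver | Where-Object { $_.PathName -match 'BioNTdrv\.sys' })
    $loaded   = @($services | Where-Object { $_.State -eq 'Running' } | ForEach-Object { Convert-DriverPath $_.PathName })

    # Also sweep the directories where an installer, or an intruder staging a driver, typically drops it.
    $roots = @("$env:SystemRoot\System32\drivers", $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData, $env:TEMP) |
        Where-Object { $_ -and (Test-Path $_) }
    $files = @($roots | ForEach-Object {
        Get-ChildItem -Path $_ -Filter 'BioNTdrv.sys' -Recurse -File -ErrorAction SilentlyContinue
    } | ForEach-Object { $_.FullName })

    $paths = @($services | ForEach-Object { Convert-DriverPath $_.PathName }) + $files | Sort-Object -Unique
    foreach ($p in $paths) {
        if (-not (Test-Path $p)) { continue }
        $ver = $null
        # FileVersion may carry trailing text; keep only the numeric prefix so it parses as [version].
        if ((Get-Item $p).VersionInfo.FileVersion -match '^\s*(\d+(\.\d+){1,3})') { $ver = [version]$Matches[1] }
        [pscustomobject]@{
            Path       = $p
            Version    = $ver
            Loaded     = $loaded -contains $p
            # An unreadable version is treated as vulnerable: a dropped copy may have stripped metadata.
            Vulnerable = ($null -eq $ver) -or ($ver -lt $FixedVersion)
        }
    }
}

function Get-BlocklistStatus {
    # The Settings toggle (Device security -> Core isolation) writes this value; when it is absent the
    # OS default applies: on for Windows 11 22H2 and later, off on earlier builds unless HVCI enforces it.
    $ci   = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $flag = (Get-ItemProperty -Path $ci -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    # Memory integrity (HVCI) enforces the blocklist regardless of the toggle; service id 2 = HVCI running.
    $dg   = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $hvci = ($null -ne $dg) -and (@($dg.SecurityServicesRunning) -contains 2)
    [pscustomobject]@{
        ToggleValue = $(if ($null -eq $flag) { 'not set (OS default)' } else { $flag })
        HvciRunning = $hvci
        Enforced    = ($flag -eq 1) -or $hvci
    }
}

function Get-BlockedBioNTdrvEvents {
    # Code Integrity logs event 3077 when it refuses to load a driver. A hit naming BioNTdrv on a host
    # that never had Paragon installed is a strong BYOVD indicator worth escalating.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3077 } -MaxEvents 500 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'BioNTdrv' } |
        Select-Object TimeCreated, Id, Message
}

$status = Get-BlocklistStatus
$status | Format-List
$found = @(Get-BioNTdrvInstances)
if ($found.Count -eq 0) { Write-Host 'No BioNTdrv.sys found on disk or registered as a driver.' }
else { $found | Format-Table -AutoSize }
Get-BlockedBioNTdrvEvents | Format-List
if (-not $status.Enforced -or ($found | Where-Object Vulnerable)) {
    Write-Warning 'Action needed: enable the Vulnerable Driver Blocklist and/or update Paragon Partition Manager (BioNTdrv.sys 2.0.0).'
}
```

Two caveats when reading the output: a vulnerable file sitting on disk but not loaded is an exposure, not proof of compromise, whereas a running sub-2.0.0 instance on a machine with no Paragon product installed should be handled as an incident; and `Enforced = True` only means the blocklist mechanism is active, so a host that has not received the blocklist update via Windows Update can still load the driver.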
Bijay Pokharel