Ransomware operators are exploiting a vulnerability in BioNTdrv.sys, a Microsoft-signed kernel driver that Paragon Software ships with Paragon Partition Manager. The driver's legitimate job is partition and disk-space management; attackers instead use the signed but flawed driver as a stepping stone into the Windows kernel.
How the Attack Works
The exploited flaw is tracked as CVE-2025-0289 and is abused through a “bring your own vulnerable driver” (BYOVD) attack: the attacker copies the legitimate but flawed driver onto the victim machine and loads it, which Windows permits because the driver carries a valid Microsoft signature. Loading a driver already requires administrator rights, so BYOVD is not an initial foothold; what the vulnerability buys the attacker is the step from administrator to kernel-mode execution with SYSTEM privileges. From the kernel they can deploy ransomware, steal data, or disable endpoint security software, which runs with less privilege than the kernel and cannot defend itself against a kernel-mode attacker, so the follow-on activity is unlikely to be detected or blocked.
The product itself does not need to be present: the vulnerability can be exploited on devices that never had Paragon Partition Manager installed, because the attacker brings a copy of BioNTdrv.sys along and loads it. A software inventory that looks for the installed product will therefore miss the attack; defenders need to look for the driver file itself, for its service registration, and for driver-load events on hosts where the product has no business being.
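A host check for the driver described above, added here as an example; it is not code from the article, from Paragon, Microsoft or CERT/CC. It hunts for copies of BioNTdrv.sys on disk, its kernel service registration, service-install events naming it, and whether the host would block a known-bad driver at all. The fixed build number ($FixedVersion) and the search paths are assumptions and are marked as such in the code; run it from an elevated PowerShell session.

```powershell
# Added example for this article: hunt a Windows host for the Paragon BioNTdrv.sys driver
# affected by CVE-2025-0289 (and the related CVEs) and report whether a BYOVD-style
# load of it would currently succeed. Illustrative code, not Paragon's, Microsoft's or
# CERT/CC's tooling. Run from an elevated PowerShell session.
#
# ASSUMPTION: builds older than $FixedVersion are treated as vulnerable. Check the
# current vendor / CERT advisory for the real fixed build before trusting the verdict.
$DriverName   = 'BioNTdrv.sys'
$FixedVersion = [version]'2.0.0'   # assumed, see note above

$findings = [System.Collections.Generic.List[object]]::new()

# 1. Copies of the driver on disk. BYOVD tooling drops the file wherever it likes, so look
#    beyond the drivers directory; the extra roots below are assumed staging spots.
$searchRoots = @(
    "$env:SystemRoot\System32\drivers",
    "$env:SystemRoot\System32\DriverStore\FileRepository",
    "$env:ProgramData",
    "$env:TEMP"
)
foreach ($root in $searchRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Filter $DriverName -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $vi  = $_.VersionInfo
            $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $findings.Add([pscustomobject]@{
                Check   = 'OnDisk'
                Detail  = $_.FullName
                Version = $ver
                Signer  = $sig.SignerCertificate.Subject
                Concern = ($ver -lt $FixedVersion)      # old build present = loadable BYOVD payload
            })
        }
}

# 2. Is the driver registered as a kernel service, and is it running right now?
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -like "*$DriverName" } |
    ForEach-Object {
        $findings.Add([pscustomobject]@{
            Check   = 'Service'
            Detail  = "$($_.Name) state=$($_.State) start=$($_.StartMode) path=$($_.PathName)"
            Version = $null
            Signer  = $null
            Concern = ($_.State -eq 'Running')
        })
    }

# 3. Service-installation events (System log, ID 7045) naming the driver: a fresh 7045 for
#    BioNTdrv on a box that never had Partition Manager is the BYOVD tell.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($DriverName) } |
    ForEach-Object {
        $findings.Add([pscustomobject]@{
            Check   = 'Event7045'
            Detail  = "$($_.TimeCreated) $($_.Message -replace '\s+', ' ')"
            Version = $null
            Signer  = $null
            Concern = $true
        })
    }

# 4. Would Windows refuse to load a blocklisted driver? Microsoft's vulnerable driver
#    blocklist is enforced when HVCI is running or the CI\Config toggle is set; with
#    neither, a validly signed driver loads regardless of its CVE history.
$ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$hvciRunning   = ($dg.SecurityServicesRunning -contains 2)   # 2 = HVCI in Win32_DeviceGuard
$blocklistFlag = [bool]$ci.VulnerableDriverBlocklistEnable
$findings.Add([pscustomobject]@{
    Check   = 'Mitigation'
    Detail  = "HVCI running=$hvciRunning; VulnerableDriverBlocklistEnable=$blocklistFlag"
    Version = $null
    Signer  = $null
    Concern = -not ($hvciRunning -or $blocklistFlag)       # nothing would stop the load
})

$findings | Format-Table -AutoSize -Wrap
```

Any row with Concern set to True deserves a look: an old build on disk is a ready-made BYOVD payload, a running service or a 7045 event on a host without Partition Manager is the attack in progress, and a Mitigation row with Concern True means the machine will happily load the driver if someone brings it. Because a kernel-mode attacker can tamper with the host afterwards, treat results from a suspected-compromised machine as indicative rather than authoritative.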
Other Vulnerabilities
Researchers also found four additional flaws in the driver:
1. CVE-2025-0288: Gives a local attacker arbitrary access to kernel memory, a building block for taking full control of the kernel.
2. CVE-2025-0287: A null pointer dereference that a local attacker can trigger to crash the system (denial of service).
3. CVE-2025-0286: Enables attackers to execut
[…]