Ransomware operators exploit a vulnerable Paragon driver in BYOVD attacks to elevate privileges to System.
March 3, 2025 By Ionut Arghire
Ransomware operators have been observed deploying a vulnerable Paragon Hard Disk Manager driver in attacks and exploiting it to elevate their privileges to System.
The driver, Biontdrv.sys, which is part of Hard Disk Manager and other products that rely on it, such as Paragon Partition Manager and Backup and Recovery, contains five vulnerabilities that allow attackers to elevate privileges or cause a denial-of-service (DoS) condition.
“Additionally, as the attack involves a Microsoft-signed driver, an attacker can leverage a Bring Your Own Vulnerable Driver (BYOVD) technique to exploit systems even if Paragon Partition Manager is not installed,” a CERT/CC advisory reads.
The security defects include an arbitrary kernel memory bug (CVE-2025-0288), a null pointer dereference issue (CVE-2025-0287), an arbitrary kernel memory write flaw (CVE-2025-0286), an arbitrary kernel memory mapping bug (CVE-2025-0285), and an insecure kernel resource access vulnerability (CVE-2025-0289).