Paragon Software’s widely used Hard Disk Manager (HDM) product line has been found to contain five severe vulnerabilities in its kernel-level driver, BioNTdrv.sys, enabling attackers to escalate privileges to SYSTEM-level access or trigger denial-of-service (DoS) attacks.
The flaws, now patched, were actively exploited in ransomware campaigns leveraging Microsoft-signed drivers, according to cybersecurity researchers.
The vulnerabilities (CVE-2025-0285 through CVE-2025-0289) affect the BioNTdrv.sys driver shipped with Hard Disk Manager product-line versions 10.1.X.Y and older; affected driver versions include 1.0.0.0, 1.1.0.0, 1.3.0.0, 1.4.0.0, and 1.5.1.0.
Microsoft’s Threat Intelligence team confirmed that attackers exploited these flaws via Bring Your Own Vulnerable Driver (BYOVD) tactics, even on systems without Paragon software installed.
Key Risks:
Affected Products and CVEs
| CVE ID | Vulnerability Type | Affected Product |
|---|---|---|
| CVE-2025-0285 | Arbitrary Kernel Memory Mapping | Paragon Hard Disk Manager |
| CVE-2025-0286 | Arbitrary Kernel Memory Write | Paragon Hard Disk Manager |
| CVE-2025-0287 | Null Pointer Dereference | Paragon Hard Disk Manager |
| CVE-2025-0288 | Arbitrary Kernel Memory via memmove | Paragon Hard Disk Manager |
| CVE-2025-0289 | Insecure Kernel Resource Access | Paragon Hard Disk Manager |
The BioNTdrv.sys driver, designed for low-level disk management, failed to validate user-controlled inputs, enabling attackers to:
Microsoft emphasized that because BioNTdrv.sys carries a valid Microsoft signature, Windows driver signature enforcement loads it without complaint; in a BYOVD attack the adversary brings the vulnerable driver along and loads it on a target that has no Paragon software installed at all, then exploits it to gain kernel-level control.
Paragon Software released BioNTdrv.sys version 2.0.0 to address the flaws. Users and enterprises must:
“These vulnerabilities underscore the risks of third-party kernel drivers,” stated Microsoft’s security team. “Proactive patch management and driver blocklisting are critical to disrupt adversarial workflows.”
Paragon Software urged users to upgrade to Hard Disk Manager 18.0 or newer, which includes the patched driver. For systems where updates are delayed, disabling or removing the BioNTdrv.sys driver is advised.
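The following PowerShell script is an added example for the audit and interim-mitigation steps above; it is not Paragon's or Microsoft's code. It finds every copy of BioNTdrv.sys on disk (a BYOVD operator can drop the driver anywhere, not just System32), compares the file version with the 2.0.0 fix, lists any loaded driver service backed by that file, and reports whether the Microsoft Vulnerable Driver Blocklist and HVCI are on. The registry location of the blocklist switch and the meaning of value 2 in Win32_DeviceGuard.SecurityServicesRunning are assumptions from my own notes and should be checked against current Microsoft documentation; the driver's service name is discovered at run time rather than assumed.

```powershell
# Added example, not from the original article or from Paragon/Microsoft.
# Run from an elevated PowerShell prompt on the host being audited.

$PatchedVersion = [version]'2.0.0.0'   # first fixed BioNTdrv.sys per Paragon
$SearchRoots = @(
    "$env:SystemRoot\System32\drivers",
    "$env:ProgramFiles",
    "${env:ProgramFiles(x86)}",
    "$env:TEMP"                         # common BYOVD staging location
)

function Get-DriverVersion {
    # Parse the file-version string into a [version] so it can be compared.
    param([string]$Path)
    $raw = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
    if ($raw -match '(\d+)[.,]\s*(\d+)[.,]\s*(\d+)[.,]\s*(\d+)') {
        return [version]"$($Matches[1]).$($Matches[2]).$($Matches[3]).$($Matches[4])"
    }
    return $null
}

# 1. Every on-disk copy of the driver, with version and signer.
$copies = foreach ($root in $SearchRoots) {
    if (Test-Path -LiteralPath $root) {
        Get-ChildItem -LiteralPath $root -Recurse -File -Filter 'BioNTdrv.sys' -ErrorAction SilentlyContinue
    }
}
foreach ($file in $copies) {
    $ver = Get-DriverVersion -Path $file.FullName
    $status = if ($null -eq $ver)            { 'UNKNOWN-VERSION' }
              elseif ($ver -lt $PatchedVersion) { 'VULNERABLE' }
              else                           { 'patched' }
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    '{0,-16} {1,-10} signer={2} {3}' -f $status, $ver, $sig.SignerCertificate.Subject, $file.FullName
}

# 2. Is the driver registered as a service, and is it running right now?
$svc = Get-CimInstance -ClassName Win32_SystemDriver |
       Where-Object { $_.PathName -match 'BioNTdrv\.sys' }
$svc | Select-Object Name, State, StartMode, PathName

# 3. Mitigations the advisory recommends (assumed registry/WMI locations).
$ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
'Microsoft Vulnerable Driver Blocklist enabled: {0}' -f ($ci.VulnerableDriverBlocklistEnable -eq 1)

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
'HVCI running: {0}' -f ($dg.SecurityServicesRunning -contains 2)

# 4. Interim remediation where the update cannot be applied yet:
#    stop the driver service and prevent it from loading at boot.
#    Uncomment to apply; sc.exe requires the space after "start=".
# foreach ($s in $svc) {
#     sc.exe stop   $s.Name
#     sc.exe config $s.Name start= disabled
# }
```

Disabling the service only protects a host that relies on it loading at boot; a BYOVD attacker who already has administrative rights can register a fresh copy under another name, which is why the blocklist and HVCI checks in step 3 matter more than step 4 for fleet-wide defense.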
This incident highlights the growing sophistication of BYOVD-based attacks and the urgent need for cross-industry vulnerability coordination.