Paragon Hard Disk Manager Flaw Enables Privilege Escalation and DoS Attacks

Paragon Software’s widely used Hard Disk Manager (HDM) product line has been found to contain five severe vulnerabilities in its kernel-level driver, BioNTdrv.sys, enabling attackers to escalate privileges to SYSTEM-level access or trigger denial-of-service (DoS) attacks.

The flaws, now patched, were actively exploited in ransomware campaigns leveraging Microsoft-signed drivers, according to cybersecurity researchers.

Overview of the Vulnerabilities

The vulnerabilities (CVE-2025-0285 through CVE-2025-0289) exist in BioNTdrv.sys versions 10.1.X.Y and older, including 1.0.0.0, 1.1.0.0, 1.3.0.0, 1.4.0.0, and 1.5.1.0.

Microsoft’s Threat Intelligence team confirmed that attackers exploited these flaws via Bring Your Own Vulnerable Driver (BYOVD) tactics, even on systems without Paragon software installed.

Key Risks:

  • Privilege Escalation: Attackers gain SYSTEM-level control to execute malicious code.
  • Denial-of-Service (DoS): Trigger system crashes (e.g., Blue Screen of Death).
  • Ransomware Attacks: Microsoft observed active exploitation in BYOVD-based ransomware campaigns.

Affected Products and CVEs

CVE ID          Vulnerability Type                       Affected Product
CVE-2025-0285   Arbitrary Kernel Memory Mapping          Paragon Hard Disk Manager
CVE-2025-0286   Arbitrary Kernel Memory Write            Paragon Hard Disk Manager
CVE-2025-0287   Null Pointer Dereference                 Paragon Hard Disk Manager
CVE-2025-0288   Arbitrary Kernel Memory via memmove      Paragon Hard Disk Manager
CVE-2025-0289   Insecure Kernel Resource Access          Paragon Hard Disk Manager

Technical Breakdown

The BioNTdrv.sys driver, designed for low-level disk management, failed to validate user-controlled inputs, enabling attackers to:

  1. Map or write arbitrary kernel memory (CVE-2025-0285, 0286, 0288).
  2. Exploit null pointer dereferences (CVE-2025-0287).
  3. Abuse unvalidated system pointers (CVE-2025-0289).

Microsoft emphasized that the driver’s Microsoft signature allowed attackers to bypass security checks via BYOVD, even on unpatched systems without Paragon software.

  • Local Attack Vector: Attackers with local access, whether physical or through an existing remote foothold, could escalate privileges to install malware, exfiltrate data, or cripple systems.
  • Ransomware Link: CVE-2025-0289 was specifically weaponized to gain SYSTEM access before deploying ransomware payloads.

Paragon Software released BioNTdrv.sys version 2.0.0 to address the flaws. Users and enterprises must:

  1. Update Immediately: Apply patches via Paragon’s advisory.
  2. Enable Microsoft’s Blocklist: Ensure Windows Security’s Vulnerable Driver Blocklist is active (default on Windows 11).
  3. Audit Enterprise Systems: IT teams should verify blocklist enforcement to prevent BYOVD attacks.
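The following PowerShell audit is an added example, not code from the article, Paragon, or Microsoft. It checks a host for the three items above: whether BioNTdrv.sys is registered or present on disk and whether its version reaches the patched 2.0.0 named in the article, and whether the Vulnerable Driver Blocklist and HVCI are on. The registry path and value name for the blocklist setting are assumed from Microsoft's driver-blocklist documentation; run it from an elevated session.

```powershell
# Added audit script (not from the article). Run elevated on Windows.
$PatchedVersion = [version]'2.0.0'   # patched driver version named in the article

# 1. Is BioNTdrv.sys registered as a kernel driver service (loaded or not)?
$svc = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.Name -match 'BioNTdrv' -or $_.PathName -match 'BioNTdrv\.sys' }
if ($svc) {
    foreach ($d in $svc) {
        Write-Output ("Driver service: {0}  state={1}  path={2}" -f $d.Name, $d.State, $d.PathName)
    }
} else {
    Write-Output "No BioNTdrv driver service registered."
}

# 2. On-disk copies: report file version, signer and hash, and compare to the patched version.
$files = Get-ChildItem -Path "$env:SystemRoot\System32\drivers" -Filter 'BioNTdrv*.sys' -ErrorAction SilentlyContinue
foreach ($f in $files) {
    $raw = $f.VersionInfo.FileVersion
    $parsed = $null
    # Strip any trailing text so strings like "1.5.1.0" parse as [version].
    [void][version]::TryParse(($raw -replace '[^\d\.].*$', ''), [ref]$parsed)
    $status = if ($parsed -and $parsed -ge $PatchedVersion) { 'patched' } else { 'VULNERABLE or unknown version' }
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    Write-Output ("File: {0}`n  version={1} ({2})`n  signer={3}`n  sha256={4}" -f
        $f.FullName, $raw, $status, $sig.SignerCertificate.Subject, $hash)
}

# 3. Vulnerable Driver Blocklist (registry path/value assumed from Microsoft docs; 1 = enabled).
$ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
$blocklist = if ($null -ne $ci -and $null -ne $ci.VulnerableDriverBlocklistEnable) {
    $ci.VulnerableDriverBlocklistEnable
} else { 'not set (platform default applies)' }
Write-Output ("VulnerableDriverBlocklistEnable = {0}" -f $blocklist)

# 4. HVCI (memory integrity) running? SecurityServicesRunning contains 2 when it is.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$hvci = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 2)
Write-Output ("HVCI running = {0}" -f $hvci)
```

A host that shows an on-disk driver below 2.0.0 with the blocklist not enabled is the case the advisory warns about, since BYOVD needs only the vulnerable file to be loadable, not the Paragon application.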

“These vulnerabilities underscore the risks of third-party kernel drivers,” stated Microsoft’s security team. “Proactive patch management and driver blocklisting are critical to disrupt adversarial workflows.”

Paragon Software urged users to upgrade to Hard Disk Manager 18.0 or newer, which includes the patched driver. For systems where updates are delayed, disabling or removing the BioNTdrv.sys driver is advised.

This incident highlights the growing sophistication of BYOVD-based attacks and the urgent need for cross-industry vulnerability coordination.

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
