Paragon Software’s widely used Hard Disk Manager (HDM) product line has been found to contain five severe vulnerabilities in its kernel-mode driver, BioNTdrv.sys, that let a local attacker escalate privileges to SYSTEM or crash the machine (denial of service).
The flaws, now patched, were exploited in the wild: Microsoft reported observing ransomware actors abuse the driver in Bring Your Own Vulnerable Driver (BYOVD) attacks, loading the legitimately Microsoft-signed binary to gain kernel access.
The vulnerabilities (CVE-2025-0285 through CVE-2025-0289) affect BioNTdrv.sys releases prior to the fixed 2.0.0 build, including the 1.3.0 and 1.5.1 versions shipped with Hard Disk Manager; CVE-2025-0285 to CVE-2025-0288 were reported against 1.3.0 and CVE-2025-0289 against 1.5.1.
Microsoft’s Threat Intelligence team confirmed that attackers exploited these flaws via BYOVD tactics, which means a system need not have Paragon software installed at all: an attacker who already holds administrative rights drops the signed driver on the target, loads it, and then uses its bugs to run code in the kernel.
Key Risks:
Affected Products and CVEs
| CVE ID | Vulnerability Type | Affected Product |
|---|---|---|
| CVE-2025-0285 | Arbitrary kernel memory mapping | Paragon Hard Disk Manager |
| CVE-2025-0286 | Arbitrary kernel memory write | Paragon Hard Disk Manager |
| CVE-2025-0287 | Null pointer dereference | Paragon Hard Disk Manager |
| CVE-2025-0288 | Arbitrary kernel memory access via memmove | Paragon Hard Disk Manager |
| CVE-2025-0289 | Insecure kernel resource access | Paragon Hard Disk Manager |
The BioNTdrv.sys driver, designed for low-level disk management, failed to validate user-controlled input passed to it from user mode (buffer lengths and pointers embedded in IOCTL requests), enabling a local attacker to map or write arbitrary kernel memory, escalate to SYSTEM, or crash the host.
Microsoft emphasized that, because the driver carries a valid Microsoft signature, Windows will load it without complaint; BYOVD attackers exploit exactly this, so the exposure exists on any Windows system where an administrator-level attacker can install a driver, whether or not Paragon software is present.
Paragon Software released BioNTdrv.sys version 2.0.0 to address the flaws; the remediation steps for users and enterprises are given below.
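To make the bug class concrete, the following is an added example and not code from BioNTdrv.sys or Paragon: a user-mode model of an IOCTL handler that copies a caller-supplied payload with memmove using a length taken from inside the request, beside a hardened handler that checks that length against what the I/O manager actually delivered and against the destination size. The request layout (a 4-byte length followed by payload), the 64-byte destination buffer and the canary are assumptions chosen for illustration; the point it demonstrates is the unvalidated-length-to-memmove pattern described above, not the driver’s real internals.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KBUF_SIZE   64u               /* hypothetical size of the driver's destination buffer */
#define REQ_HDR_LEN sizeof(uint32_t)  /* hypothetical request: 4-byte caller-supplied length + payload */

/* Stand-in for kernel pool: the destination buffer followed by a 4-byte canary
 * that represents whatever object happens to sit after it in memory. */
static const uint8_t CANARY[4] = { 0xDE, 0xAD, 0xBE, 0xEF };
static uint8_t kmem[KBUF_SIZE + sizeof CANARY];

void reset_kernel_memory(void) {
    memset(kmem, 0, KBUF_SIZE);
    memcpy(kmem + KBUF_SIZE, CANARY, sizeof CANARY);
}

int canary_intact(void) {
    return memcmp(kmem + KBUF_SIZE, CANARY, sizeof CANARY) == 0;
}

/* Vulnerable pattern: the byte count handed to memmove comes from inside the
 * user-supplied request and is never compared with in_len (the count the I/O
 * manager really delivered, i.e. InputBufferLength) nor with the destination
 * size. Returns 0 like a handler that reports success. */
int vulnerable_handler(const uint8_t *in, size_t in_len) {
    (void)in_len;                           /* ignored: this is the bug */
    uint32_t n;
    memcpy(&n, in, REQ_HDR_LEN);            /* attacker chooses n */
    if (n > sizeof kmem) n = sizeof kmem;   /* demo-only clamp so the overwrite stays inside kmem */
    memmove(kmem, in + REQ_HDR_LEN, n);     /* overruns the 64-byte buffer whenever n > 64 */
    return 0;
}

/* Hardened pattern: every user-controlled quantity is checked against what the
 * I/O manager guarantees before any memory operation. Returns -1 where a real
 * driver would fail the IRP with STATUS_INVALID_PARAMETER / STATUS_BUFFER_TOO_SMALL. */
int hardened_handler(const uint8_t *in, size_t in_len) {
    if (in == NULL || in_len < REQ_HDR_LEN) return -1;  /* header must be present */
    uint32_t n;
    memcpy(&n, in, REQ_HDR_LEN);
    if (n > in_len - REQ_HDR_LEN) return -1;  /* claims more payload than was supplied */
    if (n > KBUF_SIZE) return -1;             /* would overrun the destination */
    memmove(kmem, in + REQ_HDR_LEN, n);
    return 0;
}

/* Builds a constructed request into buf: the claimed length, then 'A' payload
 * filling the remaining capacity. Returns the number of bytes written. */
size_t build_request(uint8_t *buf, size_t cap, uint32_t claimed_len) {
    memset(buf, 'A', cap);
    memcpy(buf, &claimed_len, REQ_HDR_LEN);
    return cap;
}

int main(void) {
    uint8_t req[sizeof kmem + REQ_HDR_LEN];   /* enough backing for the clamped demo copy */

    /* Malicious request: claims 68 payload bytes, but only 8 bytes were "delivered". */
    build_request(req, sizeof req, (uint32_t)sizeof kmem);
    reset_kernel_memory();
    printf("hardened  : rc=%d canary_intact=%d\n", hardened_handler(req, 8), canary_intact());
    reset_kernel_memory();
    printf("vulnerable: rc=%d canary_intact=%d\n", vulnerable_handler(req, 8), canary_intact());

    /* Honest request: claims 16 bytes and 20 bytes (header + 16) were delivered. */
    build_request(req, sizeof req, 16u);
    reset_kernel_memory();
    printf("hardened ok: rc=%d canary_intact=%d\n", hardened_handler(req, 20), canary_intact());
    return 0;
}
```

The two checks in hardened_handler are the ones a reviewer looks for in any METHOD_BUFFERED dispatch routine: the embedded count must not exceed the bytes the I/O manager actually copied into the system buffer, and it must not exceed the size of whatever the driver writes into. Pointers embedded in a request need the same treatment (probing the address and rejecting NULL) before the driver dereferences them or passes them to HAL routines.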
“These vulnerabilities underscore the risks of third-party kernel drivers,” stated Microsoft’s security team. “Proactive patch management and driver blocklisting are critical to disrupt adversarial workflows.”
Paragon Software urged users to upgrade to Hard Disk Manager 18.0 or newer, which includes the patched driver. Where updates are delayed, disabling or removing the BioNTdrv.sys driver is advised. Microsoft has also added the affected BioNTdrv.sys versions to its Vulnerable Driver Blocklist, so systems that enforce the blocklist (for example, with memory integrity/HVCI enabled) will refuse to load them even if an attacker brings a copy along; defenders should verify that enforcement is on rather than assume it.
This incident highlights the growing sophistication of BYOVD-based attacks and the urgent need for cross-industry vulnerability coordination.