Paragon Hard Disk Manager Flaw Enables Privilege Escalation and DoS Attacks

Paragon Software’s widely used Hard Disk Manager (HDM) product line has been found to contain five severe vulnerabilities in its kernel-level driver, BioNTdrv.sys, enabling attackers to escalate privileges to SYSTEM-level access or trigger denial-of-service (DoS) attacks.

The flaws, now patched, were actively exploited in ransomware campaigns leveraging Microsoft-signed drivers, according to cybersecurity researchers.

Overview of the Vulnerabilities

The vulnerabilities (assigned CVEs: 2025-0285 to 2025-0289) exist in BioNTdrv.sys versions 10.1.X.Y and older, including 1.0.0.0, 1.1.0.0, 1.3.0.0, 1.4.0.0, and 1.5.1.0.

Microsoft’s Threat Intelligence team confirmed that attackers exploited these flaws via Bring Your Own Vulnerable Driver (BYOVD) tactics, even on systems without Paragon software installed.

Key Risks:

• Privilege Escalation: Attackers gain SYSTEM-level control to execute malicious code.
• Denial-of-Service (DoS): Trigger system crashes (e.g., Blue Screen of Death).
• Ransomware Attacks: Microsoft observed active exploitation in BYOVD-based ransomware campaigns.

Affected Products and CVEs

CVE ID	Vulnerability Type	Affected Product
CVE-2025-0285	Arbitrary Kernel Memory Mapping	Paragon Hard Disk Manager
CVE-2025-0286	Arbitrary Kernel Memory Write	Paragon Hard Disk Manager
CVE-2025-0287	Null Pointer Dereference	Paragon Hard Disk Manager
CVE-2025-0288	Arbitrary Kernel Memory via memmove	Paragon Hard Disk Manager
CVE-2025-0289	Insecure Kernel Resource Access	Paragon Hard Disk Manager

Technical Breakdown

The BioNTdrv.sys driver, designed for low-level disk management, failed to validate user-controlled inputs, enabling attackers to:

1. Map or write arbitrary kernel memory (CVE-2025-0285, 0286, 0288).
2. Exploit null pointer dereferences (CVE-2025-0287).
3. Abuse unvalidated system pointers (CVE-2025-0289).

Microsoft emphasized that the driver’s Microsoft signature allowed attackers to bypass security checks via BYOVD, even on unpatched systems without Paragon software.

• Local Attack Vector: Attackers with physical or remote access could escalate privileges to install malware, exfiltrate data, or cripple systems.
• Ransomware Link: CVE-2025-0289 was specifically weaponized to gain SYSTEM access before deploying ransomware payloads.

Paragon Software released BioNTdrv.sys version 2.0.0 to address the flaws. Users and enterprises must:

1. Update Immediately: Apply patches via Paragon’s advisory.
2. Enable Microsoft’s Blocklist: Ensure Windows Security’s Vulnerable Driver Blocklist is active (default on Windows 11).
3. Audit Enterprise Systems: IT teams should verify blocklist enforcement to prevent BYOVD attacks.

“These vulnerabilities underscore the risks of third-party kernel drivers,” stated Microsoft’s security team. “Proactive patch management and driver blocklisting are critical to disrupt adversarial workflows.”

Paragon Software urged users to upgrade to Hard Disk Manager 18.0 or newer, which includes the patched driver. For systems where updates are delayed, disabling or removing the BioNTdrv.sys driver is advised.

This incident highlights the growing sophistication of BYOVD-based attacks and the urgent need for cross-industry vulnerability coordination.

Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!