On March 1, 2025, CERT/CC published a vulnerability note (VU#726882) covering five vulnerabilities in BioNTdrv.sys, the kernel driver shipped with Paragon Partition Manager. The vulnerabilities -- CVE-2025-0285 through CVE-2025-0289 -- let a local attacker escalate privileges to SYSTEM on Windows. More critically, Microsoft had already observed at least one of the flaws being exploited in Bring Your Own Vulnerable Driver (BYOVD) ransomware attacks, in which the attacker deliberately drops and loads the signed-but-vulnerable driver on a target system to gain kernel-level code execution.
Microsoft responded by adding the vulnerable BioNTdrv.sys versions to the Windows Vulnerable Driver Blocklist, so they are refused on any system where the blocklist is enforced.
The Vulnerabilities
The five CVEs covered different attack paths within the same kernel driver. According to the CERT/CC note, the first four affect driver version 7.9.1 and the fifth affects version 17, the build that was current at disclosure:
- CVE-2025-0285: Arbitrary kernel memory mapping caused by failure to validate user-supplied data lengths.
- CVE-2025-0286: Arbitrary kernel memory write caused by improper validation of user-supplied data lengths.
- CVE-2025-0287: Null pointer dereference caused by the absence of a valid MasterLrp structure in the input buffer. CERT/CC describes this as enabling kernel code execution, not merely a crash.
- CVE-2025-0288: Arbitrary kernel memory write caused by a memmove call that does not sanitize user-controlled input.
- CVE-2025-0289: Insecure kernel resource access caused by failure to validate the MappedSystemVa pointer before passing it to HalReturnToFirmware.
All five are reached through IOCTL (Input/Output Control) requests sent to the device object the driver exposes. A local attacker -- or malware running with standard user privileges -- opens a handle to that device and sends crafted IOCTLs. The common root cause is that the handlers trust lengths and pointers taken straight from the user-supplied input buffer.
CVE-2025-0289 stands out for two reasons. It is the only one of the five that affects the then-current version 17 of the driver, so it exposed users who simply had Paragon installed, not only those running an old build. It is also the one Microsoft reported seeing in BYOVD ransomware attacks, used to escalate to SYSTEM and then run further malicious code. In a BYOVD scenario the attacker chooses which driver version to drop, so all five flaws matter there; CVE-2025-0289 additionally mattered to every up-to-date Paragon install at the time of disclosure.
BYOVD: Why Signed Drivers Matter
Bring Your Own Vulnerable Driver attacks have become one of the most effective privilege escalation techniques in the modern threat landscape. The concept is straightforward:
- The attacker identifies a legitimate kernel driver that carries a signature Windows accepts (WHQL-signed, or an older cross-signed driver that is still honored) and that has an exploitable vulnerability.
- The attacker drops this driver onto the target system and registers it as a kernel service. This step requires administrative rights (loading a driver needs SeLoadDriverPrivilege), so BYOVD is not an initial-access technique; it is how an attacker who is already admin crosses into the kernel. Because the driver carries a valid signature, Driver Signature Enforcement allows it to load.
- The attacker exploits the vulnerability in the loaded driver to gain kernel-level code execution.
- With kernel-level access, the attacker can disable security software (including protected EDR processes that admin rights alone cannot terminate), install rootkits, or perform any other action on the system.
The key insight is that the target system does not need to have Paragon Partition Manager installed. The attacker brings their own copy of the vulnerable driver. This is what makes BYOVD attacks so pernicious: the vulnerable software does not need to exist in your environment for you to be affected, so patching the application you do or do not have installed is not, by itself, a defense.
Notable BYOVD campaigns have included:
- Lazarus Group using a vulnerable Dell firmware-update driver (dbutil_2_3.sys) in attacks against aerospace and defense targets.
- BlackByte ransomware using the vulnerable MSI Afterburner driver (RTCore64.sys) and other gaming drivers to disable EDR products.
- Cuba ransomware exploiting a vulnerable Avast Anti-Rootkit driver (aswArPot.sys) to kill security processes.
- Scattered Spider using a vulnerable Intel Ethernet diagnostics driver (iqvw64.sys) in attacks against telecommunications and BPO companies.
The Paragon driver joins a growing list of legitimate drivers weaponized in these campaigns.
Why This Keeps Happening
The root cause is a tension in Windows' security model. On 64-bit Windows, a kernel driver must carry a signature that Driver Signature Enforcement accepts; since Windows 10 version 1607, new drivers on Secure Boot systems must be signed by Microsoft through the Hardware Dev Center, while older cross-signed drivers remain loadable. The signature answers one question at one point in time: did a trusted party release this binary? It says nothing about whether that binary is still safe to load after vulnerabilities are found in it.
When a vulnerability is discovered in a signed driver, the driver remains loadable until Microsoft specifically blocklists it. The Windows Vulnerable Driver Blocklist is Microsoft's mechanism for revoking trust in specific driver versions, but it has several limitations:
- The blocklist is not enforced on every Windows configuration. It is on by default on Windows 11 22H2 and later, on Windows in S mode, and wherever HVCI (Hypervisor-Protected Code Integrity) is enabled. On other systems it must be turned on explicitly, through the Microsoft Vulnerable Driver Blocklist toggle under Core isolation or the VulnerableDriverBlocklistEnable registry value. Many enterprise fleets still contain machines that meet none of these conditions.
- The built-in blocklist is refreshed only through Windows servicing, which Microsoft describes as roughly once or twice a year, so months can pass between a disclosure and the default blocklist catching up. Microsoft's current recommended driver block rules can be downloaded as a WDAC policy and deployed ahead of that cycle.
- The list is reactive. Drivers must be individually identified and added. There is no proactive mechanism to detect vulnerable drivers that have not been reported.
Microsoft has been improving the blocklist process, but the fundamental problem remains: the Windows driver model requires trust in third-party kernel code, and that trust can be abused.
Detection and Prevention
For organizations defending against BYOVD attacks:
Enable HVCI (Hypervisor-Protected Code Integrity). This is the strongest platform control: it moves kernel code-integrity checks into the hypervisor, refuses unsigned drivers, and turns on the vulnerable driver blocklist automatically. Note what it does not do: it will not stop a correctly signed vulnerable driver that is not yet on the blocklist. HVCI requires virtualization-capable hardware (VBS), can break older drivers, and may cost some performance.
Keep the Windows Vulnerable Driver Blocklist updated. Ensure that the latest blocklist is deployed to all managed systems. Microsoft distributes updates through Windows Update, but manual deployment of the recommended driver block rules as a WDAC policy may be necessary for air-gapped or slowly-updating environments.
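As an added example (not part of the original post, and not tooling from Paragon or Microsoft), the following PowerShell function reports whether the controls described above are actually in force on a host: Secure Boot, HVCI, kernel-mode WDAC enforcement and the vulnerable driver blocklist. It reads the documented Win32_DeviceGuard WMI class and the VulnerableDriverBlocklistEnable registry value; the "platform default" inference for a missing registry value (Windows 11 22H2 build 22621 or HVCI running) is the author's reading of Microsoft's documentation. Run it from an elevated prompt.

```powershell
# Added example: BYOVD posture check for a single host.
# Requires an elevated PowerShell session on Windows 10/11.

function Get-ByovdPosture {
    # Win32_DeviceGuard (root\Microsoft\Windows\DeviceGuard) reports VBS/HVCI state.
    # In SecurityServicesRunning / SecurityServicesConfigured: 1 = Credential Guard, 2 = HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction Stop

    $hvciRunning    = @($dg.SecurityServicesRunning)    -contains 2
    $hvciConfigured = @($dg.SecurityServicesConfigured) -contains 2

    # CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit, 2 = enforced (kernel-mode WDAC policy)
    $wdacEnforced = ([int]$dg.CodeIntegrityPolicyEnforcementStatus -eq 2)

    # Secure Boot state. Confirm-SecureBootUEFI throws on legacy BIOS / CSM boots.
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }

    # Microsoft Vulnerable Driver Blocklist toggle: 1 = enforced, 0 = explicitly disabled.
    # When the value is absent the platform default applies (assumed here: on for
    # Windows 11 22H2+ and whenever HVCI is running, otherwise off).
    $ciKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $blValue = (Get-ItemProperty -Path $ciKey -Name VulnerableDriverBlocklistEnable `
                    -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    $build   = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber

    if ($null -ne $blValue) {
        $blocklist = if ($blValue -eq 1) { 'Enforced (explicit)' } else { 'DISABLED (explicit)' }
    } elseif ($hvciRunning -or $build -ge 22621) {   # 22621 = Windows 11 22H2
        $blocklist = 'Enforced (platform default)'
    } else {
        $blocklist = 'Not enforced (set VulnerableDriverBlocklistEnable=1 or enable HVCI)'
    }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        Build           = $build
        SecureBoot      = $secureBoot
        HvciConfigured  = $hvciConfigured
        HvciRunning     = $hvciRunning
        WdacEnforced    = $wdacEnforced
        DriverBlocklist = $blocklist
        # A host with neither HVCI nor the blocklist will load any signed vulnerable driver.
        Exposed         = ((-not $hvciRunning) -and ($blocklist -notlike 'Enforced*'))
    }
}

Get-ByovdPosture | Format-List
```

Run it fleet-wide with Invoke-Command and filter on Exposed to get the list of machines where a dropped BioNTdrv.sys would still load. HvciConfigured without HvciRunning usually means a reboot is pending or the hardware refused to start VBS.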
Monitor for driver installation and load events. The System log records Event ID 7045 ("A service was installed") when a driver service is created; the event data carries the image path and a service type of "kernel mode driver". Note that 7045 captures the installation, not each subsequent load. Sysmon Event ID 6 ("Driver loaded") logs every kernel image load with its hashes and signer. Microsoft-Windows-CodeIntegrity/Operational Event ID 3077 records a driver refused by the blocklist or a WDAC policy (3076 is the audit-mode equivalent). Alert on driver images staged in user-writable locations, on unfamiliar signers, and on any 3077 naming a known-vulnerable driver, since that is a BYOVD attempt that was stopped.
Application control. Windows Defender Application Control (WDAC) can allow-list which drivers may load (by publisher, file attributes or hash) and can merge in Microsoft's recommended driver block rules, providing a stronger control than the blocklist alone.
EDR with kernel-level visibility. Modern EDR solutions can detect suspicious IOCTL patterns, handles opened to the device objects of known-vulnerable drivers, and other indicators of driver exploitation. Ensure your EDR is configured to monitor driver interactions and that tamper protection is on, since disabling the EDR is usually the attacker's first move after gaining kernel access.
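To make the logging advice concrete, here is an added PowerShell example (not from the original post) that pulls the three event sources named above into one table and flags driver images loaded from directories a legitimate driver install rarely uses. The event-data field order for System 7045 and Sysmon 6 is taken from those events' schemas; the path regex for CodeIntegrity 3077/3076 messages and the list of "suspicious" directories are the author's choices. The Sysmon channel only exists where Sysmon is installed, and missing channels are skipped silently.

```powershell
# Added example: hunt for driver install / load / block events across the
# System, Sysmon and Code Integrity logs. Requires an elevated session.

function Get-DriverLoadEvents {
    param(
        [int]$Hours = 24,
        # Regex of directories a BYOVD dropper commonly stages from (author's list, extend as needed)
        [string]$SuspiciousPath = '\\(Users|Temp|ProgramData|Downloads|Public|PerfLogs)\\'
    )
    $since = (Get-Date).AddHours(-$Hours)

    function New-Row($time, $source, $image, $detail) {
        [pscustomobject]@{
            Time       = $time
            Source     = $source
            Image      = $image
            Suspicious = [bool]($image -match $SuspiciousPath)
            Detail     = $detail
        }
    }

    # 1. System 7045: "A service was installed". EventData order is
    #    ServiceName, ImagePath, ServiceType, StartType, AccountName.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[2].Value -match 'kernel mode driver' } |
        ForEach-Object {
            New-Row $_.TimeCreated 'System/7045' $_.Properties[1].Value ('service=' + $_.Properties[0].Value)
        }

    # 2. Sysmon 6: "Driver loaded". EventData order is
    #    RuleName, UtcTime, ImageLoaded, Hashes, Signed, Signature, SignatureStatus.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            New-Row $_.TimeCreated 'Sysmon/6' $_.Properties[2].Value `
                ('signer=' + $_.Properties[5].Value + '; ' + $_.Properties[3].Value)
        }

    # 3. Code Integrity 3077 (enforced) / 3076 (audit): a driver refused by the vulnerable
    #    driver blocklist or a WDAC policy. The image path is parsed from the message text.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3077, 3076; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $img = if ($_.Message -match 'attempted to load (\S+) that') { $Matches[1] } else { '' }
            New-Row $_.TimeCreated "CodeIntegrity/$($_.Id)" $img 'refused or audited by code integrity policy'
        }
}

Get-DriverLoadEvents -Hours 72 | Sort-Object Time | Format-Table -AutoSize
```

A 7045 for a kernel driver whose image sits under a user profile, followed within seconds by a Sysmon 6 for the same path, is the shape a BYOVD drop takes in the logs; a 3077 for the same file means the blocklist did its job and the host already has an attacker with admin rights on it.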
The Paragon Situation Specifically
For organizations that actually have Paragon Partition Manager installed (as opposed to those at risk from BYOVD), the remediation was straightforward:
- Update to Paragon Partition Manager version 17.45.0 or later, which includes a patched version of BioNTdrv.sys.
- If the software is not needed, uninstall it entirely.
- Verify that the vulnerable driver version is no longer present or loaded: check the file version and hash of every BioNTdrv.sys on disk and confirm that no driver service still points at an old copy.
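The verification step can be scripted. The following is an added example (not from the original post or from Paragon) that locates every copy of a named driver image on disk, every kernel service that points at one, and reports version, SHA-256, signer and whether it is currently loaded. It does not embed known-bad hashes; compare the FileVersion and hash output against the CERT/CC note and Paragon's release notes. The search roots and the path-normalisation rules are the author's assumptions.

```powershell
# Added example: inventory every BioNTdrv.sys on a host so its version can be
# checked against the vendor / CERT advisory. Requires an elevated session.

function ConvertTo-Win32Path([string]$p) {
    # Service ImagePath values arrive in several NT forms; normalise to a Win32 path.
    $p = $p -replace '^\\\?\?\\', ''                      # \??\C:\x\y.sys      -> C:\x\y.sys
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot     # \SystemRoot\System32 -> C:\Windows\System32
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }   # relative form
    return $p
}

function Find-DriverImage {
    param(
        [string]$Name = 'BioNTdrv.sys',
        [string[]]$Roots = @("$env:SystemRoot\System32\drivers",
                             "$env:SystemRoot\System32\DriverStore\FileRepository")
    )
    # Kernel drivers are registered as services; Win32_SystemDriver gives image path and state.
    $services = @(Get-CimInstance -ClassName Win32_SystemDriver |
                  Where-Object { $_.PathName -and ($_.PathName -like "*\$Name") })

    $onDisk = foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Filter $Name -Recurse -File -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty FullName
    }
    # A BYOVD dropper often stages the file outside the drivers directory, so also
    # include whatever path each registered service actually points at.
    $fromServices = $services | ForEach-Object { ConvertTo-Win32Path $_.PathName }
    $paths = (@($onDisk) + @($fromServices)) | Where-Object { $_ } | Sort-Object -Unique

    foreach ($p in $paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $item = Get-Item -LiteralPath $p
        $sig  = Get-AuthenticodeSignature -FilePath $p
        $svc  = $services | Where-Object { (ConvertTo-Win32Path $_.PathName) -ieq $p } | Select-Object -First 1
        [pscustomobject]@{
            Path        = $p
            FileVersion = $item.VersionInfo.FileVersion
            Product     = $item.VersionInfo.ProductName
            SHA256      = (Get-FileHash -Algorithm SHA256 -LiteralPath $p).Hash
            Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            SignatureOK = ($sig.Status -eq 'Valid')
            Service     = if ($svc) { $svc.Name } else { '' }
            Loaded      = [bool]($svc -and $svc.State -eq 'Running')
        }
    }
}

Find-DriverImage -Name 'BioNTdrv.sys' | Format-List
```

Per the CERT/CC note the affected builds are driver version 7.9.1 (CVE-2025-0285 through -0288) and version 17 (CVE-2025-0289); a valid signature on an old version is expected, not reassuring, since that is precisely what makes the file usable for BYOVD. A copy found outside the Windows drivers directories, or a service pointing at a user-writable path, deserves an incident-response look rather than a clean-up.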
Paragon released the patched driver in coordination with the CERT/CC disclosure.
How Safeguard.sh Helps
Safeguard.sh provides comprehensive software inventory tracking that includes device drivers and system-level components. When vulnerabilities like the Paragon driver flaws are disclosed, Safeguard can identify which systems in your environment have the vulnerable driver installed -- whether as part of Paragon Partition Manager or as a standalone component.
For BYOVD defense specifically, Safeguard's SBOM analysis helps you understand your full software inventory at a granular level, including kernel drivers that might not be visible to traditional vulnerability scanners. This visibility is essential for assessing your BYOVD attack surface and prioritizing the deployment of protections like HVCI and the driver blocklist.
Safeguard's policy gates can enforce requirements like HVCI enablement and blocklist currency, ensuring that your defenses against BYOVD attacks are consistently applied across your fleet.