BYOVD Attacks Exploit Zero-Day in Paragon Partition Manager


Ransomware actors have been observed exploiting a zero-day flaw in a Paragon Partition Manager kernel driver in Bring Your Own Vulnerable Driver (BYOVD) attacks.

The CERT Coordination Center (CERT/CC) disclosed the attacks in an advisory published on Friday.

It said Microsoft had observed BYOVD attacks exploiting CVE-2025-0289, an insecure kernel resource access vulnerability in version 17 of Paragon Partition Manager’s BioNTdrv.sys driver.

The exploit gave the attackers privilege escalation to SYSTEM, which they used to run further malicious code, the advisory said.

The zero-day is caused by “failure to validate the MappedSystemVa pointer before passing it to HalReturnToFirmware,” according to CERT/CC.


It is one of five vulnerabilities discovered by Microsoft.

“An attacker with local access to a device can exploit these vulnerabilities to escalate privileges or cause a denial-of-service (DoS) scenario on the victim’s machine,” the advisory noted.

“Additionally, as the attack involves a Microsoft-signed driver, an attacker can leverage a Bring Your Own Vulnerable Driver (BYOVD) technique to exploit systems even if Paragon Partition Manager is not installed.”

In a BYOVD attack, adversaries drop a legitimately signed but vulnerable driver onto a victim’s system, load it, and then exploit its flaw to gain kernel-level code execution, which lets them disable or blind security tooling. Because the driver carries a valid signature, Windows driver signature enforcement alone does not stop it from loading; only a blocklist, memory integrity (HVCI) or removal of the vulnerable file does.

The other four vulnerabilities in Paragon Partition Manager are:

  • CVE-2025-0288: An arbitrary kernel memory write vulnerability in version 7.9.1 caused by a memmove call that fails to sanitize user-controlled input. It allows an attacker to write arbitrary kernel memory and achieve privilege escalation.
  • CVE-2025-0287: A null pointer dereference vulnerability in version 7.9.1 caused by the absence of a valid MasterLrp structure in the input buffer. It allows an attacker to execute arbitrary kernel code for privilege escalation.
  • CVE-2025-0286: An arbitrary kernel memory write vulnerability in version 7.9.1 due to improper validation of user-supplied data lengths. It can allow an attacker to execute arbitrary code on the victim’s machine.
  • CVE-2025-0285: An arbitrary kernel memory mapping vulnerability in version 7.9.1 caused by failure to validate user-supplied data lengths. An attacker can exploit the flaw to escalate privileges.

Paragon Software has updated Partition Manager with a new driver, BioNTdrv.sys version 2.0.0, which users are urged to upgrade to. Upgrading alone does not stop an attacker from bringing an older, still validly signed copy of the driver onto a machine, so the vulnerable versions have also been added to Microsoft’s Vulnerable Driver Blocklist, which prevents them from loading on systems where the blocklist is enforced.
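Because a BYOVD attack (described above) can succeed on hosts that never installed Paragon Partition Manager, and because the fix is a new driver version rather than a revoked signature, the practical check is to hunt for BioNTdrv.sys anywhere on disk, see whether it is registered as a kernel service, and confirm the host-side mitigations that would block it. The following PowerShell script is an added example written for this article; it is not code from CERT/CC, Microsoft or Paragon. It assumes the driver file name BioNTdrv.sys from the advisory, that the PE FileVersion of the fixed driver reads 2.0.0 or higher, and, since the advisory does not give the driver's service name, it matches loaded services by image path instead.

```powershell
# Added example for this article (not from CERT/CC, Microsoft or Paragon).
# Assumptions: file name BioNTdrv.sys (from the advisory); fixed build reports
# FileVersion >= 2.0.0; service name unknown, so match by image path.

$FixedVersion = [version]'2.0.0'
$DriverName   = 'BioNTdrv.sys'

function Get-FileVersionObject {
    param([string]$Path)
    $info = (Get-Item -LiteralPath $Path).VersionInfo
    # FileVersion strings vary ("1.3.0.0", "1.3.0 built by: ..."); keep the leading dotted number.
    if ($info.FileVersion -match '^\s*(\d+(\.\d+){1,3})') { return [version]$Matches[1] }
    return $null
}

# 1. On-disk copies. Attackers drop the driver under temp or ProgramData, not only
#    System32\drivers, so search several roots (pass more via -Roots if needed).
function Find-BioNTdrv {
    param([string[]]$Roots = @("$env:SystemRoot\System32\drivers", $env:TEMP, $env:ProgramData))
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Filter $DriverName -File -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                $ver = Get-FileVersionObject $_.FullName
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Path       = $_.FullName
                    Version    = $ver
                    # Unknown version is treated as vulnerable: assume the worst until proven otherwise.
                    Vulnerable = ($null -eq $ver) -or ($ver -lt $FixedVersion)
                    Signer     = $sig.SignerCertificate.Subject
                    SigStatus  = $sig.Status
                }
            }
    }
}

# 2. Kernel services whose image is BioNTdrv.sys, whatever the service was named.
function Get-LoadedBioNTdrv {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -and ($_.PathName -like "*\$DriverName") } |
        Select-Object Name, State, StartMode, PathName
}

# 3. Mitigations that block a signed-but-vulnerable driver from loading.
function Get-ByovdMitigationState {
    $ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # 1 = Microsoft Vulnerable Driver Blocklist enforced even without HVCI; missing/0 = not enabled
        VulnerableDriverBlocklistEnable = $ci.VulnerableDriverBlocklistEnable
        # SecurityServicesRunning containing 2 = HVCI (memory integrity) running, which enforces the blocklist
        HvciRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))
    }
}

Find-BioNTdrv            | Format-Table -AutoSize
Get-LoadedBioNTdrv       | Format-Table -AutoSize
Get-ByovdMitigationState | Format-List
```

Run it elevated so the drivers folder and the CI registry key are readable. A hit with Vulnerable = True and a valid signature is exactly the BYOVD precondition: the file will load on any host where neither the blocklist nor HVCI is enforced, whether or not Partition Manager is installed. Treat a registered service pointing at a copy outside System32\drivers as an incident indicator rather than an outdated install.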
