Ransomware operators have been observed deploying a vulnerable Paragon Hard Disk Manager driver in attacks and exploiting it to elevate their privileges to System.
The driver, Biontdrv.sys, which is part of Hard Disk Manager and other products that rely on it, such as Paragon Partition Manager and Backup and Recovery, contains five vulnerabilities that allow attackers to elevate privileges or cause a denial-of-service (DoS) condition.
“Additionally, as the attack involves a Microsoft-signed driver, an attacker can leverage a Bring Your Own Vulnerable Driver (BYOVD) technique to exploit systems even if Paragon Partition Manager is not installed,” a CERT/CC advisory reads.
The security defects include an arbitrary kernel memory bug (CVE-2025-0288), a null pointer dereference issue (CVE-2025-0287), an arbitrary kernel memory write flaw (CVE-2025-0286), an arbitrary kernel memory mapping bug (CVE-2025-0285), and an insecure kernel resource access vulnerability (CVE-2025-0289).
The flaws impact Biontdrv.sys versions 1.3.0 and 1.5.1 and were addressed with the release of version 2.0.0 of the driver. Paragon included the fixes in Hard Disk Manager version 17.45.0 and released a standalone security patch to resolve the bugs in older product versions based on Hard Disk Manager.
The patch, however, is only available for Windows 10, Windows 11, and Windows Server 2016, 2019, 2022, and 2025 devices, as older platform iterations are deemed unsafe.
According to CERT/CC, the exploitation of Biontdrv.sys in BYOVD attacks by ransomware groups was flagged by Microsoft, which last week added the vulnerable versions of the driver to its Vulnerable Driver Blocklist.
“After February 28, 2025 several features of Paragon Hard Disk Manager won’t be available if the fixed version of the BioNTdrv.sys driver is not installed,” Paragon warned last week.
Organizations and end-users are advised to update all impacted Paragon applications – including Hard Disk Manager, Partition Manager, Backup and Recovery, Drive Copy, Disk Wiper, and Migrate OS to SSD – or to apply the available security patch as soon as possible.
Related: Watch Now: Ransomware Resilience & Recovery Summit – All Sessions Available on Demand
Related: New Anubis Ransomware Could Pose Major Threat to Organizations
Related: CISA, FBI Warn of China-Linked Ghost Ransomware Attacks
Related: Ransomware Payments Dropped to $813 Million in 2024