{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/726882#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\n\r\nThe Paragon Software Hard Disk Manager (HDM) product line contains a vulnerable driver titled BioNTdrv.sys. The driver, in versions 10.1.X.Y and older, 1.0.0.0, 1.1.0.0, 1.3.0.0, 1.4.0.0, and 1.5.1.0, contains five vulnerabilities. These include arbitrary kernel memory mapping and write vulnerabilities, a null pointer dereference, insecure kernel resource access, and an arbitrary memory move vulnerability. An attacker with local access to a device can exploit these vulnerabilities to escalate privileges or cause a denial-of-service (DoS) scenario on the victim's machine. Additionally, because the attack involves a Microsoft-signed [Driver](https://learn.microsoft.com/en-us/windows-hardware/drivers/gettingstarted/what-is-a-driver-), an attacker can leverage a [Bring Your Own Vulnerable Driver (BYOVD)](https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/strategies-to-monitor-and-prevent-vulnerable-driver-attacks/4103985) technique to exploit systems even if Paragon Software products are not installed. Microsoft has observed threat actors (TAs) exploiting this weakness in BYOVD ransomware attacks, specifically using CVE-2025-0289 to escalate privileges to SYSTEM level and then execute further malicious code. These vulnerabilities have been patched by Paragon Software, and vulnerable BioNTdrv.sys versions have been blocked by Microsoft's Vulnerable Driver Blocklist. \r\n\r\n### Description\r\n\r\nThe Paragon Software HDM is a series of tools from [Paragon Software](https://www.paragon-software.com/), available in both Community and Commercial versions, that allows users to manage partitions (individual sections) on a hard drive, create backups, copy drive contents, and wipe disks. 
These products include a kernel-level driver distributed as BioNTdrv.sys. The driver provides low-level access to the hard drive with elevated privileges so that data can be accessed and managed at the kernel level.\r\n\r\nMicrosoft researchers have identified five vulnerabilities in Paragon Partition Manager version 17.9.1. These vulnerabilities, particularly in BioNTdrv.sys versions 1.3.0 and 1.5.1, allow attackers to achieve SYSTEM-level privilege escalation, which surpasses typical administrator permissions. The vulnerabilities also enable attackers to manipulate the driver via device-specific Input/Output Control (IOCTL) calls, potentially resulting in privilege escalation or system crashes (e.g., a Blue Screen of Death, or BSOD). Even if Paragon Partition Manager is not installed, attackers can install and misuse the vulnerable driver through the BYOVD method to compromise the target machine. The vulnerabilities are also present in versions 10.1.X.Y and older, 1.0.0.0, 1.1.0.0, and 1.4.0.0 of BioNTdrv.sys. 
\r\n\r\nIdentified Vulnerabilities:\r\n\r\n**CVE-2025-0288**\r\nVarious Paragon Software products contain an arbitrary kernel memory vulnerability within biontdrv.sys, facilitated by the memmove function, which does not validate or sanitize user controlled input, allowing an attacker to write arbitrary kernel memory and perform privilege escalation.\r\n\r\n**CVE-2025-0287**\r\nVarious Paragon Software products contain a null pointer dereference vulnerability within biontdrv.sys that is caused by a lack of a valid MasterLrp structure in the input buffer, allowing an attacker to execute arbitrary code in the kernel, facilitating privilege escalation.\r\n\r\n**CVE-2025-0286**\r\nVarious Paragon Software products contain an arbitrary kernel memory write vulnerability within biontdrv.sys that is caused by a failure to properly validate the length of user supplied data, which can allow an attacker to execute arbitrary code on the victim machine.\r\n\r\n**CVE-2025-0289**\r\nVarious Paragon Software products contain an insecure kernel resource access vulnerability facilitated by the driver not validating the MappedSystemVa pointer before passing it to HalReturnToFirmware, which can allow an attacker to compromise the service.\r\n\r\n**CVE-2025-0285**\r\nVarious Paragon Software products contain an arbitrary kernel memory mapping vulnerability within biontdrv.sys that is caused by a failure to properly validate the length of user supplied data, which can allow an attacker to perform privilege escalation exploits.\r\n\r\n### Impact\r\nAn attacker with local access to a target device can exploit specific BioNTdrv.sys versions to escalate privileges to SYSTEM level or cause a DoS scenario. Microsoft has observed this driver being used in ransomware attacks, leveraging the BYOVD technique for privilege escalation prior to further malicious code execution. 
\r\n\r\n### Solution\r\n\r\nParagon Software has updated the affected products and released a new driver, [BioNTdrv.sys version 2.0.0](https://paragon-software.zendesk.com/hc/en-us/articles/32993902732817-IMPORTANT-Paragon-Driver-Security-Patch-for-All-Products-of-Hard-Disk-Manager-Product-Line-Biontdrv-sys), which addresses these vulnerabilities. To update your Paragon product, follow the guidance listed here: https://paragon-software.zendesk.com/hc/en-us/articles/32993902732817-IMPORTANT-Paragon-Driver-Security-Patch-for-All-Products-of-Hard-Disk-Manager-Product-Line-Biontdrv-sys. Users can verify whether the Vulnerable Driver Blocklist is enabled under Windows Security settings. On Windows 11 devices, this blocklist is enabled by default. Users can learn more about the Vulnerable Driver Blocklist here: [Microsoft Vulnerable Driver Blocklist Information](https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules). Enterprise organizations should ensure the blocklist is applied across their user base to prevent TAs from loading affected vulnerable BioNTdrv.sys versions. Note that the blocklist will not prevent exploitation by TAs who already have administrator access. \r\n\r\n### Acknowledgements\r\nThanks to Microsoft for reporting these vulnerabilities. This document was written by Christopher Cullen.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. 
We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL, if provided by the vendor, for more details.","title":"Limitations of Advisory"},{"category":"other","text":"All vulnerabilities were fixed in BioNTdrv.sys driver version 2.0.0 for all our Hard Disk Manager family products starting with version 17.45.0:\r\nParagon Hard Disk Manager 17 all editions.\r\nParagon Partition Manager Community Edition.\r\nParagon Backup and Recovery Community Edition.\r\n\r\nWe also provide a standalone security patch for 64-bit versions of Windows 10, Windows 11, Windows Server 2016/2019/2022/2025 to update the driver version in all our product families with marketing versions 16 and 17. This patch is freely available on our website https://www.paragon-software.com/support/#patches","title":"Vendor statement from Paragon Software"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/726882"},{"url":"https://paragon-software.zendesk.com/hc/en-us/articles/32993902732817-IMPORTANT-Paragon-Driver-Security-Patch-for-All-Products-of-Hard-Disk-Manager-Product-Line-Biontdrv-sys","summary":"https://paragon-software.zendesk.com/hc/en-us/articles/32993902732817-IMPORTANT-Paragon-Driver-Security-Patch-for-All-Products-of-Hard-Disk-Manager-Product-Line-Biontdrv-sys"},{"url":"https://www.paragon-software.com/support/#patches","summary":"https://www.paragon-software.com/support/#patches"}],"title":"Paragon Software Hard Disk Manager product line contains five memory vulnerabilities within its BioNTdrv.sys driver 
that allow for privilege escalation and denial-of-service (DoS) attacks","tracking":{"current_release_date":"2025-04-14T20:19:48+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#726882","initial_release_date":"2025-03-01 00:00:00+00:00","revision_history":[{"date":"2025-04-14T20:19:48+00:00","number":"1.20250414201948.12","summary":"Released on 2025-04-14T20:19:48+00:00"}],"status":"final","version":"1.20250414201948.12"}},"vulnerabilities":[{"title":"Various Paragon Software products contain an arbitrary kernel memory mapping vulnerability within biontdrv.","notes":[{"category":"summary","text":"Various Paragon Software products contain an arbitrary kernel memory mapping vulnerability within biontdrv.sys that is caused by a failure to properly validate the length of user supplied data, which can allow an attacker to perform privilege escalation exploits."}],"cve":"CVE-2025-0285","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#726882"}],"product_status":{"known_affected":["CSAFPID-55be4b18-34c5-11f1-8422-122e2785dc9f"]}},{"title":"Various Paragon Software products contain an arbitrary kernel memory write vulnerability within biontdrv.","notes":[{"category":"summary","text":"Various Paragon Software products contain an arbitrary kernel memory write vulnerability within biontdrv.sys that is caused by a failure to properly validate the length of user supplied data, which can allow an attacker to execute arbitrary code on the victim machine."}],"cve":"CVE-2025-0286","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#726882"}],"product_status":{"known_affected":["CSAFPID-55beae14-34c5-11f1-8422-122e2785dc9f"]}},{"title":"Various Paragon Software products contain a null pointer dereference vulnerability within biontdrv.","notes":[{"category":"summary","text":"Various Paragon Software products contain a null pointer dereference vulnerability within biontdrv.sys that is caused by a lack of a valid MasterLrp structure in the input 
buffer, allowing an attacker to execute arbitrary code in the kernel, facilitating privilege escalation."}],"cve":"CVE-2025-0287","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#726882"}],"product_status":{"known_affected":["CSAFPID-55bf4194-34c5-11f1-8422-122e2785dc9f"]}},{"title":"Various Paragon Software products contain an arbitrary kernel memory vulnerability within biontdrv.","notes":[{"category":"summary","text":"Various Paragon Software products contain an arbitrary kernel memory vulnerability within biontdrv.sys, facilitated by the memmove function, which does not validate or sanitize user controlled input, allowing an attacker to write arbitrary kernel memory and perform privilege escalation."}],"cve":"CVE-2025-0288","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#726882"}],"product_status":{"known_affected":["CSAFPID-55bfa4b8-34c5-11f1-8422-122e2785dc9f"]}},{"title":"Various Paragon Software products contain an insecure kernel resource access vulnerability facilitated by the driver not validating the MappedSystemVa pointer before passing it to HalReturnToFirmware, which can allow an attacker to compromise the service.","notes":[{"category":"summary","text":"Various Paragon Software products contain an insecure kernel resource access vulnerability facilitated by the driver not validating the MappedSystemVa pointer before passing it to HalReturnToFirmware, which can allow an attacker to compromise the service."}],"cve":"CVE-2025-0289","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#726882"}],"product_status":{"known_affected":["CSAFPID-55bffecc-34c5-11f1-8422-122e2785dc9f"]}}],"product_tree":{"branches":[{"category":"vendor","name":"Paragon Software","product":{"name":"Paragon Software Products","product_id":"CSAFPID-55be4b18-34c5-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Paragon Software","product":{"name":"Paragon Software 
Products","product_id":"CSAFPID-55beae14-34c5-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Paragon Software","product":{"name":"Paragon Software Products","product_id":"CSAFPID-55bf4194-34c5-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Paragon Software","product":{"name":"Paragon Software Products","product_id":"CSAFPID-55bfa4b8-34c5-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Paragon Software","product":{"name":"Paragon Software Products","product_id":"CSAFPID-55bffecc-34c5-11f1-8422-122e2785dc9f"}}]}}