
Paragon Partition Manager driver zero-day leveraged in ransomware attacks


Ransomware operations have been exploiting an already addressed zero-day impacting the Paragon Partition Manager BioNTdrv.sys driver, tracked as CVE-2025-0289, to facilitate privilege escalation on Windows devices as part of Bring Your Own Vulnerable Driver (BYOVD) attacks, BleepingComputer reports.

The flaw, which affects Paragon Partition Manager versions 17 and older, was discovered by Microsoft researchers alongside four other vulnerabilities, tracked as CVE-2025-0285 to CVE-2025-0288, which affect versions 7.9.1 and older, according to a CERT/CC warning. Details regarding the identities of the ransomware gangs were not provided, but Scattered Spider, BlackByte, LockBit, and Lazarus Group are among the numerous groups that have launched BYOVD intrusions. While Microsoft has already blocked the vulnerable driver from loading in Windows, organizations and other users of the software have been urged to upgrade immediately to the latest version, which addresses the aforementioned issues. Enabling the Microsoft Vulnerable Driver Blocklist feature was also noted as crucial to prevent potential compromise.
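As an added defender-side check (not from the article, Paragon or Microsoft), the following PowerShell snippet inventories whether BioNTdrv.sys is registered as a kernel service on a host and whether the Microsoft Vulnerable Driver Blocklist is enabled. The registry value name and the Win32_DeviceGuard class are assumed from Microsoft's documentation; run it from an elevated prompt.

```powershell
# Added example: inventory check for the Paragon BioNTdrv.sys driver named in
# the article and for the Microsoft Vulnerable Driver Blocklist setting.
# Assumption: the blocklist toggle is the documented registry value
# VulnerableDriverBlocklistEnable under CI\Config (1 = on, 0 = off).

$driverName = 'BioNTdrv.sys'
$ciKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'

# 1. Is the driver registered as a kernel service, and is it currently running?
$hits = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -and ($_.PathName -like "*$driverName*") }

if (-not $hits) {
    Write-Output "No kernel service references $driverName."
} else {
    foreach ($d in $hits) {
        $file = $d.PathName -replace '^\\\?\?\\', ''   # strip NT path prefix if present
        $signer = if (Test-Path $file) {
            (Get-AuthenticodeSignature -FilePath $file).SignerCertificate.Subject
        } else { 'file missing on disk' }
        Write-Output ("Service {0}: state={1}, path={2}, signer={3}" -f `
            $d.Name, $d.State, $file, $signer)
    }
}

# 2. Is the Microsoft Vulnerable Driver Blocklist enabled? Hosts running HVCI
#    enforce the blocklist by default; on other hosts this value controls it.
$blocklist = (Get-ItemProperty -Path $ciKey -Name VulnerableDriverBlocklistEnable `
    -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
switch ($blocklist) {
    1       { Write-Output 'Vulnerable Driver Blocklist: enabled' }
    0       { Write-Output 'Vulnerable Driver Blocklist: DISABLED (enable under Windows Security > Core isolation)' }
    default { Write-Output 'Vulnerable Driver Blocklist: value not set (default depends on Windows build and HVCI)' }
}

# 3. HVCI status: value 2 in SecurityServicesRunning means Hypervisor-enforced
#    Code Integrity is active, which also makes the blocklist enforced.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
    -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if ($dg) {
    Write-Output ("HVCI running: {0}" -f ($dg.SecurityServicesRunning -contains 2))
}
```

A registered service pointing at BioNTdrv.sys on a host that never had Paragon Partition Manager installed is worth a closer look, since BYOVD tooling brings the driver along and registers it itself.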
