- Microsoft patches Paragon Partition Manager after finding five flaws in a kernel-level driver
- One of the flaws was actively exploited to deploy ransomware
- The driver can be abused even if Partition Manager is not installed
Hackers are exploiting a vulnerable Windows driver to escalate privileges through Microsoft-signed software, opening the door to ransomware attacks via a zero-day.
Microsoft confirmed the findings when it added the affected version of the driver to its Vulnerable Driver Blocklist, and at the same time fixed five flaws in the faulty software and urged users to apply the updates as soon as possible.
The flaws were reportedly found in BioNTdrv.sys, a kernel-level driver for software called Paragon Partition Manager. Cybercriminals who have already gained some level of access to a target endpoint could use this driver (if the software is installed on the device) to obtain SYSTEM privileges on Windows, which they could then use to mount ransomware attacks.
Checking the blocklist
“An attacker with local access to a device can exploit these vulnerabilities to escalate privileges or cause a denial-of-service (DoS) scenario on the victim’s machine,” said CERT/CC. “Additionally, as the attack involves a Microsoft-signed driver, an attacker can leverage the Bring Your Own Vulnerable Driver (BYOVD) technique to exploit systems even if Paragon Partition Manager is not installed.”
Microsoft said that four of the flaws affect Paragon Partition Manager versions 7.9.1 and later, while the fifth (CVE-2025-0298) impacts version 17 and later; this is also the one that was reportedly actively exploited in ransomware attacks.
Users are now urged to upgrade the software to the latest version, which also ships with BioNTdrv.sys version 2.0.0.
In addition to upgrading the software, users should also check whether the blocklist is enabled by going to Settings > Privacy & security > Windows Security > Device security > Core isolation > Microsoft Vulnerable Driver Blocklist and making sure it is turned on.
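As an added example (not from the article or from Paragon), the following PowerShell script performs the two checks described above from a defender's side: whether the Microsoft Vulnerable Driver Blocklist is enabled, and whether a BioNTdrv.sys older than the fixed 2.0.0 build is registered on the host. The registry value read here is the one Windows uses for the Core isolation blocklist toggle; the driver-name matching and path normalisation are this example's own assumptions, and it assumes Windows PowerShell 5.1 or later run as Administrator.

```powershell
# Added example (not from the article): defender-side check for the two mitigations
# the article describes. Assumes PowerShell 5.1+ on Windows, run as Administrator.

# 1. Is the Microsoft Vulnerable Driver Blocklist enabled?
#    Windows records the Core isolation toggle under the Code Integrity config key;
#    a DWORD value of 1 means the blocklist is enforced.
$ciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$blocklist = (Get-ItemProperty -Path $ciKey -Name 'VulnerableDriverBlocklistEnable' `
    -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
if ($blocklist -eq 1) {
    Write-Host 'Vulnerable Driver Blocklist: ENABLED'
} else {
    Write-Warning 'Vulnerable Driver Blocklist: not enabled (or value absent) - turn it on under Core isolation'
}

# 2. Is the affected driver registered or loaded, and is it older than the fixed 2.0.0 build?
#    BYOVD means the file may live outside System32\drivers, so query the registered
#    kernel drivers (any path) rather than only the default folder.
$fixed = [version]'2.0.0'
$drivers = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.Name -match 'biontdrv' -or $_.PathName -match 'biontdrv' }
if (-not $drivers) {
    Write-Host 'BioNTdrv.sys: not registered as a system driver on this host'
}
foreach ($d in $drivers) {
    # Normalise the NT-style paths WMI can return (\??\C:\... or \SystemRoot\...)
    $path = $d.PathName -replace '^\\\?\?\\', ''
    $path = [Environment]::ExpandEnvironmentVariables(($path -replace '^\\SystemRoot', '%SystemRoot%'))
    $ver = $null
    if (Test-Path $path) { $ver = (Get-Item $path).VersionInfo.FileVersionRaw }
    # An unreadable or missing version is treated as suspect, not as safe.
    $status = if ($ver -and $ver -ge $fixed) { 'patched' } else { 'VULNERABLE or unknown version' }
    "{0}  state={1}  version={2}  -> {3}" -f $path, $d.State, $ver, $status
}
```

A driver flagged as vulnerable on a machine that never had Partition Manager installed is the BYOVD scenario CERT/CC describes and warrants incident-response follow-up rather than just an upgrade.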
Via BleepingComputer