Microsoft discovers five potentially damaging attacks against its own software

Representational image of a cybercriminal

Image Credit: Pixabay (Image credit: Pixabay)

Microsoft patches Paragon Partition Manager, after finding five flaws in a kernel-level driver
One of the flaws was being actively used to drop ransomware
The driver can be abused even without the partition manager installed

Hackers are using a vulnerable Windows driver to escalate privileges through Microsoft software, allowing possible ransomware attacks via zero-days.

Microsoft confirmed the findings when it added the affected version of the driver to its Vulnerable Driver Blocklist - and at the same time, it patched five flaws in the flawed software and urged users to apply updates as soon as possible.

The flaws were apparently found in BioNTdrv.sys, a kernel-level driver for a piece of software called Paragon Partition Manager. Cybercriminals who already managed to gain some access to a target endpoint would either use this driver (if the software is installed on the device), or drop it, to gain SYSTEM privileges in Windows, used to mount ransomware attacks.

Checking the blocklist

"An attacker with local access to a device can exploit these vulnerabilities to escalate privileges or cause a denial-of-service (DoS) scenario on the victim's machine," CERT/CC said. "Additionally, as the attack involves a Microsoft-signed Driver, an attacker can leverage a Bring Your Own Vulnerable Driver (BYOVD) technique to exploit systems even if Paragon Partition Manager is not installed. "

Microsoft said four of the flaws affected Paragon Partition Manager versions 7.9.1 and older, with the fifth one (CVE-2025-0298) impacting version 17 and older - which was also the one apparently being actively exploited in ransomware attacks.

Now, users are urged to upgrade the software to the latest version, since it also comes with BioNTdrv.sys version 2.0.0.

Besides upgrading the software, users should also double-check if the blocklist is enabled, by going to Settings - Privacy and Security - Windows Security - Device Security - Core Isolation - Microsoft Vulnerable Driver Blocklist and making sure it’s turned on.

Via BleepingComputer

This evil malware disables your security software, then goes in for the kill
We've rounded up the best password managers
Take a look at our guide to the best authenticator app

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.