cbcvebase.
CVE-2025-0286
published 2025-03-03


Priority: P1 (84) · CVSS 3.1: 8.4 (High)
Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · VulnCheck KEV · Ransomware
Exploited in the wild
EPSS: 0.36% (27.7th percentile)
Various Paragon Software products contain an arbitrary kernel memory write vulnerability within biontdrv.sys that is caused by a failure to properly validate the length of user supplied data, which can allow an attacker to execute arbitrary code on the victim machine.

Affected

28 ranges (25 shown)

Vendor            | Product                                                   | Version range | Fixed in
msrc              | azl3_edk2_20230301gitf80f052277c8-37_on_azure_linux_3.0   |               |
msrc              | azl3_hvloader_1.0.1-2_on_azure_linux_3.0                  |               |
msrc              | azl3_hvloader_1.0.1-4_on_azure_linux_3.0                  |               |
msrc              | azl3_python-tensorboard_2.16.2-6_on_azure_linux_3.0       |               |
msrc              | azl3_rust_1.75.0-14_on_azure_linux_3.0                    |               |
msrc              | azl3_rust_1.86.0-1_on_azure_linux_3.0                     |               |
msrc              | cbl2_cloud-hypervisor_30.0-2_on_cbl_mariner_2.0           |               |
msrc              | cbl2_hvloader_1.0.1-2_on_cbl_mariner_2.0                  |               |
msrc              | cbl2_openssl_1.1.1k-21_on_cbl_mariner_2.0                 |               |
msrc              | cbl2_python-tensorboard_2.11.0-3_on_cbl_mariner_2.0       |               |
msrc              | cbl2_qemu_6.2.0-24_on_cbl_mariner_2.0                     |               |
msrc              | cbl2_reaper_3.1.1-6_on_cbl_mariner_2.0                    |               |
msrc              | cbl2_rust_1.68.2-5_on_cbl_mariner_2.0                     |               |
msrc              | cm1_cloud-hypervisor_22.0-2_on_cbl_mariner_1.0            |               |
msrc              | cm1_openssl_1.1.1k-13_on_cbl_mariner_1.0                  |               |
msrc              | cm1_rust_1.59.0-1_on_cbl_mariner_1.0                      |               |
paragon-software  | paragon_backup_recovery                                   | 15 – 17.39    |
paragon-software  | paragon_disk_wiper                                        | 15 – 16       |
paragon-software  | paragon_drive_copy                                        | 15 – 16       |
paragon-software  | paragon_hard_disk_manager                                 | 15 – 17.39    |
paragon-software  | paragon_migrate_os_to_ssd                                 | 4 – 5         |
paragon-software  | paragon_partition_manager                                 | 15 – 17.39    |
paragon_software  | backup_and_recovery                                       | 15 – 17.39    |
paragon_software  | disk_wiper                                                | 15 – 16       |
paragon_software  | drive_copy                                                | 15 – 16       |

Detection & IOCs (extracted from sources)

  • CVE-2025-0286 resides in biontdrv.sys (Paragon Partition Manager driver); monitor for suspicious loading of this driver as part of BYOVD attacks targeting Windows SYSTEM privilege escalation
  • CVE-2025-0286 (along with CVE-2025-0288, CVE-2025-0287, CVE-2025-0285, CVE-2025-0289) has been actively exploited by ransomware gangs in BYOVD attacks to gain Windows SYSTEM privileges; hunt for ransomware precursor activity combined with vulnerable Paragon driver loads
  • The vulnerability affects the kernel driver biontdrv.sys in various Paragon Software products; the specific vulnerable driver version(s) are not enumerated in the available sources, so verify affected product and driver versions against the vendor advisory before scoping detection
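The first two bullets above describe a hunt rather than a rule: flag loads of biontdrv.sys, weigh where the driver was loaded from, and correlate with ransomware precursor commands on the same host. The following script is an added example that is not part of the CVE entry or of any Paragon or vendor tooling. It runs over constructed log records that mimic the fields of Sysmon Event ID 6 (DriverLoad) and Event ID 1 (ProcessCreate); the host names, paths, timestamps, the expected install prefixes and the empty KNOWN_VULNERABLE_HASHES placeholder are all assumptions made for illustration, not indicators taken from the sources.

```python
"""Hunt for BYOVD-style loads of biontdrv.sys in Sysmon-like telemetry.

Added example, not code from the CVE entry or from Paragon Software.
All sample records below are constructed; the driver name is the only
fact taken from the advisory text.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Driver named in the advisory; matched case-insensitively on the file name only.
TARGET_DRIVER = "biontdrv.sys"

# Where a legitimately installed Paragon product is expected to load the driver
# from. Anything else (user temp, Public folders, random directories) looks like
# an attacker-dropped copy. These prefixes are an assumption; tune to your fleet.
EXPECTED_PREFIXES = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\program files\\paragon software\\",
)

# Placeholder: populate with SHA256 values of driver builds you have confirmed
# vulnerable (e.g. from the Microsoft vulnerable driver blocklist). Left empty
# here on purpose, since the sources do not enumerate vulnerable versions.
KNOWN_VULNERABLE_HASHES: frozenset[str] = frozenset()

# Ransomware precursor commands to correlate with a suspicious driver load.
PRECURSOR_PATTERNS = (
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
)
CORRELATION_WINDOW = timedelta(minutes=30)   # assumption: 30 min either side


@dataclass(frozen=True)
class Event:
    host: str
    time: datetime
    event_id: int        # 6 = DriverLoad, 1 = ProcessCreate (Sysmon numbering)
    image: str           # ImageLoaded for ID 6, CommandLine for ID 1
    signed: str = ""     # Sysmon "Signed" field: "true" / "false"
    sha256: str = ""


@dataclass(frozen=True)
class Finding:
    host: str
    time: datetime
    reasons: tuple[str, ...]

    @property
    def score(self) -> int:
        # Crude severity: one point per independent reason.
        return len(self.reasons)


def parse_line(line: str) -> Event:
    """Parse one constructed 'key=value|key=value' record into an Event."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split("|"))
    return Event(
        host=fields["host"],
        time=datetime.fromisoformat(fields["time"]),
        event_id=int(fields["id"]),
        image=fields["image"],
        signed=fields.get("signed", ""),
        sha256=fields.get("sha256", "").lower(),
    )


def is_target_driver(path: str) -> bool:
    """True when the loaded image's file name is biontdrv.sys (any case, any dir)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower() == TARGET_DRIVER


def assess_driver_load(ev: Event, precursors: list[Event]) -> Finding | None:
    """Return a Finding for every biontdrv.sys load, with reasons that raise its score."""
    if ev.event_id != 6 or not is_target_driver(ev.image):
        return None
    reasons = ["biontdrv.sys loaded (driver named in CVE-2025-0286)"]
    if not ev.image.lower().startswith(EXPECTED_PREFIXES):
        reasons.append(f"unexpected path: {ev.image}")
    if ev.signed.lower() == "false":
        reasons.append("driver unsigned or signature invalid")
    if ev.sha256 and ev.sha256 in KNOWN_VULNERABLE_HASHES:
        reasons.append("hash matches a confirmed-vulnerable build")
    for p in precursors:
        if p.host == ev.host and abs(p.time - ev.time) <= CORRELATION_WINDOW:
            reasons.append(f"ransomware precursor on same host within window: {p.image}")
            break
    return Finding(ev.host, ev.time, tuple(reasons))


def hunt(lines: list[str]) -> list[Finding]:
    """Run the hunt over raw records; highest-scoring findings first."""
    events = [parse_line(l) for l in lines if l.strip()]
    precursors = [e for e in events
                  if e.event_id == 1 and any(p.search(e.image) for p in PRECURSOR_PATTERNS)]
    findings = [f for e in events if (f := assess_driver_load(e, precursors))]
    return sorted(findings, key=lambda f: -f.score)


# Constructed sample telemetry (not real logs): one legitimate Paragon load,
# one driver dropped in a Public folder right after shadow-copy deletion, and
# one unrelated driver load that must not fire.
SAMPLE_LOG = [
    r"host=WS-0147|time=2025-03-04T09:12:00|id=6|image=C:\Program Files\Paragon Software\Partition Manager\biontdrv.sys|signed=true|sha256=",
    r"host=SRV-DB02|time=2025-03-04T22:41:13|id=1|image=vssadmin.exe delete shadows /all /quiet",
    r"host=SRV-DB02|time=2025-03-04T22:43:02|id=6|image=C:\Users\Public\Music\biontdrv.sys|signed=true|sha256=",
    r"host=WS-0311|time=2025-03-05T01:02:00|id=6|image=C:\Windows\System32\drivers\ntfs.sys|signed=true|sha256=",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.host} {f.time.isoformat()} score={f.score}")
        for r in f.reasons:
            print("   -", r)
```

The legitimate load on WS-0147 still produces a finding with a score of 1, which is deliberate: because Paragon products ship this driver, a bare "biontdrv.sys loaded" event is a triage item, not an alert, and the path, signature and precursor checks are what separate an installed product from a driver an attacker brought along. In BYOVD the dropped driver is usually the vendor's validly signed file, so the signature check mostly catches tampering rather than the attack itself; path and correlation carry the weight.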

CVSS provenance

Source      | Version | Score | Severity | Vector
nvd         | v3.1    | 8.4   | HIGH     | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck   |         | 8.4   | HIGH     |
vendor_msrc |         | 7.4   | HIGH     |