CVE-2025-0286
Published 2025-03-03
Priority: P1 · 84 · high; CVSS 3.1 base score 8.4
Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · VulnCheck KEV · Ransomware
Exploited in the wild
EPSS: 0.36% (27.7th percentile)
Various Paragon Software products contain an arbitrary kernel memory write vulnerability within biontdrv.sys that is caused by a failure to properly validate the length of user supplied data, which can allow an attacker to execute arbitrary code on the victim machine.
Affected
28 ranges, showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| msrc | azl3_edk2_20230301gitf80f052277c8-37_on_azure_linux_3.0 | — | — |
| msrc | azl3_hvloader_1.0.1-2_on_azure_linux_3.0 | — | — |
| msrc | azl3_hvloader_1.0.1-4_on_azure_linux_3.0 | — | — |
| msrc | azl3_python-tensorboard_2.16.2-6_on_azure_linux_3.0 | — | — |
| msrc | azl3_rust_1.75.0-14_on_azure_linux_3.0 | — | — |
| msrc | azl3_rust_1.86.0-1_on_azure_linux_3.0 | — | — |
| msrc | cbl2_cloud-hypervisor_30.0-2_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_hvloader_1.0.1-2_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_openssl_1.1.1k-21_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_python-tensorboard_2.11.0-3_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_qemu_6.2.0-24_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_reaper_3.1.1-6_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_rust_1.68.2-5_on_cbl_mariner_2.0 | — | — |
| msrc | cm1_cloud-hypervisor_22.0-2_on_cbl_mariner_1.0 | — | — |
| msrc | cm1_openssl_1.1.1k-13_on_cbl_mariner_1.0 | — | — |
| msrc | cm1_rust_1.59.0-1_on_cbl_mariner_1.0 | — | — |
| paragon-software | paragon_backup_recovery | 15 – 17.39 | — |
| paragon-software | paragon_disk_wiper | 15 – 16 | — |
| paragon-software | paragon_drive_copy | 15 – 16 | — |
| paragon-software | paragon_hard_disk_manager | 15 – 17.39 | — |
| paragon-software | paragon_migrate_os_to_ssd | 4 – 5 | — |
| paragon-software | paragon_partition_manager | 15 – 17.39 | — |
| paragon_software | backup_and_recovery | 15 – 17.39 | — |
| paragon_software | disk_wiper | 15 – 16 | — |
| paragon_software | drive_copy | 15 – 16 | — |
Detection & IOCs (extracted from sources)
- CVE-2025-0286 resides in biontdrv.sys (Paragon Partition Manager driver); monitor for suspicious loading of this driver as part of BYOVD attacks targeting Windows SYSTEM privilege escalation.
- CVE-2025-0286 (along with CVE-2025-0288, CVE-2025-0287, CVE-2025-0285 and CVE-2025-0289) has been actively exploited by ransomware gangs in BYOVD attacks to gain Windows SYSTEM privileges; hunt for ransomware precursor activity combined with vulnerable Paragon driver loads.
- The vulnerability affects the kernel driver biontdrv.sys in various Paragon Software products; the specific vulnerable driver version(s) are not enumerated in the available sources, so verify affected product versions via the vendor advisory before scoping detection.
CVSS provenance
- nvd (v3.1): 8.4 HIGH, CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- vulncheck: 8.4 HIGH
- vendor_msrc: 7.4 HIGH
GHSA
GHSA-6pcr-45mv-9gp3: Paragon Partition Manager version 7
ghsa_unreviewed · 2025-03-03 · CVE-2025-0286 [HIGH] CWE-787
Paragon Partition Manager version 7.9.1 contains an arbitrary kernel memory write vulnerability within biontdrv.sys that is caused by a failure to properly validate the length of user supplied data, which can allow an attacker to execute arbitrary code on the victim machine.
VulnCheck
Paragon Software Products Arbitrary Kernel Memory Write Vulnerability
vulncheck · 2025 · CVSS 8.4 · CVE-2025-0286 [HIGH]
Various Paragon Software products contain an arbitrary kernel memory write vulnerability within biontdrv.sys that is caused by a failure to properly validate the length of user supplied data, which can allow an attacker to execute arbitrary code on the victim machine.
Affected: Paragon Software Hard Disk Manager/Partition Manager/Backup & Recovery/Drive Copy/Disk Wiper/Migrate OS to SSD
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://securelist.com/malware-report-q1-2025-pc-iot-statistics/116686/
Microsoft
X.400 address type confusion in X.509 GeneralName
vendor_msrc · 2023-02-14 · CVSS 7.4 · CVE-2023-0286 [HIGH] CWE-843
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
openssl: openssl
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.m
No detection rules found.
No public exploits indexed.
Securelist
IT threat evolution in Q1 2025. Non-mobile statistics
blogs_securelist · 2025-06-05
Securelist
Desktop and IoT threat statistics for Q1 2025
blogs_securelist · 2025-06-05
Authors
- AMR
IT threat evolution in Q1 2025. Non-mobile statistics
IT threat evolution in Q1 2025. Mobile statistics
The statistics in this report are based on detection verdicts returned by Kaspersky products unless otherwise stated. The information was provided by Kasper
Bleepingcomputer
Ransomware gangs exploit Paragon Partition Manager bug in BYOVD attacks
blogs_bleepingcomputer · 2025-03-01 · CVSS 5.1 [MEDIUM]
By Bill Toulas
Microsoft had discovered five Paragon Partition Manager BioNTdrv.sys driver flaws, with one used by ransomware gangs in zero-day attacks to gain SYSTEM privileges in Windows.
The vulnerable drivers were exploited in 'Bring Your Own Vulnerable Driver' (BYOVD) attacks where threat actors drop the kernel driver on a targeted system to elevate privileges.
"An attacker with local access to a device can exploit these vulnerabilities to escalate privileges or cause a denial-of-service (DoS) scenario on the victim's machine," explains a warning from CERT/CC.
"Additionally, as the attack involves a Microsoft-signed Driver, an attacker can leverage a Bring Your Own Vulnerable Driver (BYOVD) technique to ex