CVE-2025-0287
published 2025-03-03

CVE-2025-0287: Various Paragon Software products contain a null pointer dereference vulnerability within biontdrv.sys that is caused by a lack of a valid MasterLrp structure…

Priority: P185 · medium · 5.1 · CVSS 3.1
AV:L · AC:L · PR:N · UI:N · S:U · C:L · I:L · A:N
ITW · VulnCheck KEV · Ransomware
Exploited in the wild
EPSS: 0.34% (26.2th percentile)
Various Paragon Software products contain a null pointer dereference vulnerability within biontdrv.sys that is caused by a lack of a valid MasterLrp structure in the input buffer, allowing an attacker to execute arbitrary code in the kernel, facilitating privilege escalation.

Affected

12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| paragon-software | paragon_backup_recovery | 15 – 17.39 | |
| paragon-software | paragon_disk_wiper | 15 – 16 | |
| paragon-software | paragon_drive_copy | 15 – 16 | |
| paragon-software | paragon_hard_disk_manager | 15 – 17.39 | |
| paragon-software | paragon_migrate_os_to_ssd | 4 – 5 | |
| paragon-software | paragon_partition_manager | 15 – 17.39 | |
| paragon_software | backup_and_recovery | 15 – 17.39 | |
| paragon_software | disk_wiper | 15 – 16 | |
| paragon_software | drive_copy | 15 – 16 | |
| paragon_software | hard_disk_manager | 15 – 17.39 | |
| paragon_software | migrate_os_to_ssd | 4 – 5 | |
| paragon_software | partition_manager | 15 – 17.39 | |

Detection & IOCs (extracted from sources)

filename: biontdrv.sys
  • CVE-2025-0287 is a null pointer dereference in biontdrv.sys (Paragon Partition Manager driver) triggered when the input buffer lacks a valid MasterLrp structure; exploited in BYOVD attacks to gain Windows SYSTEM privileges by ransomware gangs.
  • CVE-2025-0287 (along with CVE-2025-0288, CVE-2025-0286, CVE-2025-0285, CVE-2025-0289) was actively exploited by ransomware gangs in BYOVD (bring your own vulnerable driver) attacks to gain Windows SYSTEM privileges; monitor for loading of the vulnerable biontdrv.sys driver by non-Paragon processes.
  • CVE-2025-0287 is one of five related vulnerabilities in Paragon Partition Manager (CVE-2025-0285 through CVE-2025-0289); all share the same vulnerable driver biontdrv.sys and were exploited together in BYOVD campaigns.

CVSS provenance

nvd · v3.1 · 5.1 · MEDIUM · CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
vulncheck · 5.1 · MEDIUM