CVE-2025-0288
Published: 2025-03-03
Priority: P1 86 · high · 7.8 (CVSS 3.1)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Ransomware
Exploited in the wild
EPSS: 0.46% (36.5th percentile)
Various Paragon Software products contain an arbitrary kernel memory vulnerability within biontdrv.sys, facilitated by the memmove function, which does not validate or sanitize user controlled input, allowing an attacker the ability to write arbitrary kernel memory and perform privilege escalation.
Affected (14 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| msrc | cbl2_vim_9.0.1189-1_on_cbl_mariner_2.0 | — | — |
| msrc | cm1_vim_9.0.1189-1_on_cbl_mariner_1.0 | — | — |
| paragon-software | paragon_backup_recovery | 15 – 17.39 | — |
| paragon-software | paragon_disk_wiper | 15 – 16 | — |
| paragon-software | paragon_drive_copy | 15 – 16 | — |
| paragon-software | paragon_hard_disk_manager | 15 – 17.39 | — |
| paragon-software | paragon_migrate_os_to_ssd | 4 – 5 | — |
| paragon-software | paragon_partition_manager | 15 – 17.39 | — |
| paragon_software | backup_and_recovery | 15 – 17.39 | — |
| paragon_software | disk_wiper | 15 – 16 | — |
| paragon_software | drive_copy | 15 – 16 | — |
| paragon_software | hard_disk_manager | 15 – 17.39 | — |
| paragon_software | migrate_os_to_ssd | 4 – 5 | — |
| paragon_software | partition_manager | 15 – 17.39 | — |
Detection & IOCs (extracted from sources)
- CVE-2025-0288 is exploited in BYOVD (Bring Your Own Vulnerable Driver) attacks; monitor for loading of biontdrv.sys by non-Paragon processes or in unexpected contexts, especially when followed by privilege escalation to SYSTEM.
- CVE-2025-0288 is one of five related vulnerabilities in Paragon Partition Manager (CVE-2025-0285 through CVE-2025-0289); all share the same vulnerable driver biontdrv.sys and have been exploited together in the same BYOVD campaigns.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | — | 7.8 | HIGH | — |
| vendor_msrc | — | 7.8 | HIGH | — |
GHSA
GHSA-qqm4-w34f-whgp: Paragon Partition Manager version 7
ghsa_unreviewed · 2025-03-03 · CVE-2025-0288 [HIGH] CWE-131
Paragon Partition Manager version 7.9.1 contains an arbitrary kernel memory vulnerability facilitated by the memmove function, which does not validate or sanitize user controlled input, allowing an attacker the ability to write arbitrary kernel memory and perform privilege escalation.
VulnCheck
Paragon Software Products biontdrv.sys memmove Function Privilege Escalation
vulncheck · 2025 · CVSS 7.8 · CVE-2025-0288 [HIGH]
Various Paragon Software products contain an arbitrary kernel memory vulnerability within biontdrv.sys, facilitated by the memmove function, which does not validate or sanitize user controlled input, allowing an attacker the ability to write arbitrary kernel memory and perform privilege escalation.
Affected: Paragon Software Hard Disk Manager/Partition Manager/Backup & Recovery/Drive Copy/Disk Wiper/Migrate OS to SSD
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://securelist.com/malware-report-q1-2025-pc-iot-statistics/116686/
Exploi
Microsoft
Heap-based Buffer Overflow in vim/vim
vendor_msrc · 2023-01-10 · CVSS 7.8 · CVE-2023-0288 [HIGH] CWE-122
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner
@huntrdev
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microsoft
No detection rules found.
No public exploits indexed.
Securelist
IT threat evolution in Q1 2025. Non-mobile statistics
blogs_securelist · 2025-06-05
Table of Contents
- The quarter in numbers
- Ransomware
  - The quarter's trends and highlights
  - Law enforcement success
  - Vulnerabilities and attacks, BYOVD, and EDR bypassing
  - Other developments
  - The most prolific groups
  - Number of new modifications
  - Number of users attacked by ransomware Trojans
  - Attack geography
  - Top 10 countries and territories attacked by ransomware Trojans
  - TOP 10 most common ransomware Trojan families
- Miners
  - Number of new modifications
  - Number of users attacked by miners
  - Attack geography
  - Top 10 countries and territories attacked by miners
- Attacks on macOS
  - TOP 20 threats to macOS
  - Geography of threats to macOS
  - TOP 10 countries and territories by share of attacked users
- IoT threat statistics
  - TOP 10 threats delivered to IoT devices:
  - Geography of attacks on IoT hon
Securelist
Desktop and IoT threat statistics for Q1 2025
blogs_securelist · 2025-06-05
Table of Contents
- The quarter in numbers
- Ransomware
- Miners
- Attacks on macOS
- Geography of threats to macOS
- IoT threat statistics
- TOP 10 threats delivered to IoT devices:
- Geography of attacks on IoT honeypots
- Attacks via web resources
- Countries and territories that serve as sources of web-based attacks: the TOP 10
- Countries and territories where users faced the greatest risk of online infection
- Local threats
- Countries and territories where users faced the highest risk of local infection
Authors
- AMR
IT threat evolution in Q1 2025. Non-mobile statistics
IT threat evolution in Q1 2025. Mobile statistics
The statistics in this report are based on detection verdicts returned by Kaspersky products unless otherwise stated. The information was provided by Kasper
Bleepingcomputer
Ransomware gangs exploit Paragon Partition Manager bug in BYOVD attacks
blogs_bleepingcomputer · 2025-03-01 · CVSS 5.1 · [MEDIUM]
By Bill Toulas
Microsoft had discovered five Paragon Partition Manager BioNTdrv.sys driver flaws, with one used by ransomware gangs in zero-day attacks to gain SYSTEM privileges in Windows.
The vulnerable drivers were exploited in 'Bring Your Own Vulnerable Driver' (BYOVD) attacks where threat actors drop the kernel driver on a targeted system to elevate privileges.
"An attacker with local access to a device can exploit these vulnerabilities to escalate privileges or cause a denial-of-service (DoS) scenario on the victim's machine," explains a warning from CERT/CC.
"Additionally, as the attack involves a Microsoft-signed Driver, an attacker can leverage a Bring Your Own Vulnerable Driver (BYOVD) technique to ex