CVE-2025-0288
published 2025-03-03


Priority: P1 86 high
CVSS 3.1: 7.8 high, vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: ITW, EXPLOIT, VulnCheck KEV, Ransomware
Exploited in the wild
EPSS: 0.46% (36.5th percentile)
Various Paragon Software products contain an arbitrary kernel memory vulnerability within biontdrv.sys, facilitated by the memmove function, which does not validate or sanitize user controlled input, allowing an attacker the ability to write arbitrary kernel memory and perform privilege escalation.

Affected

14 ranges

Vendor            Product                                   Version range   Fixed in
msrc              cbl2_vim_9.0.1189-1_on_cbl_mariner_2.0
msrc              cm1_vim_9.0.1189-1_on_cbl_mariner_1.0
paragon-software  paragon_backup_recovery                   15 – 17.39
paragon-software  paragon_disk_wiper                        15 – 16
paragon-software  paragon_drive_copy                        15 – 16
paragon-software  paragon_hard_disk_manager                 15 – 17.39
paragon-software  paragon_migrate_os_to_ssd                 4 – 5
paragon-software  paragon_partition_manager                 15 – 17.39
paragon_software  backup_and_recovery                       15 – 17.39
paragon_software  disk_wiper                                15 – 16
paragon_software  drive_copy                                15 – 16
paragon_software  hard_disk_manager                         15 – 17.39
paragon_software  migrate_os_to_ssd                         4 – 5
paragon_software  partition_manager                         15 – 17.39

Detection & IOCs (extracted from sources)

filename: biontdrv.sys
  • CVE-2025-0288 is exploited in BYOVD (Bring Your Own Vulnerable Driver) attacks; monitor for loading of biontdrv.sys by non-Paragon processes or in unexpected contexts, especially when followed by privilege escalation to SYSTEM.
  • CVE-2025-0288 is one of five related vulnerabilities in Paragon Partition Manager (CVE-2025-0285 through CVE-2025-0289); all share the same vulnerable driver biontdrv.sys and have been exploited together in the same BYOVD campaigns.

CVSS provenance

Source        Version  Score  Severity  Vector
nvd           v3.1     7.8    HIGH      CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vulncheck              7.8    HIGH
vendor_msrc            7.8    HIGH