cbcvebase.
CVE-2025-0289
published 2025-03-03

CVE-2025-0289: Various Paragon Software products contain an insecure kernel resource access vulnerability facilitated by the driver not validating the MappedSystemVa pointer…

Priority: P1 84, high
CVSS 3.1: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Tags: ITW, VulnCheck KEV, Ransomware
Exploited in the wild
EPSS: 0.31% (22.7th percentile)
Various Paragon Software products contain an insecure kernel resource access vulnerability facilitated by the driver not validating the MappedSystemVa pointer before passing it to HalReturnToFirmware, which allows an attacker to compromise the service.

Affected

12 ranges
Vendor            Product                   Version range   Fixed in
paragon-software  paragon_backup_recovery   15 – 17.39      (not listed)
paragon-software  paragon_disk_wiper        15 – 16         (not listed)
paragon-software  paragon_drive_copy        15 – 16         (not listed)
paragon-software  paragon_hard_disk_manager 15 – 17.39      (not listed)
paragon-software  paragon_migrate_os_to_ssd 4 – 5           (not listed)
paragon-software  paragon_partition_manager 15 – 17.39      (not listed)
paragon_software  backup_and_recovery       15 – 17.39      (not listed)
paragon_software  disk_wiper                15 – 16         (not listed)
paragon_software  drive_copy                15 – 16         (not listed)
paragon_software  hard_disk_manager         15 – 17.39      (not listed)
paragon_software  migrate_os_to_ssd         4 – 5           (not listed)
paragon_software  partition_manager         15 – 17.39      (not listed)

Detection & IOCs (extracted from sources)

  • CVE-2025-0289 involves the Paragon Partition Manager driver not validating the MappedSystemVa pointer before passing it to HalReturnToFirmware, enabling SYSTEM privilege escalation via BYOVD attacks
  • CVE-2025-0289 (along with CVE-2025-0288, CVE-2025-0287, CVE-2025-0286, CVE-2025-0285) has been actively exploited by ransomware gangs in BYOVD attacks to gain Windows SYSTEM privileges
  • CVE-2025-0289 is one of five related Paragon Partition Manager vulnerabilities (CVE-2025-0285 through CVE-2025-0289); attribution of specific exploitation activity to this individual CVE versus the others in the cluster is not distinguished in the available sources

CVSS provenance

nvd        v3.1  7.8  HIGH  CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vulncheck        7.8  HIGH