CVE-2025-0289
Published 2025-03-03
Priority P1 · 84 · high · CVSS 3.1: 7.8
AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · VulnCheck KEV · Ransomware
Exploited in the wild
EPSS: 0.31% (22.7th percentile)
Various Paragon Software products contain an insecure kernel resource access vulnerability facilitated by the driver not validating the MappedSystemVa pointer before passing it to HalReturnToFirmware, which allows an attacker to compromise the service.
Affected (12 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| paragon-software | paragon_backup_recovery | 15 – 17.39 | — |
| paragon-software | paragon_disk_wiper | 15 – 16 | — |
| paragon-software | paragon_drive_copy | 15 – 16 | — |
| paragon-software | paragon_hard_disk_manager | 15 – 17.39 | — |
| paragon-software | paragon_migrate_os_to_ssd | 4 – 5 | — |
| paragon-software | paragon_partition_manager | 15 – 17.39 | — |
| paragon_software | backup_and_recovery | 15 – 17.39 | — |
| paragon_software | disk_wiper | 15 – 16 | — |
| paragon_software | drive_copy | 15 – 16 | — |
| paragon_software | hard_disk_manager | 15 – 17.39 | — |
| paragon_software | migrate_os_to_ssd | 4 – 5 | — |
| paragon_software | partition_manager | 15 – 17.39 | — |
Detection & IOCs (extracted from sources)
- CVE-2025-0289 involves the Paragon Partition Manager driver not validating the MappedSystemVa pointer before passing it to HalReturnToFirmware, enabling SYSTEM privilege escalation via BYOVD attacks
- CVE-2025-0289 (along with CVE-2025-0288, CVE-2025-0287, CVE-2025-0286, CVE-2025-0285) has been actively exploited by ransomware gangs in BYOVD attacks to gain Windows SYSTEM privileges
- CVE-2025-0289 is one of five related Paragon Partition Manager vulnerabilities (CVE-2025-0285 through CVE-2025-0289); attribution of specific exploitation activity to this individual CVE versus the others in the cluster is not distinguished in the available sources
CVSS provenance
- NVD (v3.1): 7.8 HIGH, vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 7.8 HIGH
GHSA
GHSA-7mf9-x65f-jwgf (ghsa_unreviewed · 2025-03-03 · CVE-2025-0289 · HIGH · CWE-20)
Paragon Partition Manager version 17, both community and Business versions, contain an insecure kernel resource access vulnerability facilitated by the driver not validating the MappedSystemVa pointer before passing it to HalReturnToFirmware, which allows an attacker to compromise the service.
VulnCheck
Paragon Partition Manager MappedSystemVa Pointer Vulnerability (vulncheck · 2025 · CVE-2025-0289 · CVSS 7.8 HIGH)
Various Paragon Software products contain an insecure kernel resource access vulnerability facilitated by the driver not validating the MappedSystemVa pointer before passing it to HalReturnToFirmware, which allows an attacker to compromise the service.
Affected: Paragon Software Partition Manager
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://kb.cert.org/vuls/id/726882; https://securelist.com/malware-report-q1-2025-pc-iot-statistics/116686/
No detection rules found.
No public exploits indexed.
Securelist
IT threat evolution in Q1 2025. Non-mobile statistics (blogs_securelist · 2025-06-05)
Table of Contents
- The quarter in numbers
- Ransomware
  - The quarter's trends and highlights
  - Law enforcement success
  - Vulnerabilities and attacks, BYOVD, and EDR bypassing
  - Other developments
  - The most prolific groups
  - Number of new modifications
  - Number of users attacked by ransomware Trojans
  - Attack geography
  - Top 10 countries and territories attacked by ransomware Trojans
  - TOP 10 most common ransomware Trojan families
- Miners
  - Number of new modifications
  - Number of users attacked by miners
  - Attack geography
  - Top 10 countries and territories attacked by miners
- Attacks on macOS
  - TOP 20 threats to macOS
  - Geography of threats to macOS
  - TOP 10 countries and territories by share of attacked users
- IoT threat statistics
  - TOP 10 threats delivered to IoT devices
  - Geography of attacks on IoT honeypots
Securelist
Desktop and IoT threat statistics for Q1 2025 (blogs_securelist · 2025-06-05)
Table of Contents
- The quarter in numbers
- Ransomware
- Miners
- Attacks on macOS
- Geography of threats to macOS
- IoT threat statistics
- TOP 10 threats delivered to IoT devices:
- Geography of attacks on IoT honeypots
- Attacks via web resources
- Countries and territories that serve as sources of web-based attacks: the TOP 10
- Countries and territories where users faced the greatest risk of online infection
- Local threats
- Countries and territories where users faced the highest risk of local infection
Authors: AMR
The statistics in this report are based on detection verdicts returned by Kaspersky products unless otherwise stated. The information was provided by Kasper
Bleepingcomputer
Ransomware gangs exploit Paragon Partition Manager bug in BYOVD attacks (blogs_bleepingcomputer · 2025-03-01 · CVSS 5.1 [MEDIUM])
By Bill Toulas
Microsoft had discovered five Paragon Partition Manager BioNTdrv.sys driver flaws, with one used by ransomware gangs in zero-day attacks to gain SYSTEM privileges in Windows.
The vulnerable drivers were exploited in 'Bring Your Own Vulnerable Driver' (BYOVD) attacks where threat actors drop the kernel driver on a targeted system to elevate privileges.
"An attacker with local access to a device can exploit these vulnerabilities to escalate privileges or cause a denial-of-service (DoS) scenario on the victim's machine," explains a warning from CERT/CC.
"Additionally, as the attack involves a Microsoft-signed Driver, an attacker can leverage a Bring Your Own Vulnerable Driver (BYOVD) technique to ex