
Microsoft identifies five potentially harmful attacks against its own software.
It has been discovered that certain Windows drivers and software were allegedly used in zero-day attacks.
Microsoft has released patches for Paragon Partition Manager after identifying five vulnerabilities in a kernel-level driver. One of these flaws was actively being exploited to distribute ransomware, highlighting the severity of the issue. It's important to note that the vulnerable driver can be exploited even if the partition manager is not installed on the system.
Attackers are using a vulnerable Windows driver to escalate privileges through Microsoft-signed software, which could facilitate ransomware attacks via zero-day exploits. Microsoft confirmed the vulnerabilities by adding the affected version of the driver to its vulnerable driver block list, in addition to fixing the flaws and recommending that users apply the updates immediately.
The vulnerabilities were found in BioNTdrv.sys, a kernel-level driver associated with Paragon Partition Manager software. Cybercriminals who gain access to an endpoint can use this driver (if the software is present) or install it to gain system privileges on Windows, which are suitable for carrying out ransomware attacks.
According to CERT/CC, "an attacker with local access to a device can exploit these vulnerabilities to escalate privileges or cause a denial of service (DoS) on the victim's machine." Furthermore, since the attack involves a driver signed by Microsoft, an attacker could use a technique known as Bring Your Own Vulnerable Driver (BYOVD) to exploit systems, even if Paragon Partition Manager is not installed.
Microsoft stated that four of the vulnerabilities affect versions 7.9.1 and earlier of Paragon Partition Manager, while the fifth, identified as CVE-2025-0298, impacts version 17 and earlier, with the latter apparently being the one used in the ransomware attacks. Therefore, users are advised to update the software to the latest version, which includes BioNTdrv.sys version 2.0.0.
In addition to updating, users are advised to check that the block list is enabled. To do this, go to Settings > Privacy and security > Windows Security > Device security > Core isolation > Microsoft vulnerable driver block list and make sure it is turned on.
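As an added example (not from the article or from Microsoft/Paragon), the following PowerShell audit performs both checks on a host: it looks for BioNTdrv.sys whether it was installed with the partition manager or dropped elsewhere (the BYOVD case), compares its file version against the fixed 2.0.0 build named above, and reports the block list state. It assumes the block list registry toggle is the `VulnerableDriverBlocklistEnable` value Microsoft documents under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Config`, and that the version threshold is as stated in the article.

```powershell
# Added example: audit a host for the vulnerable Paragon BioNTdrv.sys driver and
# for the state of Microsoft's vulnerable driver block list. Run elevated.
# Assumptions: 2.0.0 is the fixed file version (per the article); the registry
# value name below is the one Microsoft documents for the block list toggle.

$FixedVersion = [version]'2.0.0'

# 1. Any registered or loaded kernel driver referencing BioNTdrv, wherever it lives.
#    In a BYOVD scenario the file need not sit in System32\drivers or come from an install.
$svcDrivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.Name -match 'BioNTdrv' -or $_.PathName -match 'BioNTdrv' }

# 2. Also look for the file in the usual driver directory.
$onDisk = Get-ChildItem -Path "$env:SystemRoot\System32\drivers" -Filter 'BioNTdrv*.sys' `
    -ErrorAction SilentlyContinue

$paths = @($svcDrivers.PathName) + @($onDisk.FullName) |
    Where-Object { $_ } | ForEach-Object { $_ -replace '^\\\?\?\\', '' } | Select-Object -Unique

foreach ($p in $paths) {
    if (-not (Test-Path $p)) { Write-Output "Registered but missing on disk: $p"; continue }
    $raw = (Get-Item $p).VersionInfo.FileVersion
    try {
        # Keep only the leading numeric part, e.g. "2.0.0.0" or "1.5.1.0 (build 7)"
        $ver = [version](($raw -split '[^0-9.]')[0])
        $state = if ($ver -lt $FixedVersion) { 'VULNERABLE (older than 2.0.0)' } else { 'patched' }
        Write-Output "BioNTdrv.sys at $p : file version $ver -> $state"
    } catch {
        Write-Output "BioNTdrv.sys at $p : unparseable version '$raw', inspect manually"
    }
}
if (-not $paths) { Write-Output 'BioNTdrv.sys is neither registered nor present in System32\drivers.' }

# 3. Block list state: the registry toggle, and whether HVCI (which enforces the
#    block list) is actually running. SecurityServicesRunning value 2 = HVCI.
$ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' `
    -ErrorAction SilentlyContinue
$blockListOn = ($ci.VulnerableDriverBlocklistEnable -eq 1)
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$hvciRunning = ($dg.SecurityServicesRunning -contains 2)
Write-Output "Vulnerable driver block list enabled: $blockListOn; HVCI running: $hvciRunning"
```

A driver reported as registered but missing on disk, or present outside the expected directory, is worth a closer look even when its version is current, since it indicates someone placed it there deliberately.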