Wilson's Media

A Tech & Gaming Blog

Microsoft discovers five potentially damaging attacks against its own software

  • Microsoft patches Paragon Partition Manager, after finding five flaws in a kernel-level driver
  • One of the flaws was being actively used to drop ransomware
  • The driver can be abused even without the partition manager installed

Hackers are using a vulnerable Windows driver to escalate privileges through Microsoft software, allowing possible ransomware attacks via zero-days.

Microsoft confirmed the findings when it added the affected version of the driver to its Vulnerable Driver Blocklist – and at the same time, it patched five flaws in the flawed software and urged users to apply updates as soon as possible.

The flaws were apparently found in BioNTdrv.sys, a kernel-level driver for a piece of software called Paragon Partition Manager. Cybercriminals who already managed to gain some access to a target endpoint would either use this driver (if the software is installed on the device), or drop it, to gain SYSTEM privileges in Windows, used to mount ransomware attacks.

Checking the blocklist

“An attacker with local access to a device can exploit these vulnerabilities to escalate privileges or cause a denial-of-service (DoS) scenario on the victim’s machine,” CERT/CC said. “Additionally, as the attack involves a Microsoft-signed Driver, an attacker can leverage a Bring Your Own Vulnerable Driver (BYOVD) technique to exploit systems even if Paragon Partition Manager is not installed. “

Microsoft said four of the flaws affected Paragon Partition Manager versions 7.9.1 and older, with the fifth one (CVE-2025-0298) impacting version 17 and older – which was also the one apparently being actively exploited in ransomware attacks.

Now, users are urged to upgrade the software to the latest version, since it also comes with BioNTdrv.sys version 2.0.0.

Besides upgrading the software, users should also double-check if the blocklist is enabled, by going to Settings – Privacy and Security – Windows Security – Device Security – Core Isolation – Microsoft Vulnerable Driver Blocklist and making sure it’s turned on.

Via BleepingComputer

You might also like


Source

Microsoft patches Paragon Partition Manager, after finding five flaws in a kernel-level driver One of the flaws was being actively used to drop ransomware The driver can be abused even without the partition manager installed Hackers are using a vulnerable Windows driver to escalate privileges through Microsoft software, allowing possible…

Tags: ,
Previous Post

Leave a Reply

Your email address will not be published. Required fields are marked *

Recent Posts

Archives