
BYOVD Attacks Exploit Zero-Day in Paragon Partition Manager

Ransomware actors have been observed exploiting a zero-day in Paragon Partition Manager in bring-your-own-vulnerable-driver (BYOVD) attacks.

The CERT Coordination Center (CERT/CC) disclosed the activity in a security advisory published on Friday.

It said Microsoft had observed BYOVD attacks exploiting CVE-2025-0289, an insecure kernel resource access vulnerability in version 17 of Paragon Partition Manager's BioNTdrv.sys driver.

According to the advisory, the exploit allowed the attackers to escalate to SYSTEM privileges and then execute further malicious code.

According to CERT/CC, the zero-day is "caused by the failure to validate the MappedSystemVa pointer before passing it to HalReturnToFirmware".


It is one of five vulnerabilities in the driver that Microsoft reported.

"An attacker with local access to a device can exploit these vulnerabilities to escalate privileges or cause a denial-of-service (DoS) scenario on the victim's machine," the advisory said.

"Because the attack involves a Microsoft-signed driver, an attacker can leverage a bring-your-own-vulnerable-driver (BYOVD) technique to exploit systems even if Paragon Partition Manager is not installed."

In a BYOVD attack, adversaries drop a legitimate but vulnerable signed driver onto the victim's system and load it, then exploit it to gain kernel-level access, which lets them bypass or disable security tooling.

The other vulnerabilities in Paragon Partition Manager are:

  • CVE-2025-0288: An arbitrary kernel memory vulnerability in version 7.9.1, caused by the memmove function failing to sanitize user-controlled input. It allows an attacker to write arbitrary kernel memory and achieve privilege escalation
  • CVE-2025-0287: A null pointer dereference vulnerability in version 7.9.1, caused by the absence of a valid MasterLrp structure in the input buffer. It allows an attacker to execute arbitrary kernel code, enabling privilege escalation
  • CVE-2025-0286: An arbitrary kernel memory write vulnerability in version 7.9.1, due to improper validation of user-supplied data lengths. It could allow attackers to execute arbitrary code on the victim's machine
  • CVE-2025-0285: An arbitrary kernel memory mapping vulnerability in version 7.9.1, caused by a failure to validate user-supplied data lengths. Attackers can exploit the flaw to escalate privileges
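Three of the four bugs above share one root cause: an IOCTL handler that trusts a length the caller put in the request buffer. The following is an added illustration of that bug class, written for this page; it is not BioNTdrv.sys code, and the request layout, status codes, handler names and the "pool" struct are all invented for the demonstration, which runs entirely in user mode. It shows a handler that hands an unsanitized length to memmove (overwriting whatever sits after the driver's buffer) beside the hardened form that checks the claimed length against both the size the I/O manager actually delivered and the size of the destination.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical illustration of the bug class behind CVE-2025-0285/0286/0288:
 * an IOCTL handler that trusts a user-supplied length and lets memmove run
 * past a fixed-size kernel buffer. Nothing here is BioNTdrv.sys code; the
 * layout, names and status codes are invented for the demo. */

#define POOL_BUF_SIZE 64
#define NEIGHBOUR_SIZE 8

/* Constructed request layout, as it would arrive in SystemBuffer for a
 * METHOD_BUFFERED IOCTL: a caller-controlled length followed by payload. */
struct request {
    uint32_t data_len;   /* attacker-controlled; must never be trusted as-is */
    uint8_t  data[];
};

/* First POOL_BUF_SIZE bytes model the driver's allocation; the bytes after
 * them model whatever pool object happens to sit next to it. */
struct pool_region {
    uint8_t bytes[POOL_BUF_SIZE + NEIGHBOUR_SIZE];
};

static const uint8_t NEIGHBOUR_PATTERN[NEIGHBOUR_SIZE] =
    { 0xDE, 0xAD, 0xBE, 0xEF, 0xCA, 0xFE, 0xF0, 0x0D };

typedef enum {
    STATUS_SUCCESS = 0,
    STATUS_INVALID_PARAMETER = 1,
    STATUS_BUFFER_TOO_SMALL = 2
} status_t;

typedef status_t (*ioctl_handler_t)(struct pool_region *, const void *, size_t);

/* Vulnerable handler: checks only that a header is present, then copies
 * however many bytes the caller claimed. The caller decides how far past
 * `bytes` the write goes: the "arbitrary kernel memory write" of the CVEs. */
status_t handle_ioctl_vulnerable(struct pool_region *pool,
                                 const void *system_buffer, size_t input_len)
{
    if (input_len < sizeof(struct request))
        return STATUS_INVALID_PARAMETER;
    const struct request *req = system_buffer;
    memmove(pool->bytes, req->data, req->data_len);   /* length unsanitized */
    return STATUS_SUCCESS;
}

/* Hardened handler: the claimed length must not exceed what the I/O manager
 * actually delivered (no over-read) nor the destination size (no over-write). */
status_t handle_ioctl_fixed(struct pool_region *pool,
                            const void *system_buffer, size_t input_len)
{
    if (input_len < sizeof(struct request))
        return STATUS_INVALID_PARAMETER;
    const struct request *req = system_buffer;
    if (req->data_len > input_len - sizeof(struct request))
        return STATUS_INVALID_PARAMETER;        /* claims more than supplied */
    if (req->data_len > POOL_BUF_SIZE)
        return STATUS_BUFFER_TOO_SMALL;         /* would not fit destination */
    memmove(pool->bytes, req->data, req->data_len);
    return STATUS_SUCCESS;
}

/* Drives a handler with a constructed request that claims `claimed` payload
 * bytes but really carries `supplied` bytes of 0x42. Sets *intact to 1 if the
 * neighbouring object survived. Only feed the vulnerable handler
 * claimed <= POOL_BUF_SIZE + NEIGHBOUR_SIZE, or the demo itself overflows. */
status_t run_request(ioctl_handler_t handler, uint32_t claimed,
                     size_t supplied, int *intact)
{
    struct pool_region pool;
    memset(pool.bytes, 0, POOL_BUF_SIZE);
    memcpy(pool.bytes + POOL_BUF_SIZE, NEIGHBOUR_PATTERN, NEIGHBOUR_SIZE);

    size_t input_len = sizeof(struct request) + supplied;
    uint8_t *raw = malloc(input_len);       /* malloc gives usable alignment */
    if (!raw) { *intact = 0; return STATUS_INVALID_PARAMETER; }
    struct request *req = (struct request *)raw;
    req->data_len = claimed;
    memset(req->data, 0x42, supplied);

    status_t st = handler(&pool, raw, input_len);
    *intact = memcmp(pool.bytes + POOL_BUF_SIZE,
                     NEIGHBOUR_PATTERN, NEIGHBOUR_SIZE) == 0;
    free(raw);
    return st;
}

/* Convenience wrappers when only one of the two results is needed. */
int neighbour_survives(ioctl_handler_t h, uint32_t claimed, size_t supplied)
{ int intact; run_request(h, claimed, supplied, &intact); return intact; }
status_t status_of(ioctl_handler_t h, uint32_t claimed, size_t supplied)
{ int intact; return run_request(h, claimed, supplied, &intact); }

int main(void)
{
    uint32_t overflow = POOL_BUF_SIZE + NEIGHBOUR_SIZE;
    printf("vulnerable: status=%d neighbour_intact=%d\n",
           status_of(handle_ioctl_vulnerable, overflow, overflow),
           neighbour_survives(handle_ioctl_vulnerable, overflow, overflow));
    printf("fixed:      status=%d neighbour_intact=%d\n",
           status_of(handle_ioctl_fixed, overflow, overflow),
           neighbour_survives(handle_ioctl_fixed, overflow, overflow));
    printf("fixed, claims 100 supplies 16: status=%d\n",
           status_of(handle_ioctl_fixed, 100, 16));
    return 0;
}
```

The two extra checks in the hardened handler correspond to the two failure modes the advisory lists: a claimed length larger than the delivered buffer reads beyond SystemBuffer, and a claimed length larger than the destination writes beyond the allocation. A real driver would return NTSTATUS codes and would usually also bound the copy with the IOCTL's output buffer length, which the user-mode demo leaves out.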

Paragon Software has updated Partition Manager with a new driver, BioNTdrv.sys version 2.0.0, and has urged users to update.