- Microsoft patches Paragon Partition Manager after finding five flaws in a kernel-level driver
- One of the flaws was actively exploited to drop ransomware
- The driver can be abused even when the partition manager is not installed
Hackers are abusing a vulnerable, Microsoft-signed Windows driver to escalate privileges, enabling possible zero-day ransomware attacks.
Microsoft confirmed the findings when it added the affected version of the driver to its vulnerable driver blocklist; at the same time, it patched five flaws in the faulty software and urged users to apply the updates as soon as possible.
The flaws were found in BioNTdrv.sys, a kernel-level driver that ships with software called Paragon Partition Manager. Cybercriminals who have already gained an initial foothold can use this driver, either because the software is installed on the device or by dropping the driver themselves, to obtain SYSTEM privileges on Windows, which are then used to stage ransomware attacks.
Check the blocklist
“An attacker with local access to a device can exploit these vulnerabilities to escalate privileges or cause a denial-of-service (DoS) scenario on the victim’s machine,” said CERT/CC. “Additionally, as the attack involves a Microsoft-signed driver, an attacker may leverage a Bring Your Own Vulnerable Driver (BYOVD) technique to exploit systems even if Paragon Partition Manager is not installed.”
Microsoft said that four of the flaws affect Paragon Partition Manager 7.9.1 and later, while the fifth (CVE-2025-0298) affects version 17 and later; that fifth flaw is also the one that was apparently exploited in the wild in ransomware attacks.
Users are now urged to update the software to the latest version, which also ships with BioNTdrv.sys version 2.0.0.
In addition to updating the software, users should verify that the blocklist is enabled by going to Settings – Privacy & security – Windows Security – Device security – Core isolation – Microsoft Vulnerable Driver Blocklist and making sure it is turned on.
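The two checks above (is the vulnerable driver present and older than the fixed build, and is the blocklist switched on) can be run from an elevated PowerShell prompt. This is an added example, not code from the article or from Paragon or Microsoft; the driver name and the 2.0.0 fixed version come from the article, while the registry location used to read the blocklist state is an assumption drawn from Microsoft's code-integrity documentation, so treat the registry check as advisory and confirm in the Settings page.

```powershell
# Added example: audit a Windows host for the BioNTdrv.sys driver discussed above
# and for the Microsoft Vulnerable Driver Blocklist setting. Run as Administrator.

$DriverName   = 'BioNTdrv.sys'          # driver name from the article
$FixedVersion = [version]'2.0.0'        # fixed version from the article

# 1. Locate the driver: registered kernel services plus the system drivers folder.
$paths = @()
$paths += Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName -and $_.PathName -like "*$DriverName" } |
    ForEach-Object { $_.PathName -replace '^\\\?\?\\', '' }   # strip NT \??\ prefix
$paths += Get-ChildItem "$env:SystemRoot\System32\drivers" -Filter $DriverName `
    -ErrorAction SilentlyContinue | ForEach-Object { $_.FullName }
$paths = $paths | Sort-Object -Unique

if (-not $paths) {
    Write-Host "$DriverName not found on this host (BYOVD abuse is still possible; see step 2)."
}
foreach ($p in $paths) {
    try {
        $ver = [version](Get-Item $p).VersionInfo.FileVersion
    } catch {
        Write-Warning "$p : could not parse file version, inspect manually"; continue
    }
    if ($ver -lt $FixedVersion) {
        Write-Warning "$p is version $ver, older than $FixedVersion - update Paragon Partition Manager"
    } else {
        Write-Host "$p is version $ver (at or above the fixed build)"
    }
}

# 2. Blocklist state. ASSUMPTION: the switch is the VulnerableDriverBlocklistEnable
# DWORD under the CI\Config key; on recent Windows 11 builds the blocklist is on by
# default and the value may be absent, which this check reports as 'not reported'.
$ciConfig = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$flag = (Get-ItemProperty -Path $ciConfig -Name VulnerableDriverBlocklistEnable `
    -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
if ($flag -eq 1) {
    Write-Host 'Microsoft Vulnerable Driver Blocklist: enabled'
} else {
    Write-Warning 'Microsoft Vulnerable Driver Blocklist: not reported or disabled - confirm under Windows Security > Device security > Core isolation'
}
```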
Via BleepingComputer