CVE-2025-0285

7.8 HIGH

📋 TL;DR

This vulnerability in Paragon Software's Hard Disk Manager product line lets a local attacker map arbitrary kernel memory into user space through biontdrv.sys, the kernel-mode driver that these products install and load by default. The driver fails to properly validate the length of user-supplied data in a request sent from user mode, so any local user who can run code on the host can use it to read and write kernel memory and escalate from user to kernel (SYSTEM) privileges. Every host running an affected Paragon product with the driver loaded is exposed, regardless of which account is logged on or whether the Paragon application is in use.

💻 Affected Systems

Products:
  • Paragon Hard Disk Manager
  • Paragon Backup & Recovery
  • Paragon Partition Manager
  • Other Paragon disk management products
Versions: All releases of these products prior to the security patches Paragon published in February 2025 (the vendor advisory below lists the fixed driver version)
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all products in the Hard Disk Manager line that use the vulnerable biontdrv.sys driver. The driver loads by default with these products.

📦 What is this software?

Paragon Hard Disk Manager is a commercial Windows suite for disk partitioning, backup/imaging and recovery; Paragon Backup & Recovery and Partition Manager are sold as separate products in the same line. All of them install the kernel-mode driver biontdrv.sys to perform low-level disk access on behalf of the user-mode application, which is why the driver is present and loaded on any host with one of these products installed, even when the application is not running.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with kernel-level access, enabling persistent malware installation, data theft, and disabling of security controls.

🟠

Likely Case

Local privilege escalation allowing attackers to gain SYSTEM/administrator privileges on compromised machines.

🟢

If Mitigated

Limited impact once the patched driver is installed or the driver is disabled. Until then, least privilege and application control only reduce the chance that an attacker obtains the local code execution needed to trigger the bug; they do not reduce its severity, because any local user can reach the driver.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring initial access to the system.
🏢 Internal Only: HIGH - Once an attacker gains initial access (via phishing, malware, etc.), they can exploit this to gain full system control.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access and the ability to execute code as any user on the host; no special privileges or credentials are needed beyond that. Signed kernel drivers with bugs of this kind are attractive to sophisticated attackers because a successful exploit runs in kernel mode and bypasses user-mode security controls entirely.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Security updates released February 2025

Vendor Advisory: https://paragon-software.zendesk.com/hc/en-us/articles/32993902732817-IMPORTANT-Paragon-Driver-Security-Patch-for-All-Products-of-Hard-Disk-Manager-Product-Line-Biontdrv-sys

Restart Required: Yes

Instructions:

1. Visit the Paragon Software support page linked above.
2. Download the latest security update for your specific product (Hard Disk Manager, Backup & Recovery, Partition Manager or another Hard Disk Manager line product).
3. Install the update with administrator rights.
4. Restart the system; the old driver image stays loaded in memory until reboot even after the file on disk has been replaced.
5. Verify that the biontdrv.sys driver version is updated (see How to Verify below).

🔧 Temporary Workarounds

Disable vulnerable driver

windows

Prevent biontdrv.sys from loading by disabling its kernel service. Run the commands from an elevated (administrator) command prompt and record the current start type first so it can be restored after patching. "sc stop" may fail if the driver is in use or does not support unloading; "start= disabled" still takes effect at the next boot, so reboot afterwards and confirm the driver is stopped. The Paragon product will not work while its driver is disabled.

sc qc biontdrv
sc stop biontdrv
sc config biontdrv start= disabled
sc query biontdrv

Remove driver file

windows

Delete or rename the vulnerable driver file. Renaming is preferable to deleting because it can be reversed; either way the copy already in memory keeps running until reboot, and a product repair or reinstall may put the file back, so re-check after any Paragon update. Run from an elevated prompt.

takeown /f C:\Windows\System32\drivers\biontdrv.sys
icacls C:\Windows\System32\drivers\biontdrv.sys /grant administrators:F
del C:\Windows\System32\drivers\biontdrv.sys
rem or, to keep a restorable copy instead of deleting:
rem ren C:\Windows\System32\drivers\biontdrv.sys biontdrv.sys.disabled

🧯 If You Can't Patch

  • Enforce least privilege so that untrusted users and software cannot run code on hosts that carry the driver; this does not close the bug, since any local user can trigger it, but it limits who can reach it
  • Implement application control (WDAC or AppLocker) to block execution of unauthorized programs, which is what an attacker needs in order to send requests to the driver
  • Enable the Microsoft Vulnerable Driver Blocklist (part of HVCI / Core isolation) as defence in depth; it prevents known-abused driver versions from loading, including copies an attacker brings along, but it is not a substitute for installing the patched driver

🔍 How to Verify

Check if Vulnerable:

Check whether biontdrv.sys exists in C:\Windows\System32\drivers\ and whether its kernel service is registered and running. If the file is present, compare its file version with the patched driver version listed in the vendor advisory: an older version is vulnerable whether or not the Paragon application itself is in use, because the driver loads independently of it.

Check Version:

powershell -Command "(Get-Item C:\Windows\System32\drivers\biontdrv.sys).VersionInfo | Format-List FileVersion, ProductVersion"
sc query biontdrv

Verify Fix Applied:

After installing the update and rebooting, confirm that the file version of biontdrv.sys matches the patched version in the vendor advisory (the version string is not a date, and the file's modification time alone is not proof), that the Paragon product reports the updated release, and that the driver now running is the new one (sc query biontdrv shows RUNNING after the reboot, so the old image is no longer loaded).
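The checks above gathered into one script, as an added PowerShell example that is not code from this page or from Paragon. It assumes the default driver path and the kernel service name biontdrv used by the workaround commands, and it reports the file identity (version, hash, signer) together with the service state rather than deciding on its own, because the fixed version number is stated in the vendor advisory, not here.

```powershell
# Added example, not from the Paragon advisory or the original page. Assumes the driver
# file sits at the default path and is registered as kernel service 'biontdrv' (both
# taken from the workaround commands above); adjust if your installation differs.
# Run from an elevated PowerShell session.

$DriverPath  = 'C:\Windows\System32\drivers\biontdrv.sys'
$ServiceName = 'biontdrv'

function Get-BiontdrvStatus {
    # Collect what is needed to decide whether the host still carries the vulnerable
    # driver: file identity (version, hash, signer, timestamp) and whether the kernel
    # service is registered, enabled and currently running.
    $status = [ordered]@{
        FileExists     = Test-Path -LiteralPath $DriverPath
        FileVersion    = $null
        ProductVersion = $null
        LastWriteTime  = $null
        SHA256         = $null
        Signer         = $null
        ServiceStart   = 'not registered'
        ServiceState   = 'not registered'
        Loaded         = $false
    }

    if ($status.FileExists) {
        $file = Get-Item -LiteralPath $DriverPath
        $status.FileVersion    = $file.VersionInfo.FileVersion
        $status.ProductVersion = $file.VersionInfo.ProductVersion
        $status.LastWriteTime  = $file.LastWriteTime
        $status.SHA256         = (Get-FileHash -LiteralPath $DriverPath -Algorithm SHA256).Hash
        $sig = Get-AuthenticodeSignature -LiteralPath $DriverPath
        $status.Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "no valid signature ($($sig.Status))" }
    }

    # Win32_SystemDriver lists kernel-mode services; State 'Running' means the driver is loaded now.
    $svc = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue
    if ($svc) {
        $status.ServiceStart = $svc.StartMode
        $status.ServiceState = $svc.State
        $status.Loaded       = ($svc.State -eq 'Running')
    }

    [pscustomobject]$status
}

$s = Get-BiontdrvStatus
$s | Format-List

# Verdict: the host is exposed unless the file is absent, or the service is disabled and
# the driver is not loaded. The remaining case needs a comparison of FileVersion with
# the patched driver version given in the vendor advisory.
if (-not $s.FileExists) {
    'biontdrv.sys not present: this host does not carry the driver.'
} elseif ($s.ServiceStart -eq 'Disabled' -and -not $s.Loaded) {
    'Driver present but disabled and not loaded: workaround in place; the patch is still required.'
} else {
    "Driver present, service $($s.ServiceState): compare FileVersion $($s.FileVersion) with the fixed version in the vendor advisory."
}
```

Record the SHA256 value from a known pre-patch host and a known patched host; those two hashes make the fleet-wide check a simple match instead of a version-string comparison.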

📡 Detection & Monitoring

Log Indicators:

  • Driver load events for biontdrv.sys (Sysmon Event ID 6, DriverLoaded), in particular a load from a path outside C:\Windows\System32\drivers\, a hash matching the pre-patch driver, or a load on a host where no Paragon product is installed
  • A SYSTEM-integrity process whose parent is a medium-integrity process belonging to an ordinary user (Sysmon Event ID 1 carries User, ParentUser and IntegrityLevel)
  • Unexpected kernel driver service installations outside a Paragon install or update (System log Event ID 7045, Security log Event ID 4697)

Network Indicators:

  • None - local exploit only

SIEM Query:

Sysmon Event ID 6 (DriverLoaded) is the driver-load event; Sysmon Event ID 7 is Image Loaded (a DLL mapped into a user-mode process) and will not show a kernel driver, so it does not belong in this query. Splunk-style example against a Sysmon index (index name assumed):

index=sysmon EventCode=6 ImageLoaded="*biontdrv*"
| table _time host ImageLoaded Hashes Signature SignatureStatus

Expect a hit at every boot on every host that runs a Paragon product; the signal is a load on a host with no Paragon product installed, a hash equal to the pre-patch driver after the patch rollout, or a load from an unexpected path.
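The same hunt run locally from the Windows event logs, as an added PowerShell example that is not part of the original page. It assumes Sysmon is installed with Event ID 6 (DriverLoaded) not filtered out of its configuration and that the driver's image path contains biontdrv; the 30-day lookback and the System log 7045 check for new service registrations are additions of this example.

```powershell
# Added example, not part of the original page. Assumes Sysmon is installed and logs
# Event ID 6 (DriverLoaded), and that the driver image path contains 'biontdrv'.
# Run elevated so the Sysmon operational log is readable.

$Days  = 30
$Since = (Get-Date).AddDays(-$Days)

function ConvertFrom-SysmonEvent {
    # Flatten the <Data Name="..."> elements of one Sysmon event into a hashtable
    # so fields can be read by name (ImageLoaded, Hashes, Signature, ...).
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $data
}

function Get-BiontdrvDriverLoads {
    # Sysmon ID 6 fires once per driver load. The hash distinguishes the pre-patch
    # image from the fixed one; Signature/SignatureStatus show who signed it and
    # whether the signature still validates.
    param([datetime]$StartTime)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6; StartTime = $StartTime }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $e = ConvertFrom-SysmonEvent -Event $_
        if ($e.ImageLoaded -match 'biontdrv') {
            [pscustomobject]@{
                Time            = $_.TimeCreated
                Host            = $_.MachineName
                ImageLoaded     = $e.ImageLoaded
                Hashes          = $e.Hashes
                Signature       = $e.Signature
                SignatureStatus = $e.SignatureStatus
            }
        }
    }
}

function Get-BiontdrvServiceInstalls {
    # System log 7045 (Service Control Manager) records every newly installed service,
    # kernel drivers included. A fresh biontdrv registration on a host that never had
    # a Paragon product is worth an alert on its own.
    param([datetime]$StartTime)
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = $StartTime }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'biontdrv' } |
        Select-Object TimeCreated, MachineName, Message
}

Get-BiontdrvDriverLoads     -StartTime $Since | Format-Table -AutoSize
Get-BiontdrvServiceInstalls -StartTime $Since | Format-List
```

Feed the Hashes column into the SIEM as an allow-list (patched driver) and a block-list (pre-patch driver) once both values are known from a reference host; a load whose hash is on neither list is the case to investigate first.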
