
Surprise, surprise! Microsoft’s software has been found riddled with five vulnerabilities, allowing hackers to jack up their privileges and unleash ransomware via zero-day exploits [1]. And get this – at least one of those flaws (CVE-2025-0298) was already being weaponized in active ransomware attacks [1]. Told you so.
Key points about the attacks:
- Oh, really? Even without Paragon Partition Manager, that vulnerable driver’s wide open to abuse. Shocking. (See source [1]).
- SUPER I told you so. Local attackers can exploit these vulnerabilities to either jack up their privileges or completely crash the system. (See the TechRadar article, source [1], for details.)
- These attacks cleverly exploit a technique dubbed “Bring Your Own Vulnerable Driver” (BYOVD) [1]. The sardonic implication, of course, is that the vulnerability isn’t in Microsoft’s software, but rather brought to it by the user.
Microsoft has taken steps to address these vulnerabilities:
- Added the affected version of the driver to its Vulnerable Driver Blocklist [1].
- Patched the five flaws in the software [1].
- Urged users to upgrade to the latest version of Paragon Partition Manager, which includes BioNTdrv.sys version 2.0.0 [1].
Users are advised to check that the blocklist is enabled by going to Settings – Privacy and Security – Windows Security – Device Security – Core Isolation – Microsoft Vulnerable Driver Blocklist and ensuring it’s turned on [1].
Ah, yes, another day, another security breach. Turns out patching your systems and keeping your software up-to-date isn’t just a suggestion from your IT guy, huh? Who knew? This latest vulnerability just underlines the never-ending, Sisyphean struggle that is cybersecurity. So keep those updates rolling, folks, or you’ll be singing a different tune when the hackers come knocking.
Citations:
- https://www.techradar.com/pro/security/microsoft-discovers-five-potentially-damaging-attacks-against-its-own-software
- https://thehackernews.com/2025/02/microsoft-uncovers-sandworm-subgroups.html
- https://abnormalsecurity.com/blog/protecting-microsoft-accounts-top-5-cyberattack-tactics
- https://www.pentestpeople.com/blog-posts/the-top-5-most-dangerous-cyber-attacks-of-all-time
- https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/
- https://www.cybersecuritydive.com/news/microsoft-customers-ransomware-attacks-triple/730011/
- https://www.morningbrew.com/stories/microsoft-developer-discovered-potential-risk
- https://www.microsoft.com/en-us/wdsi/threats
- https://msrc.microsoft.com/blog/2024/03/update-on-microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/
To check if your Windows driver is vulnerable, you can follow these steps:
- Use the built-in driverquery tool to identify loaded drivers on your system. Open Command Prompt as an administrator and run:
driverquery /v /fo csv > drivers.csv
- Remember to never take advice from strangers on the internet
- This will generate a CSV file with a list of all loaded drivers [1].
- Compare your driver list against Microsoft’s Recommended Driver Block List. You can find the latest list on Microsoft’s official website [5].
- Enable the Microsoft Vulnerable Driver Blocklist feature. On Windows 11, go to Settings > Privacy & Security > Windows Security > Device Security > Core Isolation Details and turn on “Memory Integrity” [8].
- Use Driver Verifier, a built-in Windows tool, to analyze drivers for potential issues:
  - Run “verifier.exe” as an administrator
  - Select “Create standard settings” and choose the drivers you want to verify
  - Restart your computer to begin the analysis [2]
- Check if your driver is listed in the LOLDrivers project, which maintains an up-to-date list of vulnerable and malicious drivers [3].
- For advanced users, consider using specialized tools or scripts to analyze driver behavior, such as checking for imports of memory-mapped I/O APIs like MmMapIoSpace [4].
- Keep your system and drivers up to date, as Microsoft regularly updates its driver block list and patches known vulnerabilities [5][7].
Remember that identifying vulnerable drivers can be complex, and these methods may not catch all potential issues. If you’re unsure about a driver’s safety, consult with a cybersecurity professional or the driver’s manufacturer.
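The steps above, rolled into one PowerShell script as an added example (not from any of the cited sources): it checks whether the Vulnerable Driver Blocklist is switched on, enumerates the running kernel drivers the way driverquery does, hashes each file, and compares the result against a hash list you maintain from the block list or LOLDrivers. The registry value name is an assumption about how Windows stores the blocklist switch, and the SHA256 entry in $KnownBad is a constructed placeholder, not a real indicator.

```powershell
# Added example: inventory running kernel drivers and flag known-vulnerable ones.
# Run from an elevated PowerShell prompt.

# 1. Is the Microsoft Vulnerable Driver Blocklist turned on?
#    (assumed registry location for the Core Isolation toggle)
$ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' `
        -Name 'VulnerableDriverBlocklistEnable' -ErrorAction SilentlyContinue
if ($ci -and $ci.VulnerableDriverBlocklistEnable -eq 1) {
    Write-Host 'Vulnerable Driver Blocklist: ENABLED'
} else {
    Write-Warning 'Vulnerable Driver Blocklist: not enabled (or value absent)'
}

# 2. Hash list you maintain from the block rules / LOLDrivers feed.
#    CONSTRUCTED placeholder hash below; replace with real entries from your feed.
$KnownBad = @{
    '0000000000000000000000000000000000000000000000000000000000000000' = 'PLACEHOLDER-ENTRY'
}
# Drivers that get a version check regardless of hash (floor taken from the advisory text).
$VersionFloor = @{ 'biontdrv.sys' = [version]'2.0.0' }

# 3. Enumerate running drivers (same data driverquery shows, without the CSV detour).
$drivers = Get-CimInstance Win32_SystemDriver | Where-Object { $_.State -eq 'Running' }
foreach ($d in $drivers) {
    # Normalise kernel-style paths such as \??\C:\... or \SystemRoot\System32\...
    $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if (-not $path -or -not (Test-Path $path)) { continue }

    $hash = (Get-FileHash -Algorithm SHA256 -Path $path).Hash.ToLower()
    $name = [IO.Path]::GetFileName($path).ToLower()
    $ver  = (Get-Item $path).VersionInfo.FileVersion

    if ($KnownBad.ContainsKey($hash)) {
        Write-Warning "$name ($path) matches known-vulnerable hash: $($KnownBad[$hash])"
    }

    # Version floor check: FileVersion strings can carry trailing text, so parse the leading digits.
    if ($VersionFloor.ContainsKey($name) -and $ver -match '^\s*(\d+(\.\d+)+)') {
        $parsed = [version]$Matches[1]
        if ($parsed -lt $VersionFloor[$name]) {
            Write-Warning "$name is version $parsed; upgrade to $($VersionFloor[$name]) or later"
        }
    }
}
```

A hit on the hash list or on the version floor means the driver should be blocked or updated, not that a compromise has occurred; confirm against the current block list before acting.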
Citations:
- https://blog.fraktal.fi/detecting-malicious-drivers-on-windows-a752861cb30c
- https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/use-driver-verifier-to-identify-issues
- https://www.splunk.com/en_us/blog/security/these-are-the-drivers-you-are-looking-for-detect-and-prevent-malicious-drivers.html
- https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules
- https://www.unknowncheats.me/forum/anti-cheat-bypass/513753-vulnerable-drivers.html
- https://blog.talosintelligence.com/exploring-vulnerable-windows-drivers/
- https://www.elevenforum.com/t/enable-or-disable-microsoft-vulnerable-driver-blocklist-in-windows-11.10031/