CVE-2025-0288

HIGH EXPLOITED RANSOMWARE

Paragon Software - Memory Corruption


Exploitation Summary

CVE-2025-0288 has been observed exploited in the wild (reported by VulnCheck KEV), including in ransomware campaigns. EIP tracks 2 public exploits, from researchers MeisamEb and barhen12.

Description

Various Paragon Software products contain an arbitrary kernel memory write vulnerability in biontdrv.sys. An IOCTL handler passes user-controlled input to memmove without validating or sanitizing it, so a local attacker can choose the destination address and length of the copy, write arbitrary kernel memory, and escalate privileges.
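The bug class is easier to see side by side. The following is an added user-mode model written for this page, not code from Paragon, from either PoC, or from biontdrv.sys: a hypothetical request layout, a handler that trusts the caller's destination pointer and length the way the description says memmove is reached, and a hardened handler beside it. The real IOCTL codes and structures of the driver are not on the page and are not reproduced; the enum values and field names are assumptions.

```c
/* Added illustration (not code from the page, Paragon, or the PoCs): a
 * user-mode model of the unvalidated-memmove pattern behind CVE-2025-0288.
 * Request layout, status values and buffer sizes are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical METHOD_BUFFERED-style request: the caller supplies a
 * destination pointer and a length, followed by the bytes to copy. */
typedef struct {
    uint64_t dst;       /* caller-controlled destination address */
    uint32_t len;       /* caller-controlled length */
    uint8_t  data[64];  /* payload bytes to copy */
} copy_request_t;

enum { STATUS_OK = 0, STATUS_INVALID_PARAMETER = 1, STATUS_BUFFER_TOO_SMALL = 2 };

/* Vulnerable pattern: dst and len come straight from the request into
 * memmove, so the caller decides where memory is written. With a
 * non-canonical dst such as 0x4141414141414141 this faults (the crash the
 * DoS PoC shows); with a valid kernel address it is an arbitrary write. */
int vulnerable_ioctl(const copy_request_t *req, size_t in_len)
{
    if (in_len < sizeof(*req))
        return STATUS_BUFFER_TOO_SMALL;
    memmove((void *)(uintptr_t)req->dst, req->data, req->len);
    return STATUS_OK;
}

/* Hardened pattern: the destination is never taken from the request; the
 * copy lands in the request's own output buffer, and len is bounded by both
 * the payload size and the output buffer size before memmove runs. */
int hardened_ioctl(const copy_request_t *req, size_t in_len,
                   uint8_t *out, size_t out_len)
{
    if (in_len < sizeof(*req))
        return STATUS_BUFFER_TOO_SMALL;
    if (req->len > sizeof(req->data) || req->len > out_len)
        return STATUS_INVALID_PARAMETER;
    memmove(out, req->data, req->len);
    return STATUS_OK;
}

/* Constructed demonstration: a buffer standing in for kernel memory the
 * request must never reach, plus the legitimate 8-byte output buffer.
 * Returns 1 when the vulnerable handler clobbers the protected buffer and
 * the hardened handler refuses the same request but accepts a sane one. */
int demo(void)
{
    uint8_t protected_kernel[16] = {0};
    uint8_t out[8] = {0};
    copy_request_t req;

    memset(&req, 0, sizeof(req));
    req.dst = (uint64_t)(uintptr_t)protected_kernel;  /* caller picks the target */
    req.len = sizeof(protected_kernel);
    memset(req.data, 0x41, sizeof(req.data));

    int vuln = vulnerable_ioctl(&req, sizeof(req));
    int clobbered = (protected_kernel[0] == 0x41 && protected_kernel[15] == 0x41);

    int hard = hardened_ioctl(&req, sizeof(req), out, sizeof(out));
    int out_untouched = (out[0] == 0);

    req.len = 4;  /* a request that fits the output buffer */
    int hard_ok = hardened_ioctl(&req, sizeof(req), out, sizeof(out));

    return vuln == STATUS_OK && clobbered
        && hard == STATUS_INVALID_PARAMETER && out_untouched
        && hard_ok == STATUS_OK && out[0] == 0x41 && out[4] == 0;
}

int main(void)
{
    printf("vulnerable handler writes where the caller points, hardened one refuses: %s\n",
           demo() ? "yes" : "no");
    return 0;
}
```

The fix is not a tighter bounds check on a caller-supplied pointer; it is refusing to take the pointer from the caller at all, which is what the hardened handler does.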

Exploits (2)

nomisec · WORKING POC · 1 star
by MeisamEb · local
https://github.com/MeisamEb/CVE-2025-0288

This PoC crashes BioNTDrv.sys by sending a malformed IOCTL request with a caller-controlled destination address (0x4141414141414141, a non-canonical address that faults on access) and length (0x300), reaching the memory corruption bug tracked as CVE-2025-0288. The code is a minimal, functional exploit that talks to the vulnerable driver through DeviceIoControl; because the destination is unusable, it demonstrates a crash rather than a controlled write, which is why it is classified as DoS.

Classification: Working PoC (90%)
Attack type: DoS
Complexity: Trivial
Reliability: Reliable
Target: BioNTDrv.sys (Windows driver)
Auth: none needed
Prerequisites: Access to the vulnerable driver (BioNTDrv.sys) · Local execution context on Windows
Analyzed by devstral-2 on Feb 16, 2026

nomisec · WORKING POC · 1 star
by barhen12 · local
https://github.com/barhen12/CVE-2025-0288

This PoC exploits the memmove vulnerability in BioNTdrv.sys by sending a crafted IOCTL request that triggers an arbitrary kernel memory write. The code opens a handle to the device and sends a maliciously structured input buffer to the driver.

Classification: Working PoC (90%)
Attack type: LPE
Complexity: Moderate
Reliability: Reliable
Target: BioNTdrv.sys (version not specified)
Auth: none needed
Prerequisites: Access to the vulnerable driver (BioNTdrv.sys) · Ability to execute code on the target system
Analyzed by devstral-2 on Feb 16, 2026

Scores

CVSS v3.1 7.8 (High)
EPSS 0.0010 (percentile 27.7%)
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment (CISA's assessment at enrichment time; it may not reflect the VulnCheck KEV exploitation report listed below)
Exploitation none
Automatable no
Technical Impact total

Details

VulnCheck KEV 2025-06-05
Ransomware Use Confirmed
Status published
Products (6)
paragon-software/paragon_backup_&_recovery 15 - 17.39
paragon-software/paragon_disk_wiper 15 - 16
paragon-software/paragon_drive_copy 15 - 16
paragon-software/paragon_hard_disk_manager 15 - 17.39
paragon-software/paragon_migrate_os_to_ssd 4 - 5
paragon-software/paragon_partition_manager 15 - 17.39
Published Mar 03, 2025
Tracked Since Feb 18, 2026