Vietnam.vn - Platform for promoting Vietnam

Microsoft warns of security vulnerability in Windows disk management software

Báo Thanh niên, 05/03/2025


According to BleepingComputer, Microsoft has added the BioNTdrv.sys driver to the block list after the discovery of security vulnerabilities that hackers can exploit. The vulnerabilities were found in a kernel-level driver in the Paragon Partition Manager software. Hackers can exploit this driver to gain system-level control on Windows and then deploy ransomware. If the software is already installed on the target device, attackers can take advantage of the existing vulnerable driver. If it is not, they can install the driver themselves to break into the system.

According to CERT/CC, these vulnerabilities allow an attacker with local access to the device to escalate privileges or cause a denial of service (DoS) condition. In particular, because the BioNTdrv.sys driver is digitally signed by Microsoft, an attacker can use the "Bring Your Own Vulnerable Driver" (BYOVD) technique, which leverages legitimate but vulnerable drivers to exploit the system.

Microsoft said four of the five vulnerabilities affect Paragon Partition Manager versions 7.9.1 and earlier, while the fifth (CVE-2025-0298) affects version 17 and earlier; the fifth is also the vulnerability that has been actively exploited in recent ransomware attacks.

Warning of security vulnerability in Windows disk management software - Photo 1.

When the Microsoft Vulnerable Driver Blocklist option is disabled, the device is exposed to attacks that use vulnerable drivers.

To mitigate the risk, Microsoft recommends that users upgrade to the latest version of the software, which includes the fixed BioNTdrv.sys 2.0.0. In addition to updating the software, users should also check and enable Microsoft's vulnerable driver blocklist by going to Settings > Privacy and Security > Windows Security > Device Security > Core Isolation > Microsoft Vulnerable Driver Blocklist and making sure it is enabled.
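The two checks recommended above can be scripted for an audit. The following is an added example, not code from the article, Microsoft or Paragon. It assumes the blocklist toggle is backed by the `VulnerableDriverBlocklistEnable` registry value under `CI\Config` and that the driver, when not registered as a service, sits in the default `System32\drivers` folder.

```powershell
# Added audit example (not from the article). Run in an elevated PowerShell session.
$FixedVersion = [version]'2.0.0.0'   # fixed BioNTdrv.sys version named in the article

# 1. Blocklist state: 1 = on, 0 = off; a missing value means the OS default applies.
$ciConfig = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$raw = (Get-ItemProperty -Path $ciConfig -Name VulnerableDriverBlocklistEnable `
            -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
if     ($null -eq $raw) { $blocklist = 'Not set (OS default applies)' }
elseif ($raw -eq 1)     { $blocklist = 'Enabled' }
else                    { $blocklist = 'Disabled' }

# 2. Locate BioNTdrv.sys: registered kernel driver services first, because a
#    driver brought in by an attacker may be loaded from a non-standard folder.
$paths = @(Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -match 'BioNTdrv\.sys$' } |
    ForEach-Object { $_.PathName -replace '^\\\?\?\\', '' })   # strip NT "\??\" prefix
$paths += Join-Path $env:SystemRoot 'System32\drivers\BioNTdrv.sys'  # assumed default path

# 3. Report version, signer and hash for every copy that exists on disk.
$findings = @($paths | Sort-Object -Unique |
    Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object {
        $file = Get-Item -LiteralPath $_
        $ver  = $file.VersionInfo.FileVersionRaw
        $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName
        [pscustomobject]@{
            Path           = $file.FullName
            FileVersion    = $ver
            OlderThanFixed = ($ver -lt $FixedVersion)
            SignatureState = $sig.Status
            Signer         = $sig.SignerCertificate.Subject
            SHA256         = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        }
    })

Write-Output "Microsoft Vulnerable Driver Blocklist: $blocklist"
if ($findings.Count -eq 0) {
    Write-Output 'BioNTdrv.sys not found in registered drivers or the default folder.'
} else {
    $findings | Format-List
    if ($findings.OlderThanFixed -contains $true) {
        Write-Warning 'A BioNTdrv.sys older than 2.0.0 is present: update or remove it.'
    }
}
```

A copy found on a machine where Paragon Partition Manager was never installed deserves investigation regardless of its version, since the article notes attackers may install the driver themselves.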



Source: https://thanhnien.vn/microsoft-canh-bao-lo-hong-bao-mat-cua-phan-mem-quan-ly-o-dia-tren-windows-185250304165924709.htm
