SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers
James Maude

Critical Microsoft vulnerabilities double in yearly report

Wed, 22nd Apr 2026

BeyondTrust has published the 13th edition of its annual Microsoft Vulnerabilities Report, which finds that critical Microsoft vulnerabilities doubled over the past year.

Based on publicly disclosed vulnerabilities in Microsoft security bulletins issued throughout 2025, the report points to a shift in the mix of flaws rather than a simple rise in overall volume.

Microsoft reported 1,273 total vulnerabilities in 2025, down 6% from 1,360 in 2024. But the number of critical flaws rose sharply, from 78 to 157, reversing what BeyondTrust described as a multi-year downward trend.

Elevation of Privilege vulnerabilities remained the largest category, accounting for 509 flaws, or 40% of the total. These vulnerabilities are closely watched because they can allow attackers to gain broader access inside systems after an initial breach.

James Maude, Field CTO at BeyondTrust, said the decline in overall vulnerabilities should not obscure the change in risk.

"Don't be distracted by the dip in total vulnerabilities. Critical vulnerabilities doubled. This is a warning that risk is not decreasing, it is concentrating, and it is concentrating around privilege. Elevation of Privilege made up 40% of all vulnerabilities again this year because that is exactly what attackers need to reach critical systems," Maude said.

Cloud shift

The report identified sharp increases in critical vulnerabilities affecting Azure and Dynamics 365. Those products recorded 37 critical vulnerabilities, up from four a year earlier, a ninefold increase.

Office also saw a marked rise. Microsoft Office vulnerabilities climbed to 157, more than triple the previous year's total, while the number classified as critical increased tenfold.

Not every Microsoft product line moved in the same direction. Edge vulnerabilities fell to 50 in 2025, an 83% year-on-year drop, suggesting risk levels varied widely across the company's software estate.

The report argues that the figures reflect a broader shift in how vulnerabilities are discovered and exploited. It points to the use of artificial intelligence by defenders and attackers alike, enabling faster analysis of patches and quicker efforts to turn disclosed weaknesses into working exploits.

BeyondTrust also noted that some emerging risks may not be fully reflected in common vulnerability counts. It highlighted over-privileged AI agents, long-lived machine credentials and identity misconfigurations as examples of issues that may sit outside standard CVE tracking while still posing material security concerns.

Identity focus

The concentration of Elevation of Privilege flaws reinforced the role of identity and access in Microsoft's security landscape, the report said. In practice, that means organisations may need to focus not only on patching software but also on limiting the access granted to users, systems and automated accounts.

Maude said the rise in cloud-related critical flaws shows where that concentration is becoming most visible.

"A ninefold increase in Azure and Dynamics 365 critical vulnerabilities shows where that concentration is happening. Combined with the rising tide of identity compromise attacks that exploit standing privilege, patching alone will not close this gap. The organisations that weather this are the ones treating every vulnerability and identity, human or machine, as a potential path to privilege in their most critical systems, and shrinking those paths before an attacker reaches them," he said.

The report recommends faster patching, least-privilege access controls and an identity-led approach to security that covers both human and non-human accounts. It also urges organisations to focus on routes that can lead to privileged access rather than treating each software flaw in isolation.

Now in its 13th year, the Microsoft Vulnerabilities Report analyses trends across operating systems, cloud services and business applications using Microsoft's published security bulletins as its underlying data source.