BeyondTrust has released the 13th edition of its annual Microsoft Vulnerabilities Report, revealing a critical shift in the vulnerability landscape: while total vulnerability volume appears to be stabilising, critical vulnerabilities have surged, indicating severity and exploitability of vulnerabilities are rapidly increasing.
The report, which provides an in-depth analysis of data from publicly issued Microsoft security bulletins published throughout 2025, highlights a shifting risk profile driven by AI-accelerated vulnerability discovery, expanding cloud adoption, and increasingly sophisticated attacker strategies targeting identity and privilege.
“Don’t be distracted by the dip in total vulnerabilities. Critical vulnerabilities doubled. This is a warning that risk is not decreasing; it is concentrating, and it is concentrating around privilege. Elevation of Privilege made up 40% of all vulnerabilities again this year because that is exactly what attackers need to reach critical systems,” said James Maude, Field CTO at BeyondTrust.
“A ninefold increase in Azure and Dynamics 365 critical vulnerabilities shows where that concentration is happening. Combined with the rising tide of identity compromise attacks that exploit standing privilege, patching alone will not close this gap. The organisations that weather this are the ones treating every vulnerability and identity, human or machine, as a potential path to privilege in their most critical systems, and shrinking those paths before an attacker reaches them.”
Key highlights from the report: A surface-level decline masks a deeper shift in risk
Microsoft reported 1,273 total vulnerabilities, a 6% decrease from 1,360 in 2024
At first glance, this decline suggests improvement, potentially reflecting Microsoft’s continued investment in security is maintaining control, despite a rapidly expanding attack surface. However, it may also indicate that traditional vulnerability tracking is no longer capturing the full picture, particularly as AI-driven systems, non-human identities (NHIs), and complex cloud architectures introduce risks that don’t always map cleanly to CVEs.
At the same time:
- Critical vulnerabilities doubled year-over-year, rising from 78 to 157, reversing a multi-year downward trend.
- Elevation of Privilege (EoP) vulnerabilities accounted for 40% (509) of all reported vulnerabilities, reinforcing their role as the most direct path for attackers to escalate access, move laterally, and compromise critical systems, and underscoring the continued importance of identity and privilege in modern attack chains.
Cloud and enterprise platforms drive critical risk expansion
The report found sharp increases in critical vulnerabilities across key Microsoft platforms that had previously seen declining vulnerability activity:
- Microsoft Azure and Dynamics 365 experienced a 9x increase in critical vulnerabilities, rising from 4 to 37
- Microsoft Office vulnerabilities surged to 157, more than tripling year-over-year
- Critical vulnerabilities in Office increased 10x, signaling heightened risk in widely used productivity tools
While critical risk surged across cloud and enterprise platforms, other areas showed signs of improvement:
- Microsoft Edge vulnerabilities dropped significantly to 50 in 2025, an 83% decrease year-over-year
Security takeaways:
- AI is changing the vulnerability equation — AI is accelerating discovery for defenders, while also enabling attackers to analyse patches, reverse engineer fixes, and operationalise exploits faster than ever. This creates a widening gap between vulnerability disclosure and exploitation, where organisations may be exposed before traditional defences can respond.
- Hear from experts why CVE counts no longer tell the full story — Emerging risks, such as over-privileged AI agents, long-lived machine credentials, and identity misconfigurations, often do not appear in CVE counts, despite carrying significant impact, meaning traditional vulnerability tracking is no longer capturing the full picture.
Key priorities for organisations:
- Patch faster—but assume compromise is still possible
- Apply least privilege to limit the blast radius of an attack and create opportunities for detection and response
- Adopt identity-first security strategies that secure all identities, human and non-human
- Focus on paths to privilege, not just individual vulnerabilities
Discussion about this post