Access our demo library to view BeyondTrust products in action.
Learn More Learn MoreComplete your PAM journey with detailed guidance, hands-on capability checklists, and more.
Learn More Learn MoreLearn why Gartner® has named BeyondTrust as a PAM Leader once again.
Learn More Learn MoreExplore how customers are using our solutions to advance security and productivity.
Learn More Learn MoreOffering a wide array of services and benefits tailored to your specific needs
Learn More Learn MoreLearn how BeyondTrust solutions protect companies from cyber threats.
Learn More Learn MoreAccess our demo library to view BeyondTrust products in action.
Learn More Learn MoreIn this blog, we’ll break down some of the most noteworthy findings from the report, explore key trends in Microsoft’s vulnerability landscape, and share actionable insights to help security teams fortify their defenses against emerging threats.
If you only look at the total Microsoft vulnerability volume this year, you might assume that we are entering a period of predictable stability. But as BeyondTrust’s 13th annual Microsoft Vulnerabilities Report reveals, surface-level findings can be deceptive.
This year’s theme, “The Ghost in the Machine,” highlights a significant shift for security teams. While overall vulnerability counts dipped by about 6%, critical severity risks doubled over the past 12 months. At the same time, the rapid rise of autonomous AI agents and machine identities has quietly fractured traditional trust boundaries, creating complex lateral movement paths that traditional patch management cannot solve alone.
In this blog, we’ll break down the most significant findings from this year’s report, dissect the shifting vulnerability landscape across core Microsoft product lines, and outline actionable security strategies to help your organization take proactive action for securing Microsoft environments, and beyond.
The annual Microsoft Vulnerabilities Report compiles and analyzes a full year of Microsoft “Patch Tuesday” data to provide a holistic view of enterprise software security trends.
Because data is only part of the story, our annual report pairs the numbers with deep-dive strategic commentary from an elite panel of global cybersecurity experts, including Jane Frankland, MBE (Founder of the IN Security Movement, CEO of KnewStart, and best-selling author), Sami Laiho (Senior Technical Fellow at Adminize and Microsoft MVP), David (DJ) Morimanno (Field CTO at Xalient), and many more. Together, these insights offer organizations a roadmap for bridging the gap between vulnerability remediation and identity security infrastructure.
The headline number shows that total Microsoft vulnerabilities fell slightly from 1,360 in 2024 to 1,273 in 2025. While a 6% decline represents an “average” year of volume stability, severity tells a much louder story.
Under Microsoft’s Security Update Severity Rating System, which ranks vulnerabilities by their worst theoretical outcome, critical vulnerabilities doubled, jumping from 78 to 157. This stark increase represents a major departure from a multi-year decline in critical flaws.
It’s also important to note that a few years ago, Microsoft transitioned from scoring vulnerabilities with its proprietary severity rating system to the most current National Vulnerabilities Database (NVD) Common Vulnerability Scoring System (CVSS) framework. NVD CVSS metrics, however, only registered a modest 8% increase in critical vulnerabilities, highlighting the need for defenders to look at contextual risk over raw technical scores alone.
For multiple years running, Elevation of Privilege (EoP) remains the dominant vulnerability category, accounting for 40% (509) of all vulnerabilities recorded. Remote Code Execution (RCE) is the second most prevalent vulnerability category.
This consistent pattern underscores a fundamental truth: attackers are not just looking for initial access; they want the power to move laterally. Once a foothold is established, escalating privilege to execute commands and pose as a trusted identity is the fastest path to business disruption.
Breaking the data down by product lines reveals massive shifts in risk allocation across the Microsoft estate:
Microsoft Office: Total Office vulnerabilities increased 234% year-over-year (from 47 to 157), while critical vulnerabilities experienced a 10x increase (from 3 to 31).
Azure & Dynamics 365: While total cloud vulnerabilities plateaued at 69 in 2025, critical vulnerabilities hit a record high, rising from 4 to 37.
Microsoft Copilot: Two critical vulnerabilities, CVE-2025-32711 (EchoLeak) and CVE-2025-5928, demonstrated how attackers can take advantage of emerging AI technologies, using malicious prompts.
Windows Server: Total Windows Server vulnerabilities climbed 14% to 780, while critical vulnerabilities increased by 16%.
Windows Desktop: 612 vulnerabilities (36 of which were critical) were recorded, showing a persistent endpoint attack surface.
Microsoft Edge: On a positive note, Microsoft Edge vulnerabilities reduced by 83%, dropping from 292 to 50.
This year’s findings, combined with broader industry trends such as the rapid adoption of non-human identities (NHIs)—including machine identities, AI agents, and more—highlight several important lessons for security leaders.
The fastest path to impact for modern threat actors is to quietly escalate privilege and operate as a trusted identity. And as identities continue to multiply across today’s organizations, the risk associated with them only continues to grow.
BeyondTrust’s Phantom Labs™ research team found that autonomous AI agents and machine identities are outpacing human accounts and becoming the ultimate privilege amplifiers. Because these NHIs are often deployed with excessive standing access, they are a goldmine for attackers.
This year’s reported spike in Azure vulnerabilities further reinforces this risk. As Jane Frankland, MBE, Founder of the IN Security Movement, CEO of KnewStart, and best-selling author, explains:
"AI agents inherit identity, access, and privilege... The Azure critical vulnerability spike matters here as this is the infrastructure layer where AI services live, authenticate, and interact with your data. A near-10x increase in critical vulnerabilities in that environment, combined with ungoverned machine identities operating autonomously within it, is a converging risk, not a theoretical one."
Enforcing the principle of least privilege (PoLP) is non-negotiable to prevent unauthorized execution or lateral movement. NHIs are no exception, and should be discovered and protected just like any human identity.
This year’s report also revealed the extent of risk built into the infrastructure itself—not just vulnerabilities caused by a simple user error or misconfiguration. CVE-2025-55241 is a prime example called out in this report, as it would have allowed attackers to forge tokens across any Entra ID tenant without leaving logs, if used in an attack.
Vulnerabilities like this one prove that legacy trust boundaries are fracturing silently, reminding us that it’s more important than ever to treat identities and identity infrastructure as a critical attack surface.
According to David (DJ) Morimanno, Field CTO at Xalient:
"The ultimate factor here is trust... Zero Trust matters because modern defense is no longer about assuming trust and then reacting. It is about continuously validating trust, constraining privilege, and governing every identity (human and non-human)...That is the lesson this report should leave with every security leader."
While patching continues to be an essential security practice, this year’s report is a stark reminder that it’s no longer enough on its own. Vulnerabilities and exploits related to AI, including risks within Microsoft Copilot, are often not assigned a CVE or patch to deploy. Plus, as the data in this report shows, vulnerabilities are increasingly impacting the foundational systems that run today’s businesses.
Because cloud environments are so crucial to today’s organizations, the spike in critical cloud vulnerabilities seen in this year’s report directly points to widespread risk across business operations. Additionally, Windows Server vulnerabilities climbed upwards in this report: a significant shift because servers run shared services, form core infrastructure, and frequently operate with high privilege and broad connectivity.
With so much at stake, businesses can’t afford to wait until a vulnerability is discovered and patched. Instead, proactive approaches such as privilege reduction are paramount.
According to Sami Laiho, Senior Technical Fellow at Adminize and Microsoft MVP:
“The report correctly emphasizes that patching remains essential, but it is no longer sufficient. In a landscape where zero days, identity abuse, and AI-driven attack paths are increasingly common, organizations must assume that compromise will occur. The question is no longer ‘can we prevent exploitation?’ but rather, ‘what happens when it does’… From a strategic perspective, this means shifting focus from reactive vulnerability management to proactive privilege reduction.”
Relying entirely on patching or simple fixes is an inadequate defense strategy. Remediation must be paired with proactive architectural guardrails. Implement a multilayered defense-in-depth model built on these key report recommendations:
BeyondTrust offers a multifaceted identity security approach that spans PAM, ITDR, Secrets Management, and CIEM. Our Pathfinder Platform unites all these disciplines into a single console, offering cross-domain visibility of every human and non-human identity, a true least privilege model that supports zero trust across your entire IT estate, secure remote access controls that enable productivity without compromising on security, and so much more.
Because in today’s organizations, including those with Microsoft environments, teams need to go beyond patching to also focus on proactive controls that reduce blast radius and secure every identity, everywhere.
Learn more about this year’s findings and access exclusive commentary from leading cybersecurity experts in the full report.