BeyondTrust has released its 13th annual Microsoft Vulnerabilities Report, highlighting a sharp rise in critical security risks even as the overall number of vulnerabilities declined in 2025.
According to the report, Microsoft recorded 1,273 vulnerabilities in 2025, a 6% drop from 1,360 in 2024. However, critical vulnerabilities nearly doubled from 78 to 157 signaling a shift from volume to severity, with attackers increasingly targeting high-impact weaknesses.
A key concern identified is the dominance of Elevation of Privilege (EoP) vulnerabilities, which accounted for 40% (509) of all reported flaws. These vulnerabilities remain the primary pathway for attackers to escalate access, move laterally, and compromise critical systems, reinforcing identity as the central attack vector.
“Critical vulnerabilities doubled. This is a warning that risk is not decreasing it is concentrating around privilege.” – James Maude
The report also points to a significant rise in risks across cloud and enterprise platforms. Microsoft Azure and Microsoft Dynamics 365 saw a ninefold increase in critical vulnerabilities, while Microsoft Office vulnerabilities surged to 157, with critical issues increasing tenfold. In contrast, Microsoft Edge vulnerabilities dropped sharply by 83%, indicating improvements in some areas.
BeyondTrust attributes the evolving threat landscape to AI-driven vulnerability discovery, expanding cloud adoption, and increasingly sophisticated attack techniques. The findings suggest that traditional metrics such as CVE counts may no longer fully capture emerging risks, particularly those linked to non-human identities and AI systems.
The company emphasized that organizations must shift toward identity-first security strategies, focusing on limiting privilege, reducing attack paths, and assuming compromise even after patching.
Now in its 13th year, the report serves as a key benchmark for security professionals, offering insights into how vulnerability trends are evolving across operating systems, cloud environments, and enterprise applications in an increasingly AI-driven threat landscape.
