BeyondTrust Reports Microsoft Vulnerabilities Decline, Yet Critical Vulnerabilities Surge 100%
BeyondTrust has unveiled the 13th edition of its annual Microsoft Vulnerabilities Report, highlighting a significant shift in the cybersecurity landscape. While the overall volume of reported vulnerabilities appears to be stabilizing, critical vulnerabilities have surged dramatically, indicating a concerning trend in the severity and exploitability of these risks.
The report analyzes data from Microsoft security bulletins published throughout 2025, revealing a changing risk profile influenced by AI-driven vulnerability discovery, increased cloud adoption, and more sophisticated attacker strategies focused on identity and privilege.
James Maude, Field CTO at BeyondTrust, emphasized the importance of understanding these trends. He stated, “Don’t be distracted by the dip in total vulnerabilities. Critical vulnerabilities doubled. This is a warning that risk is not decreasing; it is concentrating, particularly around privilege. Elevation of Privilege accounted for 40% of all vulnerabilities this year because that is exactly what attackers need to access critical systems.”
Maude further noted the alarming ninefold increase in critical vulnerabilities within Azure and Dynamics 365, underscoring the need for organizations to treat every vulnerability and identity—whether human or machine—as a potential pathway to privilege in their most critical systems. He warned that merely patching vulnerabilities will not suffice; organizations must proactively shrink these pathways before attackers exploit them.
Key Highlights from the Report: A Surface-Level Decline Masks a Deeper Shift in Risk
Microsoft reported a total of 1,273 vulnerabilities, reflecting a 6% decrease from 1,360 in 2024. At first glance, this decline may suggest an improvement, potentially indicating that Microsoft’s ongoing investments in security are yielding positive results despite a rapidly expanding attack surface. However, this may also point to the inadequacies of traditional vulnerability tracking methods, especially as AI-driven systems, non-human identities (NHIs), and complex cloud architectures introduce risks that do not always align with Common Vulnerabilities and Exposures (CVEs).
The report reveals that:
- Critical vulnerabilities doubled year-over-year, rising from 78 to 157, reversing a multi-year downward trend.
- Elevation of Privilege (EoP) vulnerabilities constituted 40% (509) of all reported vulnerabilities, reinforcing their role as the most direct path for attackers to escalate access, move laterally, and compromise critical systems. This underscores the ongoing significance of identity and privilege in modern attack chains.
Cloud and Enterprise Platforms Drive Critical Risk Expansion
The report identifies sharp increases in critical vulnerabilities across key Microsoft platforms that had previously experienced declining vulnerability activity:
- Microsoft Azure and Dynamics 365 saw a ninefold increase in critical vulnerabilities, rising from 4 to 37.
- Microsoft Office vulnerabilities surged to 157, more than tripling year-over-year.
- Critical vulnerabilities in Office increased tenfold, indicating heightened risk in widely used productivity tools.
While critical risks surged across cloud and enterprise platforms, some areas showed signs of improvement:
- Microsoft Edge vulnerabilities dropped significantly to 50 in 2025, marking an 83% decrease year-over-year.
Security Takeaways
The report highlights several key takeaways for organizations navigating this evolving threat landscape:
- AI is changing the vulnerability equation: AI is accelerating discovery for defenders while also enabling attackers to analyze patches, reverse engineer fixes, and operationalize exploits more rapidly than ever. This creates a widening gap between vulnerability disclosure and exploitation, leaving organizations exposed before traditional defenses can respond.
- CVE counts no longer tell the full story: Emerging risks, such as over-privileged AI agents, long-lived machine credentials, and identity misconfigurations, often do not appear in CVE counts, despite their significant impact. This indicates that traditional vulnerability tracking methods are no longer capturing the complete picture.
Key Priorities for Organizations
To effectively manage these risks, organizations should prioritize the following strategies:
- Patch faster: Organizations must adopt a proactive approach to patching while assuming that compromise is still possible.
- Apply least privilege: Limiting access rights can reduce the blast radius of an attack and create opportunities for detection and response.
- Adopt identity-first security strategies: Securing all identities—human and non-human—is essential in today’s threat landscape.
- Focus on paths to privilege: Organizations should concentrate on identifying and mitigating pathways to privilege, rather than solely addressing individual vulnerabilities.
As the cybersecurity landscape continues to evolve, organizations must remain vigilant and adaptable to effectively manage the increasing complexity and severity of vulnerabilities.
Source: securitymea.com


