VYPR · Published May 19, 2026 · 1 source

Critical Microsoft Vulnerabilities Doubled in 2025, Report Finds

Microsoft's total vulnerability count dipped in 2025, but critical-severity flaws doubled year-over-year, driven by privilege escalation and identity abuse, according to BeyondTrust.

Microsoft disclosed 1,273 vulnerabilities in 2025, a slight decrease from 1,360 in 2024, but the number of critical-severity flaws doubled from 78 to 157, reversing a multi-year downward trend, according to the 2026 Microsoft Vulnerabilities Report by BeyondTrust. The report highlights a shift in attacker focus from initial access to post-exploitation techniques, with Elevation of Privilege vulnerabilities accounting for 40% of all CVEs and Information Disclosure flaws rising 73% year-over-year.

Attackers are increasingly targeting privilege escalation and identity abuse, particularly in Active Directory and Entra ID. A single misconfigured identity in Azure can provide attackers with tenant-wide access, as illustrated by CVE-2025-55241, a critical Entra ID flaw that allowed token forgery across tenants without leaving logs. The report emphasizes that privilege is where vulnerabilities become breaches, and threat actors are using legitimate credentials and Living Off the Land tactics to move laterally.

Cloud platforms saw a dramatic spike in critical vulnerabilities, with Azure and Dynamics 365 jumping from 4 to 37 critical flaws in a single year. These platforms are now central to business operations, handling identity management, automation, and control planes. A critical flaw in these environments can cripple entire workflows and collapse trust boundaries at machine speed.

On the endpoint and server side, Microsoft Windows vulnerability numbers declined, but critical counts remained high. Windows Server vulnerabilities increased to 780, with 50 classified as critical. Servers remain high-value targets because they often run with elevated privileges and host shared services. Productivity software also saw a surge: Microsoft Office vulnerabilities rose 234% year-over-year, from 47 to 157, with critical flaws jumping from 3 to 31.

The report underscores that patch management alone is insufficient. Organizations must prioritize vulnerabilities that enable privilege escalation, identity abuse, and lateral movement. This requires context, knowledge of exploits, and mappings to frameworks like MITRE ATT&CK, not just CVSS scores. The authors recommend auditing standing admin rights, treating service accounts and AI agents with the same scrutiny as human identities, and disabling the Windows preview pane, which was exploited in seven CVEs in 2025.
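The prioritisation the report calls for can be made concrete. The following scorer is an added illustration, not BeyondTrust's or Microsoft's own method: it ranks findings by CVSS plus context (vulnerability class, mapped ATT&CK tactic, known exploitation, and the tier of the affected asset) and shows how an exploited Elevation of Privilege flaw on an identity control plane outranks a higher-CVSS remote code execution bug that is not being exploited. The weights, tactic names, tier scheme and all CVE records are assumptions constructed for the example; the CVE identifiers are placeholders, not real advisories.

```python
"""Context-aware vulnerability prioritisation (illustrative, not a vendor method).

Every record below is constructed sample data with placeholder CVE IDs.
The weights are assumptions chosen to show the idea, not calibrated values.
"""
from dataclasses import dataclass

# Assumed weights: classes that enable post-exploitation score higher.
CLASS_WEIGHT = {
    "Elevation of Privilege": 3.0,
    "Information Disclosure": 2.0,
    "Remote Code Execution": 2.0,
    "Denial of Service": 0.5,
}

# Assumed weights for the (simplified) ATT&CK tactic a flaw maps to.
TACTIC_WEIGHT = {
    "privilege-escalation": 3.0,
    "lateral-movement": 3.0,
    "credential-access": 2.5,
    "initial-access": 1.0,
    "impact": 0.5,
}

# Assumed asset tiers: 0 = identity / control plane, 1 = server, 2 = workstation.
TIER_WEIGHT = {0: 4.0, 1: 2.0, 2: 0.0}
EXPLOITED_BONUS = 4.0  # assumption: confirmed in-the-wild exploitation


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float
    vuln_class: str
    product: str
    exploited_in_wild: bool
    attack_tactics: tuple
    asset_tier: int


def context_score(f: Finding) -> float:
    """CVSS base score plus context; higher means fix sooner."""
    score = f.cvss
    score += CLASS_WEIGHT.get(f.vuln_class, 1.0)
    # Take the most dangerous mapped tactic rather than summing them all.
    score += max((TACTIC_WEIGHT.get(t, 0.0) for t in f.attack_tactics), default=0.0)
    if f.exploited_in_wild:
        score += EXPLOITED_BONUS
    score += TIER_WEIGHT.get(f.asset_tier, 0.0)
    return round(score, 1)


def prioritize(findings):
    """Order by context score, then CVSS, then ID for a stable result."""
    return sorted(findings, key=lambda f: (-context_score(f), -f.cvss, f.cve))


def by_cvss_only(findings):
    """The naive ordering the report argues is insufficient."""
    return sorted(findings, key=lambda f: (-f.cvss, f.cve))


def ranking_ids(findings, ranker=prioritize):
    return [f.cve for f in ranker(findings)]


# Constructed sample findings (placeholder IDs, not real CVEs).
SAMPLE = [
    Finding("CVE-0000-0001", 9.8, "Remote Code Execution", "Windows Server",
            False, ("initial-access",), 1),
    Finding("CVE-0000-0002", 7.8, "Elevation of Privilege", "Entra ID",
            True, ("privilege-escalation", "lateral-movement"), 0),
    Finding("CVE-0000-0003", 5.5, "Information Disclosure", "Windows",
            False, ("credential-access",), 2),
    Finding("CVE-0000-0004", 7.5, "Denial of Service", "Office",
            False, ("impact",), 2),
]

if __name__ == "__main__":
    print("CVSS only :", ranking_ids(SAMPLE, by_cvss_only))
    print("In context:", ranking_ids(SAMPLE))
    for f in prioritize(SAMPLE):
        print(f"{f.cve}  cvss={f.cvss:<4} context={context_score(f)}")
```

With the constructed data, a CVSS-only queue puts the unexploited RCE first and the identity-plane privilege escalation second; the context ranking reverses them, which is the point the report makes about privilege being where vulnerabilities become breaches. In practice the tactic mapping and exploitation flag would come from a vulnerability intelligence feed rather than being hand-entered.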

As AI agents become more prevalent, organizations lack the AI security posture management necessary for proper governance. The report concludes that the organizations ahead of this trend are not just patching faster but rethinking what privilege means in a cloud-first environment.

Synthesized by Vypr AI