Microsoft Vulnerabilities Report 2026: Critical Flaws Surge 101% as Azure and Dynamics 365 Face Increased Risk
The 2026 Microsoft Vulnerabilities Report from BeyondTrust shows a 101% increase in critical vulnerabilities in 2025, reversing a decade-long decline and concentrating risk in Azure and Dynamics 365.

The cybersecurity landscape for Microsoft products presented a starkly mixed picture in 2025, according to the 13th annual Microsoft Vulnerabilities Report released by BeyondTrust. While the total number of disclosed vulnerabilities saw a modest 6% decrease, falling from 1,360 in 2024 to 1,273 in 2025, this topline figure masks a significant and concerning trend: critical vulnerabilities more than doubled, surging from 78 to 157 in the same period. This reversal of a decade-long decline in critical flaws signals a potential shift in the nature of threats facing Microsoft's vast ecosystem.
This dramatic increase in critical vulnerabilities, representing a 101% jump, is particularly alarming as these are the flaws most likely to enable remote, unauthenticated, or low-complexity full system compromise. The report highlights that organizations relying solely on CVSS scoring might be underestimating their exposure, as Microsoft's own severity ratings, which consider real-world exploitability, paint a more dire picture. The share of critical vulnerabilities within the total jumped from 5.74% in 2024 to over 12% in 2025, a significant concentration of risk that experts are flagging as a genuine structural change.
The primary drivers behind this surge appear to be Microsoft Azure and Dynamics 365, which experienced a ninefold increase in critical vulnerabilities, rising from just 4 in 2024 to 37 in 2025. This concentration of risk in Azure, the foundational layer for AI integrations, machine identities, and privileged workloads, is especially concerning given the increasing reliance on autonomous non-human identities. The report points to CVE-2025-55241, a critical Entra ID token-forgery flaw, as a prime example of how a single cloud-identity vulnerability could collapse trust boundaries with devastating speed, although it was patched by Microsoft without confirmed exploitation.
Microsoft Office also saw a significant uptick in vulnerabilities, with the total number more than tripling year-over-year, from 47 to 157. Crucially, critical Office vulnerabilities increased tenfold, from 3 to 31. Given Office's persistent role as a common initial access vector through malicious documents and macros, this spike directly impacts the calculus for defenders against phishing and document-based attacks. Vulnerabilities like CVE-2025-62557 and CVE-2025-62554, which combined memory corruption and type confusion to enable remote code execution via the file preview pane, exemplify the heightened risk.
Amidst these concerning trends, Microsoft Edge stands out as a success story. The browser saw a substantial 83% year-over-year decline in vulnerabilities, dropping to just 50 in 2025, with none classified as critical. This improvement is attributed to the ongoing hardening work on its Chromium-based architecture, demonstrating the potential for secure-by-design principles to yield tangible security benefits across Microsoft's product suite.
The report emphasizes that the sheer volume of vulnerabilities no longer tells the full story of risk. The shift towards more critical flaws, particularly within cloud infrastructure and widely used productivity suites, necessitates a more nuanced approach to vulnerability management. Defenders must prioritize based on severity and exploitability, paying close attention to the specific risk concentrations highlighted in the report.
BeyondTrust's analysis, which spans thirteen years of Microsoft security bulletins, provides a crucial longitudinal dataset for understanding these structural changes. The reversal of the long-term trend of decreasing critical vulnerabilities suggests that while Microsoft continues to invest in secure engineering and patching cadences, the evolving threat landscape and the complexity of modern software, especially in cloud and AI-driven environments, present new and intensified challenges.
This report serves as a critical call to action for security teams managing Microsoft environments. The doubling of critical vulnerabilities, coupled with their concentration in high-impact areas like Azure and Office, demands a reassessment of patching priorities and defensive strategies to mitigate the growing exposure window. The full report offers deeper technical insights and expert commentary for those seeking to navigate this complex security terrain.