BeyondTrust’s 13th Annual Microsoft Vulnerabilities Report Reveals Drop in Total Volume, But Surge in Critical Risk

  • Critical vulnerabilities doubled year-over-year, signaling rising risk severity as AI-driven discovery and expanding attack surfaces reshape the Microsoft security landscape
  • Elevation of Privilege vulnerabilities accounted for 40% of all flaws, continuing to dominate threat actor pathways and reinforcing identity as the primary attack vector
  • Azure and Dynamics 365 saw a 9x increase in critical vulnerabilities

ATLANTA, April 21, 2026 (GLOBE NEWSWIRE) — BeyondTrust, the global leader in privilege-centric identity security protecting Paths to Privilege™, today released the 13th edition of its annual Microsoft Vulnerabilities Report, revealing a critical shift in the vulnerability landscape: while total vulnerability volume appears to be stabilizing, critical vulnerabilities have surged, indicating that severity and exploitability of vulnerabilities are rapidly increasing.

The report, which provides an in-depth analysis of data from publicly issued Microsoft security bulletins published throughout 2025, highlights a shifting risk profile driven by AI-accelerated vulnerability discovery, expanding cloud adoption, and increasingly sophisticated attacker strategies targeting identity and privilege.

“Don’t be distracted by the dip in total vulnerabilities. Critical vulnerabilities doubled. This is a warning that risk is not decreasing, it is concentrating, and it is concentrating around privilege. Elevation of Privilege made up 40% of all vulnerabilities again this year because that is exactly what attackers need to reach critical systems,” said James Maude, Field CTO at BeyondTrust.

“A ninefold increase in Azure and Dynamics 365 critical vulnerabilities shows where that concentration is happening. Combined with the rising tide of identity compromise attacks that exploit standing privilege, patching alone will not close this gap. The organizations that weather this are the ones treating every vulnerability and identity, human or machine, as a potential path to privilege in their most critical systems, and shrinking those paths before an attacker reaches them.”

Key Highlights from the Report: A Surface-Level Decline Masks a Deeper Shift in Risk

  • Microsoft reported 1,273 total vulnerabilities, a 6% decrease from 1,360 in 2024

At first glance, this decline suggests improvement, potentially reflecting that Microsoft’s continued investment in security is maintaining control, despite a rapidly expanding attack surface. However, it may also indicate that traditional vulnerability tracking is no longer capturing the full picture, particularly as AI-driven systems, non-human identities (NHIs), and complex cloud architectures introduce risks that don’t always map cleanly to CVEs.

At the same time:

  • Critical vulnerabilities doubled year-over-year, rising from 78 to 157, reversing a multi-year downward trend.
  • Elevation of Privilege (EoP) vulnerabilities accounted for 40% (509) of all reported vulnerabilities, reinforcing their role as the most direct path for attackers to escalate access, move laterally, and compromise critical systems, and underscoring the continued importance of identity and privilege in modern attack chains.

Cloud and Enterprise Platforms Drive Critical Risk Expansion

The report found sharp increases in critical vulnerabilities across key Microsoft platforms that had previously seen declining vulnerability activity:

  • Microsoft Azure and Dynamics 365 experienced a 9x increase in critical vulnerabilities, rising from 4 to 37
  • Microsoft Office vulnerabilities surged to 157, more than tripling year-over-year
  • Critical vulnerabilities in Office increased 10x, signaling heightened risk in widely used productivity tools

While critical risk surged across cloud and enterprise platforms, other areas showed signs of improvement:

  • Microsoft Edge vulnerabilities dropped significantly to 50 in 2025, an 83% decrease year-over-year

Security Takeaways:

  • AI is changing the vulnerability equation: AI is accelerating discovery for defenders, while also enabling attackers to analyze patches, reverse engineer fixes, and operationalize exploits faster than ever. This creates a widening gap between vulnerability disclosure and exploitation, where organizations may be exposed before traditional defenses can respond.
  • CVE counts no longer tell the full story: Emerging risks, such as over-privileged AI agents, long-lived machine credentials, and identity misconfigurations, often do not appear in CVE counts despite carrying significant impact, meaning traditional vulnerability tracking is no longer capturing the full picture.

Key Priorities for Organizations:

  • Patch faster—but assume compromise is still possible
  • Apply least privilege to limit the blast radius of an attack and create opportunities for detection and response
  • Adopt identity-first security strategies that secure all identities, human and non-human
  • Focus on paths to privilege, not just individual vulnerabilities

Download the full 2026 Microsoft Vulnerabilities Report here: https://www.beyondtrust.com/resources/whitepapers/microsoft-vulnerability-report

About the Report

The BeyondTrust Microsoft Vulnerabilities Report is based on publicly disclosed vulnerabilities from Microsoft security bulletins and provides a comprehensive analysis of trends across operating systems, cloud platforms, and enterprise applications.

Now in its 13th year, the report serves as a trusted resource for security professionals, providing valuable information about vulnerability trends and the evolving threat landscape to help organizations understand, identify, and address the risks within their Microsoft ecosystems and beyond.

About BeyondTrust

BeyondTrust is the global leader in privilege-centric identity security protecting Paths to Privilege™. Identity alone doesn’t create risk. Privilege does. As human, non-human, and AI agent identities explode across every environment, BeyondTrust is the only company built to discover, control, and secure privilege across all of them from a single platform. Trusted by 20,000 customers, including 75 of the Fortune 100, and recognized as a multi-category leader by Gartner, Forrester, and KuppingerCole, BeyondTrust turns identity security from a management problem into a strategic advantage.

Learn more at www.beyondtrust.com.

Follow BeyondTrust:
X: https://twitter.com/beyondtrust
Blog: https://www.beyondtrust.com/blog
LinkedIn: https://www.linkedin.com/company/beyondtrust
Facebook: https://www.facebook.com/beyondtrust

For BeyondTrust:
BeyondTrust Public Relations
P: (516)-521-5582
E: BeyondTrust@icrinc.com

