Skip to main content
CybersecurityVulnerability Management

Microsoft Vulnerabilities Spike in Critical Areas

Laptop on a table with blurred background, symbolizing vulnerability.

CVE-2025-55241, a critical Entra ID flaw patched in July 2025, “allowed an attacker [to] forge tokens accepted across any tenant, leaving no trace in victim logs,” a stark example of how a single identity weakness can hand an attacker tenant-wide access.

Critical vulnerabilities doubled even as totals held steady

BeyondTrust's 2026 Microsoft Vulnerabilities Report shows a paradox: Microsoft disclosed 1,273 vulnerabilities in 2025, down from 1,360 the prior year, and overall totals have remained in a stable range from 2020–2026. Yet critical vulnerabilities rose sharply — from 78 in 2024 to 157 in 2025 — effectively doubling year over year and reversing a multi-year decline.

That divergence — steady volume, escalating impact — is the central finding the report emphasizes. The headline number of CVEs masks where the real danger now concentrates: a smaller fraction of flaws that enable high-impact compromise.

Elevation of Privilege and Information Disclosure: attackers favour stealth

The report identifies a clear shift in vulnerability type. Elevation of Privilege flaws account for 40% of all CVEs, and Information Disclosure vulnerabilities rose 73% year over year. Together, these trends signal that attackers prioritize stealthy reconnaissance and privilege abuse over “noisy” exploitation campaigns.

As the authors put it, privilege is where vulnerabilities become breaches. Threat actors increasingly rely on escalating access quietly and moving laterally using legitimate credentials and Living Off the Land techniques — tactics that reduce forensic visibility and multiply impact once inside.

Cloud alarms: Azure and Dynamics 365 criticals jump from 4 to 37

The report flags cloud and business platforms as particularly hazardous when critical flaws appear. Microsoft Azure and Dynamics 365 saw a small decline in total vulnerability count, but critical vulnerabilities leapt from 4 to 37 in a single year.

BeyondTrust frames cloud platforms not merely as infrastructure but as operational control planes: identity and access management, business automation, and enterprise control surfaces. A critical flaw in these environments can “collapse trust boundaries at machine speed” and enlarge the blast radius well beyond data exposure, affecting workflows and entire business operations.

Endpoints, servers, and productivity: mixed trends, big risks

On the endpoint and server side the picture is uneven. Total Microsoft Windows vulnerability numbers declined, yet critical counts “remained stubbornly consistent and unnervingly high.” Microsoft Windows Server vulnerabilities increased to 780, with 50 classified as critical — a reminder that servers often run with elevated privileges and host shared services that offer high-value access.

Productivity software showed the most dramatic change. Microsoft Office vulnerabilities surged 234% year over year, rising from 47 to 157, while critical Office flaws jumped from 3 to 31 — a tenfold increase. The report notes Office’s position at the intersection of human behavior and daily operations — macros, preview panes, HTML rendering, add-ins, and new AI capabilities — as a persistent abuse surface for social-engineering entry.

What this means for technologists, procurement leaders, and end users

  • Technologists and security teams: Prioritize narrowing the blast radius by auditing standing admin rights, treating service accounts and AI agents with the same scrutiny as human identities, and disabling the Windows preview pane — the report says seven CVEs in 2025 exploited it as an entry point. Patch management remains necessary but is “insufficient” alone; teams must focus first on vulnerabilities that enable privilege escalation, identity abuse, and lateral movement.
  • Procurement leaders and architects: Rethink trust assumptions across cloud, endpoint, server, and productivity layers. The report argues for context-driven prioritization — mapping flaws to exploitability and frameworks like MITRE ATT&CK rather than relying solely on CVSS scores — and for governance controls around AI agents, which the authors say “have quickly evolved from a future concern into a present reality.”
  • End users and business operators: Remain the most reliable entry point when Office vulnerabilities and social engineering spike. The report underscores that user-facing features (document previews, macros, add-ins) and new AI capabilities increase exploitation avenues that ordinary operational workflows expose.

BeyondTrust's 13th annual review closes with a pointed assessment: “The ghost in this data isn’t the vulnerability count. It’s everything those vulnerabilities unlock when the identity controls aren’t there to stop them.” For defenders, the practical next step is not merely faster patching but reducing privileges, improving identity visibility, and applying continuous risk assessment where cloud and machine identities govern access.

Read the original BeyondTrust report summary on BleepingComputer