A new report from BeyondTrust says the total number of Microsoft vulnerabilities disclosed in 2025 fell compared with 2024, but the number classed as critical rose sharply, pointing to a shift in risk from volume to severity.
BeyondTrust’s 13th annual Microsoft Vulnerabilities Report, based on the Microsoft security bulletins published throughout 2025, recorded 1,273 vulnerabilities, down 6% from 1,360 in 2024. Over the same period, critical vulnerabilities increased from 78 to 157, reversing what the report describes as a multi-year downward trend.
“Don’t be distracted by the dip in total vulnerabilities. Critical vulnerabilities doubled. This is a warning that risk is not decreasing, it is concentrating, and it is concentrating around privilege. Elevation of Privilege made up 40% of all vulnerabilities again this year because that is exactly what attackers need to reach critical systems,” said James Maude, Field CTO at BeyondTrust.
The report says Elevation of Privilege vulnerabilities accounted for 40% (509) of all reported issues, which it argues reinforces identity and privilege as central concerns in attack chains that seek lateral movement and access escalation.
BeyondTrust also pointed to increased critical vulnerabilities in major cloud and enterprise platforms. It said Microsoft Azure and Dynamics 365 recorded a ninefold increase in critical vulnerabilities, rising from 4 to 37. Microsoft Office vulnerabilities rose to 157, and the report said critical vulnerabilities in Office increased tenfold year over year.
Not all categories moved in the same direction. The report said Microsoft Edge vulnerabilities fell to 50 in 2025, an 83% decrease year over year.
BeyondTrust attributed the overall risk shift to factors including AI-accelerated vulnerability discovery, expanding cloud adoption, and attacker tactics that target identity and privilege. It also argued that traditional vulnerability tracking may not fully reflect emerging risks, citing “non-human identities (NHIs)” and complex cloud architectures that may not map cleanly to CVE reporting.
Maude said the increase in critical vulnerabilities in Azure and Dynamics 365, combined with identity compromise attacks exploiting standing privilege, means “patching alone will not close this gap.”
As mitigation priorities, BeyondTrust advised organisations to patch quickly while assuming compromise is still possible, apply least privilege, adopt “identity-first” security across human and non-human identities, and focus on “paths to privilege” rather than individual vulnerabilities.
You can read the full report here.