Critical Microsoft Vulnerabilities Doubled: From Exposure to Escalation

· BleepingComputer

Authored by: Morey J. Haber, Chief Security Advisor, BeyondTrust, and James Maude, Field Chief Technology Officer, BeyondTrust

As analyzed in the 2026 Microsoft Vulnerabilities Report, Microsoft disclosed 1,273 vulnerabilities in 2025, which represents a dip from 1,360 the prior year. The good news seems to be that total Microsoft vulnerabilities have remained in a stable range from 2020 – 2026.

But those numbers are the wrong ones to watch. Critical vulnerabilities doubled year-over-year, surging from 78 to 157, reversing a multi-year downward trend.

Stability in total vulnerability volume conceals instability in impact, and that is where organizations should focus their attention.

The most important clue in this data is not how many vulnerabilities were disclosed, but where they are concentrated and what they enable threat actors to potentially compromise.

Where the Risk Is Concentrating

The dominance of Elevation of Privilege vulnerabilities (accounting for 40% of all CVEs), combined with a 73% rise in Information Disclosure flaws, tells us attackers are prioritizing stealth and reconnaissance over noisy exploits.

Privilege is where vulnerabilities become breaches. Threat actors no longer need noisy exploits or mass malware campaigns if they can quietly escalate access and move laterally using legitimate credentials and Living Off the Land tactics.

This trend aligns with real-world breach patterns, where initial access is often mundane, but impact is amplified through excessive privilege, misconfigurations, and weak identity controls.

Nowhere is this more concerning than in cloud and business platforms. Microsoft Azure and Dynamics 365 decreased slightly in total vulnerability count, but critical vulnerabilities spiked dramatically, jumping from 4 to 37 in a single year.

Cloud platforms are not just infrastructure anymore. They are crucial to business operations, providing services that range from identity and access management and business automation to the control planes for entire enterprises.

A critical flaw in these environments poses implications far beyond exposing data. It can cripple an entire workflow (and, ultimately, business operations) and can collapse trust boundaries at machine speed. When cloud vulnerabilities turn critical, the blast radius becomes the defining risk metric.

Download the 2026 Microsoft Vulnerabilities Report

In the 13th edition of this annual report published by BeyondTrust, gain detailed analysis of vulnerabilities and the trends that matter.

Also benefit from expert insights on how to best protect your organization as the threat landscape undergoes rapid evolution.


In practice, a single misconfigured identity in Azure can hand an attacker the keys to your entire tenant, and most organizations wouldn’t know until the damage was done. CVE-2025-55241, a critical Entra ID flaw patched in July 2025, illustrated this precisely: an attacker could forge tokens accepted across any tenant, leaving no trace in victim logs.

On the endpoint and server side, the results are mixed, but still disturbing. Total Microsoft Windows vulnerability numbers declined, yet critical counts remained stubbornly consistent and unnervingly high. Microsoft Windows Server vulnerabilities increased to 780, with 50 classified as critical. Servers remain high-value targets because they often run with elevated privileges, host shared services, and provide the foundation for a wide variety of business infrastructure.

Threat actors understand that compromising a server often provides faster and deeper access than compromising a desktop alone. It's a refrain we hear consistently from CISOs: “We patched everything critical, so why are we still getting breached?” This data explains why.

Perhaps the most notable shift in the data is for productivity software. Microsoft Office vulnerabilities surged 234% year over year, rising from 47 to 157, with critical vulnerabilities jumping from 3 to 31 (a 10x increase from last year).

Microsoft Office remains one of the most abused attack surfaces because it sits at the intersection of human behavior, daily operations, and business continuity.

Macros, document sharing, preview panes, HTML rendering, new AI capabilities, and add-ins create a unique landscape for exploitation. When Office vulnerabilities spike, users remain the most reliable entry point via social engineering.

The category trends reinforce a clear pattern: Elevation of Privilege and Information Disclosure are rising together. Attackers are prioritizing stealth and reconnaissance, and when threat actors know your environment better than your own team does, every subsequent incursion becomes easier.

What Organizations Should Do About It

The immediate defense priority is narrowing the blast radius before the next patch cycle. That means auditing standing admin rights, treating service accounts and AI agents with the same scrutiny as human identities, and disabling the Windows preview pane (seven CVEs in 2025 exploited it as an entry point).
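The first and third of those steps can be checked on a single Windows host with a short script. The following is an added example, not code from the report or from BeyondTrust: it lists the standing members of the local Administrators group, flags everyone beyond the built-in account, and reports whether Explorer preview handlers are enabled. The `ShowPreviewHandlers` registry value and the `-DisablePreviewHandlers` switch are assumptions made for this illustration.

```powershell
# Added example (not from the BeyondTrust report or article): a read-only
# blast-radius audit for one host, with an opt-in switch to turn off Explorer
# preview handlers for the current user.
param([switch]$DisablePreviewHandlers)

function Get-StandingLocalAdmins {
    # Every member here holds admin rights whether or not it is in use right now,
    # which is what "standing" privilege means. The built-in Administrator (RID 500)
    # is expected; anything else deserves review.
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Name           = $_.Name
            Source         = $_.PrincipalSource   # Local, ActiveDirectory, AzureAD, ...
            ObjectClass    = $_.ObjectClass       # User or Group (nested groups hide members)
            IsBuiltInAdmin = ($_.SID.Value -like 'S-1-5-21-*-500')
        }
    }
}

function Get-PreviewHandlerState {
    # Assumption: ShowPreviewHandlers under Explorer\Advanced mirrors the Folder
    # Options checkbox "Show preview handlers in preview pane" (1 = on, 0 = off).
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $val = Get-ItemProperty -Path $key -Name ShowPreviewHandlers -ErrorAction SilentlyContinue
    if ($null -eq $val) { return 'Enabled (default, value not set)' }
    if ($val.ShowPreviewHandlers -eq 0) { 'Disabled' } else { 'Enabled' }
}

$admins = Get-StandingLocalAdmins
Write-Host "Standing local Administrators on ${env:COMPUTERNAME}:"
$admins | Format-Table Name, Source, ObjectClass, IsBuiltInAdmin -AutoSize

$nonBuiltIn = @($admins | Where-Object { -not $_.IsBuiltInAdmin })
Write-Host ("Review: {0} standing admin principal(s) beyond the built-in account." -f $nonBuiltIn.Count)

Write-Host "Explorer preview handlers: $(Get-PreviewHandlerState)"
if ($DisablePreviewHandlers) {
    Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' `
        -Name ShowPreviewHandlers -Value 0 -Type DWord
    Write-Host 'Preview handlers disabled for the current user; restart Explorer to apply.'
}
```

Run it without the switch first to see the baseline; group members of class `Group` need to be expanded separately, since a domain group nested in Administrators can carry far more standing admins than the table shows.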

For organizations, the takeaway is clear. Patch management alone is insufficient, and organizations must prioritize vulnerabilities that enable privilege escalation, identity abuse, and lateral movement first. That requires context, knowledge of exploits, mappings to frameworks like MITRE ATT&CK, and not just CVSS scores. It also requires rethinking trust assumptions across cloud, endpoint, server, and productivity layers.

The organizations that are ahead of this aren't simply patching faster. They're thinking differently about what privilege means in a cloud-first environment.

In the organizations we work with, AI agents have evolved from a future concern into a present reality almost overnight, and most lack the AI security posture management necessary for proper governance.

Patch management matters, but patches fail to fix excessive privilege or enforce least privilege for AI agents. The ghost in this data isn’t the vulnerability count. It’s everything those vulnerabilities unlock when the identity controls aren’t there to stop them.

For the 2026 landscape and beyond, the 2026 Microsoft Vulnerabilities Report reinforces a hard truth. Threat actors are not breaking down the front door anymore with brute force exploits. They are walking in, escalating quietly, and operating as trusted users, human and machine alike.

If security programs don’t focus on privilege reduction, identity visibility, and continuous risk assessment, the numbers may look stable year over year, but the attack surface and business impact will continue to increase.

Download the complete 2026 Microsoft Vulnerabilities Report now for detailed analysis of Microsoft's vulnerability and security landscape—and what it all means for you.

Authors

Morey J. Haber, Chief Security Advisor, BeyondTrust

Morey J. Haber is the Chief Security Advisor at BeyondTrust. As the Chief Security Advisor, Morey is the lead identity and technical evangelist at BeyondTrust. He has more than 25 years of IT industry experience and has authored five books: Attack Vectors: The History of Cybersecurity, Privileged Attack Vectors, Asset Attack Vectors, Identity Attack Vectors, and Cloud Attack Vectors. Morey has previously served as BeyondTrust’s Chief Security Officer, Chief Technology Officer, and Vice President of Product Management during his nearly 13-year tenure. In 2020, Morey was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board to assist the corporate community with identity security best practices. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition, where he had served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as a Reliability and Maintainability Engineer for a government contractor building flight and training simulators. Morey earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.

James Maude, Field Chief Technology Officer, BeyondTrust

James Maude is the Field Chief Technology Officer (FCTO) at BeyondTrust. With his broad experience in security research, both in academia and industry, James has spent the past decade analyzing cyber threats to identify attack vectors and trends in the evolving security landscape. He is an active member of the security community and hosts Adventures of Alice and Bob, a podcast that shines a light on the people making a difference in security. As an expert voice on cybersecurity, he regularly presents at international events and hosts webinars to discuss threats and defense strategies.

Sponsored and written by BeyondTrust.