IT Brief Ireland - Technology news for CIOs & IT decision-makers
Microsoft security landscape shifts as critical vulnerabilities surge: report

Fri, 5th Jun 2026

New analysis of Microsoft's reported software vulnerabilities has revealed a paradoxical trend: while the total number declined over the past year, the number of critical flaws doubled.

The findings, published in the 13th edition of the annual Microsoft Vulnerabilities Report by identity security specialist BeyondTrust, suggest that organisations are facing fewer but more consequential security gaps.

The report draws on Microsoft security bulletins issued throughout 2025 and highlights the growing influence of artificial intelligence, expanding cloud adoption, and increasingly sophisticated attacker techniques targeting identity systems.

A sharper risk profile

On the headline numbers, Microsoft's vulnerability trend looks encouraging. The company reported 1,273 total vulnerabilities in 2025, a 6% decline from 1,360 the previous year. This suggests that ongoing security investments may be helping to stabilise the overall volume of flaws in its software ecosystem.

However, the report warns that this decline masks a more concerning shift: the number of critical vulnerabilities has nearly doubled, rising from 78 to 157 year-on-year. Rather than indicating improved security, the data points to a concentration of risk in fewer but more dangerous categories of flaws.

The most significant driver of this trend is elevation-of-privilege (EoP) vulnerabilities, which accounted for 40% of all issues, equating to 509 cases. These vulnerabilities are particularly valuable to attackers because they enable lateral movement across systems and access to sensitive enterprise environments once an initial foothold has been established.

Cloud and productivity platforms under growing strain

Much of the increase in critical risk is being driven by Microsoft's cloud and enterprise productivity ecosystems, which continue to expand in both usage and complexity.

Microsoft Azure and Dynamics 365 recorded a dramatic ninefold increase in critical vulnerabilities, rising from just four to 37 during the reporting period. This spike underscores the growing exposure associated with cloud-native architectures and the challenges of securing highly interconnected enterprise platforms.

Similarly, Microsoft Office, long a staple of corporate productivity environments, has seen its security profile deteriorate. The number of vulnerabilities surged to 157, more than tripling year-on-year, while critical vulnerabilities increased tenfold.

However, not all areas are trending negatively. Microsoft Edge has recorded a significant improvement, with vulnerabilities falling 83% to just 50 in 2025. This decline suggests that targeted hardening efforts in browser security may be yielding measurable results.

AI acceleration

The report highlights AI as a double-edged force reshaping the cybersecurity landscape. On one hand, AI tools are improving defenders' ability to detect and catalogue vulnerabilities more efficiently. On the other, they are dramatically enhancing the speed at which attackers can analyse patches, reverse-engineer fixes, and develop exploit strategies.

This acceleration is creating a widening gap between disclosure and exploitation. Organisations may now face active threats before traditional patching cycles can respond.

The report also warns that conventional vulnerability metrics, such as CVE counts, are increasingly insufficient for capturing the true scope of risk. Emerging threats, including misconfigured identity systems, long-lived machine credentials, and over-privileged AI agents, often fall outside traditional vulnerability frameworks, despite carrying significant operational impact.

As a result, security teams are being urged to rethink how risk is measured and prioritised, shifting away from volume-based indicators and towards exploitability and privilege exposure.

Identity and privilege emerge as the central battleground

A consistent theme throughout the report is the growing importance of identity as the primary control plane targeted in modern cyberattacks. Whether targeting cloud infrastructure, enterprise applications, or productivity tools, attackers are increasingly focused on gaining and escalating privileges rather than exploiting isolated software bugs.

This trend is compounded by the rise of non-human identities (NHIs), such as service accounts, automated processes, and AI agents, which often operate with elevated permissions and are difficult to monitor or govern effectively.

The overarching implication is that traditional perimeter-based security models are becoming less effective in environments where identity, rather than network location, determines access and control.

Key priorities

In response to these evolving risks, the report outlines several strategic priorities for enterprise security teams:

  • Accelerate patching cycles, while assuming compromise may still occur
  • Adopt least-privilege principles to reduce the potential blast radius of breaches
  • Implement identity-first security frameworks that cover both human and non-human identities
  • Focus on identifying and securing pathways to privilege, rather than isolated vulnerabilities

These recommendations reflect a broader shift in cybersecurity strategy, where resilience depends less on preventing every intrusion and more on limiting attacker movement and impact once inside a system.

The latest Microsoft vulnerability data presents a nuanced picture for enterprise security leaders. While the overall number of vulnerabilities may be falling, the sharp rise in critical flaws suggests a more dangerous and concentrated threat environment.

Ultimately, the report underscores a fundamental shift in cybersecurity priorities: success is no longer defined by the number of vulnerabilities patched, but by how effectively organisations can control access, manage privilege, and contain attacker movement in increasingly complex digital environments.