Microsoft Vulnerabilities Hit Record High, Critical Flaws Decline, Report Finds

Microsoft Vulnerabilities Drop, But Critical Flaws Double, Report Warns

Microsoft vulnerabilities fall, but critical flaws double; BeyondTrust report highlights rising risk in Microsoft Office, Azure, and cloud systems.

The total number of security flaws in Microsoft software has dropped by 6% to 1,273 this year, which on the surface indicates that things are getting better. However, it hides a dangerous trend: the most dangerous or critical flaws have doubled.

BeyondTrust, a privilege-centric identity security leader, just released its 13th annual Microsoft Vulnerabilities Report, which reveals that while hackers are finding fewer bugs overall, the ones they are finding are far more powerful.

“Don’t be distracted by the dip in total vulnerabilities,” says James Maude, Field CTO at BeyondTrust, “critical vulnerabilities doubled. This is a warning that risk is not decreasing, it is concentrating, and it is concentrating around privilege.”

Major Risks in Office and Azure

The most alarming spikes occurred in tools used for daily business operations. Microsoft Office vulnerabilities tripled to 157, while critical bugs in the suite had a tenfold increase. Many of these flaws exploit the preview pane, a feature that renders content automatically.

According to research from BeyondTrust’s Phantom Labs team, attackers are using this vector to execute malicious code the moment a user highlights an attachment, requiring no further interaction. Windows Server vulnerabilities increased to 780 in 2025, with 50 classified as critical.

Azure and Dynamics 365, Microsoft’s cloud platforms, had fewer total bugs, but their critical flaws increased nine times over. A key example is CVE-2025-55241, a cloud impersonation flaw in Azure Entra ID. It created a nightmarish scenario where a threat actor could impersonate a Global Administrator, successfully bypassing the trust boundaries that protect an enterprise’s cloud infrastructure.

Hidden Risks: The Ghost in the Machine

Human users aren’t the only targets anymore; the report highlights a growing threat to non-human identities (NHIs), which are the automated service accounts and AI agents powering modern workflows.

BeyondTrust refers to these as the “ghost in the machine” because these identities usually hold high-level permissions and operate without traditional security like multi-factor authentication, thus becoming primary targets for espionage actors.

Approximately 40% of all vulnerabilities last year involved Elevation of Privilege (EoP), a consistently reported attack method where the attacker can move from a standard account to a highly privileged state and disable security controls.

Strategic Takeaways for 2026

There is some positive news in the data, too, as bugs in Microsoft Edge are reportedly at an all-time low of 50, down 83%. This suggests the architectural investments Microsoft has made in sandboxing and isolation are paying off. Also, Security Feature Bypass vulnerabilities dropped by 36% after older security guardrails were hardened against newer attack methods.

But the pressure to stay updated is higher than ever, as this year’s first Patch Tuesday alone arrived with 114 fixes, including three zero-day vulnerabilities that were already being exploited in the wild.

BeyondTrust’s report should therefore be taken as a warning: beyond merely fixing bugs, companies must now enforce least privilege for users and automated bots, so that even if a hacker manages to infiltrate a device, without higher privileges the damage remains limited.

Commenting on this, Trey Ford, Chief Strategy and Trust Officer at Bugcrowd, a San Francisco, Calif.-based crowdsourced cybersecurity firm, said that “Cloud misconfigurations are so valuable to both attackers and defenders because they give us the ability to ‘accidentally’ arrive at a negative outcome, both globally and immediately. There is so much technology focused on detecting misconfigurations in the development and testing pipeline, as well as production monitoring.”

“The question isn’t can we find those misconfigurations as much as how early and how quickly can we find and address these issues. Adversarial testing is the ONLY objective way to know if our people, process, and technology are arriving at resilient outcomes.”

Amit Zimerman, Co-Founder and Chief Product Officer at Oasis Security, a New York City-based provider of Non-Human Identity Management (NIM) solutions, also commented on this development, stating, “While AI is highly efficient in automating and scaling tasks, human expertise is necessary to interpret complex results, make critical decisions, and apply context-specific reasoning. Humans are essential for ensuring that AI-driven tools are used responsibly and for validating the results of AI processes, especially when it comes to the nuances of certain vulnerabilities or threat landscapes.”

“AI also plays a significant role in ‘shift-left’ approaches by identifying security vulnerabilities earlier in the software development lifecycle. When integrated into offensive security measures, AI can detect and address issues before they make it into production, reducing the cost of remediation and improving the overall security posture of an organization,” Amit explained.

Deeba is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events. Her expertise and in-depth analysis make her a key contributor to the platform’s trusted coverage.
