
Critical Microsoft Vulnerabilities Doubled: From Exposure to Escalation

Authored by: Morey J. Haber, Chief Security Advisor, BeyondTrust, and James Maude, Field Chief Technology Officer, BeyondTrust

As analyzed in the 2026 Microsoft Vulnerabilities Report, Microsoft disclosed 1,273 vulnerabilities in 2025, a dip from 1,360 the prior year. The good news appears to be that total Microsoft vulnerabilities have remained in a stable range from 2020 – 2026.

But these numbers are the wrong ones to watch. Critical vulnerabilities doubled year over year, surging from 78 to 157 and reversing a multi-year downward trend.

Stability in total vulnerability volume conceals instability in impact, and that is where organizations should focus their attention.

The most important clue in this data isn't how many vulnerabilities were disclosed, but where they are concentrated and what they allow threat actors to potentially compromise.

Increase in critical vulnerabilities

Where the Risk Is Concentrating

The dominance of Elevation of Privilege vulnerabilities (accounting for 40% of all CVEs), combined with a 73% rise in Information Disclosure flaws, tells us attackers are prioritizing stealth and reconnaissance over noisy exploits.

Privilege is where vulnerabilities become breaches. Threat actors no longer need noisy exploits or mass malware campaigns if they can quietly escalate access and move laterally using legitimate credentials and Living Off the Land techniques.

This trend aligns with real-world breach patterns, where initial access is often mundane, but impact is amplified through excessive privilege, misconfigurations, and weak identity controls.

Nowhere is this more concerning than in cloud and enterprise platforms. Microsoft Azure and Dynamics 365 decreased slightly in total vulnerability count, but critical vulnerabilities spiked dramatically, jumping from 4 to 37 in a single year.

Cloud platforms are not just infrastructure anymore. They are critical to business operations, providing a wide range of services, including identity and access management, business automation, and control planes for entire enterprises.

A critical flaw in these environments has implications far beyond exposing data. It can cripple an entire workflow (and, ultimately, business operations) and can collapse trust boundaries at machine speed. When cloud vulnerabilities turn critical, the blast radius becomes the defining risk metric.

In practice, a single misconfigured identity in Azure can hand an attacker the keys to the entire tenant, and most organizations wouldn't know until the damage was done. CVE-2025-55241, a critical Entra ID flaw patched in July 2025, illustrated this precisely: an attacker could forge tokens accepted across any tenant, leaving no trace in victim logs.

On the endpoint and server side, the results are mixed, but still disturbing. Total Microsoft Windows vulnerability numbers declined, yet critical counts remained stubbornly consistent and unnervingly high. Microsoft Windows Server vulnerabilities increased to 780, with 50 classified as critical. Servers remain high-value targets because they often run with elevated privileges, host shared services, and provide the foundation for a wide range of enterprise infrastructure.

Threat actors understand that compromising a server often provides faster and deeper access than compromising a desktop alone. It is a refrain we hear consistently from CISOs: “We patched everything critical, so why are we still getting breached?” This data explains why.

Perhaps the most notable shift in the data is in productivity software. Microsoft Office vulnerabilities surged 234% year over year, rising from 47 to 157, with critical vulnerabilities jumping from 3 to 31 (a 10x increase over last year).

Microsoft Office remains one of the most abused attack surfaces because it sits at the intersection of human behavior, daily operations, and business continuity.

Macros, document sharing, preview panes, HTML rendering, new AI capabilities, and add-ins create a unique landscape for exploitation. When Office vulnerabilities spike, users remain the most reliable entry point via social engineering.


The category trends reinforce a clear pattern: Elevation of Privilege and Information Disclosure are rising together. Attackers are prioritizing stealth and reconnaissance, and when threat actors know your environment better than your own team does, every subsequent incursion becomes easier.

What Organizations Should Do About It

The immediate defensive priority is narrowing the blast radius before the next patch cycle. That means auditing standing admin rights, treating service accounts and AI agents with the same scrutiny as human identities, and disabling the Windows preview pane (seven CVEs in 2025 exploited it as an entry point).
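The three actions above can be started on a single Windows host with the script below. It is an added example, not code from the report or from BeyondTrust: it lists who holds standing membership in the local Administrators group, flags which of those principals also run Windows services (the `svc-`/`sa-`/`bot-`/`agent-` prefixes are an assumed naming convention, not a standard), and applies the File Explorer "Turn off Preview Pane" and "Turn off Details Pane" policy values (`NoPreviewPane`, `NoReadingPane`) for the current user. The Outlook reading pane is governed by Outlook's own policy settings and is not covered here.

```powershell
# Added example: inventory standing local admin rights and disable the Explorer
# preview pane on one host. Run from an elevated PowerShell session.
# Assumptions: NoPreviewPane/NoReadingPane under the Explorer policy key are the
# values written by the "Turn off Preview Pane"/"Turn off Details Pane" policies;
# the service-account name prefixes below are a constructed naming convention.

# 1. Standing admin rights: every principal permanently in local Administrators.
function Get-StandingLocalAdmins {
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Name            = $_.Name
            ObjectClass     = $_.ObjectClass       # User or Group
            PrincipalSource = $_.PrincipalSource   # Local, ActiveDirectory, AzureAD
            # Non-human identities get the same scrutiny as humans; the prefix
            # match is an assumed convention, adjust to your own naming scheme.
            LooksLikeServiceAccount = [bool]($_.Name -match '\\(svc|sa|bot|agent)[-_]')
        }
    }
}

# 2. Service accounts: admins that also run Windows services under their identity.
#    These are the accounts whose compromise combines privilege with persistence.
function Get-AdminServiceAccounts {
    $admins = Get-StandingLocalAdmins | Select-Object -ExpandProperty Name
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -and ($admins -contains $_.StartName) } |
        Select-Object Name, StartName, State, StartMode
}

# 3. Preview pane: apply the Explorer policy for the current user (HKCU).
#    For fleet-wide enforcement, set the same policy through Group Policy.
function Disable-ExplorerPreviewPane {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'NoPreviewPane' -Type DWord -Value 1
    Set-ItemProperty -Path $key -Name 'NoReadingPane' -Type DWord -Value 1
    # Return the effective values so the change can be verified or logged.
    Get-ItemProperty -Path $key | Select-Object NoPreviewPane, NoReadingPane
}

Get-StandingLocalAdmins  | Format-Table -AutoSize
Get-AdminServiceAccounts | Format-Table -AutoSize
Disable-ExplorerPreviewPane
```

The first two functions produce the list you would review for removal or conversion to just-in-time elevation; any row where `LooksLikeServiceAccount` is true and the account also appears in the service inventory is a standing, non-human privilege that patching alone will never reduce.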

For organizations, the takeaway is clear. Patch management alone is insufficient; organizations must prioritize vulnerabilities that enable privilege escalation, identity abuse, and lateral movement first. That requires context, knowledge of exploits, and mappings to frameworks like MITRE ATT&CK, not just CVSS scores. It also requires rethinking trust assumptions across cloud, endpoint, server, and productivity layers.
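As an added illustration of ranking a backlog by what a vulnerability enables rather than by CVSS alone (this is example code, not a method from the report or from BeyondTrust), the script below weights each entry by its ATT&CK tactic, by whether exploitation is already known, and by whether it sits on an identity or server control plane. The CVE identifiers, scores and tactic mappings are constructed placeholders, and the weights are an assumed policy to be tuned per organization.

```powershell
# Added example: context-driven patch prioritization. All data is constructed;
# the CVE-0000-* ids are placeholders, not real advisories.
$backlog = @(
    [pscustomobject]@{ Id='CVE-0000-0001'; Product='Windows Server'; Category='Elevation of Privilege'; Cvss=7.8; KnownExploited=$true;  AttackTactic='Privilege Escalation' }
    [pscustomobject]@{ Id='CVE-0000-0002'; Product='Office';         Category='Remote Code Execution';  Cvss=9.8; KnownExploited=$false; AttackTactic='Initial Access' }
    [pscustomobject]@{ Id='CVE-0000-0003'; Product='Entra ID';       Category='Spoofing';               Cvss=8.1; KnownExploited=$false; AttackTactic='Credential Access' }
    [pscustomobject]@{ Id='CVE-0000-0004'; Product='Windows';        Category='Information Disclosure'; Cvss=5.5; KnownExploited=$true;  AttackTactic='Discovery' }
    [pscustomobject]@{ Id='CVE-0000-0005'; Product='Dynamics 365';   Category='Denial of Service';      Cvss=7.5; KnownExploited=$false; AttackTactic='Impact' }
)

function Get-PatchPriority {
    param([Parameter(Mandatory, ValueFromPipeline)][pscustomobject]$Vuln)
    process {
        # Assumed weights: enablers of privilege, identity abuse and lateral
        # movement outrank raw severity; reconnaissance feeds the next step.
        $tacticWeight = switch ($Vuln.AttackTactic) {
            'Privilege Escalation' { 3.0 }
            'Credential Access'    { 3.0 }
            'Lateral Movement'     { 3.0 }
            'Discovery'            { 2.0 }
            'Initial Access'       { 1.5 }
            default                { 1.0 }
        }
        # Known exploitation doubles the urgency regardless of category.
        $exploitBoost = if ($Vuln.KnownExploited) { 2.0 } else { 1.0 }
        # Identity and server control planes widen the blast radius.
        $blastRadius = if ($Vuln.Product -in @('Entra ID', 'Windows Server')) { 1.5 } else { 1.0 }
        $score = [math]::Round($Vuln.Cvss * $tacticWeight * $exploitBoost * $blastRadius, 1)
        $Vuln | Add-Member -NotePropertyName Priority -NotePropertyValue $score -PassThru
    }
}

$backlog | Get-PatchPriority |
    Sort-Object -Property Priority -Descending |
    Format-Table Id, Product, Category, Cvss, KnownExploited, AttackTactic, Priority -AutoSize
```

With these weights the 7.8 Elevation of Privilege on Windows Server (known exploited) lands at the top, ahead of the 9.8 Office remote code execution, which is exactly the reordering the paragraph argues for; replacing the constructed fields with your own exposure data and ATT&CK mappings is the real work.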

The organizations that are ahead of this aren't simply patching faster. They're thinking differently about what privilege means in a cloud-first environment.

In the organizations we work with, AI agents have quickly evolved from a future concern into a present reality almost overnight, and most lack the AI security posture management necessary for proper governance.

Patch management matters, but patches don't fix excessive privilege or enforce least privilege for AI agents. The ghost in this data isn't the vulnerability count. It's everything those vulnerabilities unlock when the identity controls aren't there to stop them.

For the 2026 landscape and beyond, the 2026 Microsoft Vulnerabilities Report reinforces a hard truth. Threat actors are not breaking down the front door anymore with brute-force exploits. They're walking in, escalating quietly, and operating as trusted users, human and machine alike.

If security programs don't address privilege reduction, identity visibility, and continuous risk assessment, the numbers may look stable year over year, but the attack surface and business impact will continue to increase.


Download the complete 2026 Microsoft Vulnerabilities Report now for detailed analysis of Microsoft's vulnerability and security landscape, and what it all means for you.

Authors

Morey J. Haber, Chief Security Advisor, BeyondTrust

Morey J. Haber is the Chief Security Advisor at BeyondTrust. As the Chief Security Advisor, Morey is the lead identity and technical evangelist at BeyondTrust. He has more than 25 years of IT industry experience and has authored five books: Attack Vectors: The History of Cybersecurity, Privileged Attack Vectors, Asset Attack Vectors, Identity Attack Vectors, and Cloud Attack Vectors. Morey has previously served as BeyondTrust's Chief Security Officer, Chief Technology Officer, and Vice President of Product Management during his nearly 13-year tenure. In 2020, Morey was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board to help the corporate community with identity security best practices. He originally joined BeyondTrust in 2012 as part of the eEye Digital Security acquisition, where he had served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as a Reliability and Maintainability Engineer for a government contractor building flight and training simulators. Morey earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.

James Maude, Field Chief Technology Officer, BeyondTrust

James Maude is the Field Chief Technology Officer (FCTO) at BeyondTrust. With his broad experience in security research, both in academia and industry, James has spent the past decade analyzing cyber threats to identify attack vectors and trends in the evolving security landscape. He is an active member of the security community and hosts Adventures of Alice and Bob, a podcast that shines a light on the people making a difference in security. As an expert voice on cybersecurity, he regularly presents at international events and hosts webinars to discuss threats and defense strategies.

Sponsored and written by BeyondTrust.
