
Microsoft vulnerabilities reached an all-time high in 2024

Reveals BeyondTrust report

BeyondTrust has reported a record-breaking 1,360 vulnerabilities disclosed across Microsoft’s ecosystem in 2024. This marks an 11% increase over the previous high of 1,292 vulnerabilities reported in 2022 and underscores the persistent and evolving challenges organisations face in defending against cyber threats.

BeyondTrust’s newly published 2025 Microsoft Vulnerabilities Report draws on a comprehensive analysis of Microsoft’s publicly issued security bulletins, offering a detailed overview of the most pressing vulnerability trends affecting Microsoft environments.

James Maude, Field Chief Technology Officer at BeyondTrust, said: “This year’s data offers a clear reminder that the threat landscape is not slowing down—it is rapidly evolving. The sustained dominance of Elevation of Privilege vulnerabilities highlights how valuable privileges are to attackers and why they will continue to target identities with privileges to move laterally and gain access to critical systems.

“These trends reinforce the need for organisations to focus not just on patching, but on securing the underlying Paths to Privilege across their environments to reduce the attack surface of every identity and point of access.”


Despite Microsoft’s continued investments in security, the annual report confirms that attackers are still finding ways to exploit weaknesses, particularly those linked to privilege escalation and remote code execution.

Most exploited categories

In 2024, vulnerabilities associated with Elevation of Privilege (EoP) and Remote Code Execution (RCE) remained the most exploited categories. EoP vulnerabilities accounted for 40% of all Microsoft vulnerabilities, with 554 cases recorded. These flaws enable attackers to gain elevated access to systems, making them a key target for threat actors seeking to move laterally or take control of critical resources.

While overall critical vulnerabilities declined in 2024, Security Feature Bypass incidents rose sharply, increasing by 60% year-over-year. This jump, from 56 cases in 2023 to 90 in 2024, points to ongoing challenges in building secure-by-design software and highlights the need for stronger threat modelling and secure coding practices at the development stage.

Microsoft Edge saw a notable uptick in vulnerabilities last year, with 292 reported, up 17% from the previous year. Nine were classified as critical, a striking change compared to zero critical vulnerabilities in Edge in 2022.

Windows and Windows Server continued to be prominent targets. The report identified 587 vulnerabilities in Windows, 33 of which were deemed critical. Windows Server experienced even more issues, with 684 vulnerabilities, including 43 critical ones.

Microsoft Office vulnerabilities nearly doubled from 2023 levels, reaching 62 reported in 2024. However, Azure and Dynamics 365 vulnerabilities remained flat, suggesting these platforms may be maturing in their security posture or benefiting from targeted hardening efforts.

Although the number of vulnerabilities peaked, the longer-term growth rate shows signs of levelling off. Combined with the ongoing decline in critical vulnerabilities, this may reflect Microsoft’s broader success in strengthening its products’ security architecture. However, the report also cautions that the expanding complexity of modern ecosystems—including interconnected cloud, AI, and legacy components—means risk is far from eliminated.

BeyondTrust’s analysis highlights cybercriminals’ shifting strategies. Identity-based attacks are becoming more common, as adversaries focus on compromising credentials and privileged accounts rather than relying solely on traditional software exploits.

New measures

The report outlines several strategic predictions and practical recommendations for the year ahead. Unpatched systems continue to be low-hanging fruit for attackers, enabling widespread compromise. Even as Microsoft expands its tech stack with new features and cloud services, fresh vulnerabilities are expected to emerge as attackers develop novel techniques to bypass security controls.

While vital, patching is no longer enough. Patch deployment can fail or introduce unintended system instability, reinforcing the need for a layered defence strategy. This includes least privilege enforcement and zero-trust architectures, focusing on access control and identity protection.

The BeyondTrust report also highlights a growing shift in attack methodologies. Rather than exploiting a specific software flaw, modern threat actors often aim to gain control of privileged identities. These accounts can access sensitive data and systems, making them a lucrative target for lateral movement and persistence within a network.

Despite evolving threats, some cybersecurity fundamentals remain as relevant as ever. Software vulnerabilities will continue to exist, making proactive mitigation essential. Enforcing least privilege is still one of the most effective ways to reduce exposure, even in the face of zero-day exploits or newly reverse-engineered vulnerabilities.

A comprehensive defence-in-depth strategy that blends prevention with timely detection and response capabilities is critical. Such an approach is vital as identity-based attacks become more prevalent, targeting the human element of cybersecurity.
