Death, Taxes and Microsoft Vulnerabilities: The Unavoidable Truths in Life

By Staff

Benjamin Franklin once said, “In this world nothing can be said to be certain, except death and taxes.” If Franklin were alive today, he might tack on another: software vulnerabilities. Specifically, Microsoft vulnerabilities.

For twelve years, the Microsoft Vulnerabilities Report authored by BeyondTrust has been a barometer for how secure the world’s most widely used software ecosystem truly is. The 2025 edition is a reminder to step back, take a breath, pay our taxes, and ensure security patches are being deployed in a timely fashion—after testing.

In this latest edition, the numbers prove we are alive. In 2024, Microsoft vulnerabilities hit an all-time high: 1,360 disclosed, topping the previous record of 1,292 from 2022. That’s an 11 percent increase and a gentle reminder that no matter how many best practices we create, expert training we provide to developers, or how thoroughly we test code via QA and penetration testing, humans and AI still create software with exploitable vulnerabilities. Year after year, this continues to be true.

The Microsoft Vulnerabilities Report demonstrates that humans remain the weakest link—not only from social engineering but also in the software we develop.

Before we throw up our hands in despair, there’s nuance: critical vulnerabilities—the ones that keep CISOs awake at night—are trending down. That’s a win, though an incomplete one. Let me explain.

On The Brighter Side

When we dig into the report, the raw data gives us two competing narratives. On one hand, the total number of vulnerabilities is climbing. On the other, critical vulnerabilities dropped to their lowest point in over a decade: 78 in 2024, compared to 196 in 2020. That is noteworthy progress—especially when you consider that in 2013, critical vulnerabilities made up 44 percent of Microsoft’s public vulnerability disclosures. In 2024, we’re just under six percent.

For the fifth year running, Elevation of Privilege (EoP) vulnerabilities took the top spot, making up 40 percent of all disclosures. It’s a hard truth: it’s easier for a threat actor to log in than hack in. And for a threat actor, privilege is power—especially when they can authenticate as a privileged user. It’s the difference between peeking in the window versus holding the keys to the castle. EoP vulnerabilities make lateral movement easy, and no zero trust model survives long without putting least privilege front and center to contain a breach.

The more access attackers have, the bigger the blast radius. And while Microsoft’s numbers show a reduction in critical bugs, the continued presence of EoP bugs should be a wake-up call for everyone managing sprawling privileged accounts.

New Threats

One unsettling trend is the rise of Security Feature Bypass vulnerabilities. These have tripled since 2020, surging from 30 to 90 this year. Have you heard of RomCom? The Russian cybercrime group exploited CVE-2023-36884 to bypass Microsoft’s “Mark of the Web” protections. In 2024, we saw similar bypasses with CVE-2024-38226 and CVE-2024-38217. The message is clear: attackers are targeting legacy security controls, many of which are proving to be easy attack vectors.

Microsoft has some catching up to do on backward compatibility and older solutions. Features like User Account Control and Mark of the Web are relics from a different era—circa Windows XP. In a world where phishing campaigns evolve weekly, relying on decades-old security measures shows that end-of-life applies not only to operating systems and applications but also to the protocols and industry standards they were built upon.

While Internet Explorer (IE) officially reached end-of-life in 2022, Microsoft Edge—the Chromium-powered browser once praised for its security—saw its zero-critical-vulnerability streak broken in 2024. Nine critical vulnerabilities were documented, giving attackers a rare opportunity to escape the browser sandbox and potentially own an asset. CISA issued multiple warnings, as these flaws allowed remote code execution with local user privileges. Combine that with organizations allowing users to operate as local administrators—and not following the Principle of Least Privilege (PoLP)—and you significantly increase the risk to your environment due to poor security hygiene and these vulnerabilities.

Microsoft Windows continues to widen the gap as both the company’s flagship OS and its Achilles’ heel: 587 vulnerabilities in 2024, including 33 critical ones. Irony is a lesson we should never forget—like paying taxes. Windows 11 is supposed to be the most secure version yet, but legacy code from 20 years ago still lingers, ripe for exploitation.

As we move to the cloud—or, as AI engines like to say, “Organizations have embraced a digital transformation strategy…”—Azure vulnerabilities have nearly doubled since 2020. Fortunately, critical vulnerabilities are down. But AI bots are now the new attack surface.

CVE-2024-38206 and CVE-2024-38109 showed how Microsoft Copilot Studio and Azure Health Bot could be exploited for information disclosure and privilege escalation. AI may be the future, but we can’t ignore the risks of new code and attack vectors. Unfortunately, the black-box nature of these models makes mitigation tricky and the attack surface unmeasurable as more of this technology is developed.

Most importantly, 2024 saw several Microsoft patches break more than they fixed. In the rush to ship security fixes, the number of updates that rolled systems back to vulnerable states increased last year. Preview builds that bricked features, including the auto-update system itself, plagued enterprises. We should remember that software is ultimately created by humans, and shipping patches quickly isn’t the same as shipping them right.

Microsoft’s reputation for patch quality has wavered before. In 2025, stability must be the priority to regain trust and shorten patching cycles. Other vendors, like CrowdStrike in 2024, proved that even a simple, improperly tested update can have devastating consequences. Microsoft is no different.

In conclusion, the Secure Future Initiative is Microsoft’s bet that it can bake security into everything it builds. It’s an admirable cause, and some improvements are showing in this year’s report. Microsoft is making progress—but you’re still responsible for your own security posture. That includes testing patches and deploying them across your enterprise.

Death, taxes, and Microsoft vulnerabilities aren’t going away. But with least privilege, zero trust, and a healthy skepticism for legacy systems, we can make life a little less stressful—one patch at a time.


As the Chief Security Advisor at BeyondTrust, Morey J. Haber is the lead identity and technical evangelist at the company. He has more than 25 years of IT industry experience and has authored four books: Privileged Attack Vectors, Asset Attack Vectors, Identity Attack Vectors, and Cloud Attack Vectors.
