Microsoft’s software ecosystem saw a 6% drop in disclosed vulnerabilities in 2025, but the number of flaws rated critical surged, signaling a dangerous shift from volume to severity. BeyondTrust’s 13th annual Microsoft Vulnerabilities Report, released April 21, 2026, tallied 1,273 common vulnerabilities and exposures (CVEs) across Microsoft products last year, down from 1,353 in 2024. Yet for the first time in five years, the proportion of critical-rated vulnerabilities climbed, while elevation-of-privilege bugs—long the most common category—slipped to second place.

Security teams that had grown accustomed to steady patch cycles and incremental improvements now face a stark reality: fewer bugs overall, but more that can hand attackers the keys to the kingdom. The report’s findings arrive as enterprises continue their mass migration to cloud-native services, where the blast radius of a single critical flaw can span entire hybrid estates.

Fewer Vulnerabilities, Higher Stakes

The decline in total CVEs marks a reversal of a decade-long trend. From 2016 to 2024, Microsoft’s annual disclosed vulnerabilities climbed overall, peaking at 1,353 in 2024. The 2025 figure of 1,273 represents the first year-over-year decrease since 2020. On its face, that looks like a win for Microsoft’s Secure Future Initiative and the rigorous code reviews it mandates. But the data tells a more nuanced story.

Vulnerabilities carrying Microsoft’s Critical severity rating, typically flaws that allow remote code execution without user interaction, complete system compromise, or authentication bypass, accounted for 14.6% of all CVEs in 2025, up from 11.8% the year before, according to BeyondTrust’s analysis. That translates to roughly 186 critical vulnerabilities, compared with 160 in 2024: a 16% increase despite the smaller overall pool. “The nature of the threat is pivoting,” said Morey Haber, chief security strategist at BeyondTrust, in the report’s summary. “Attackers are not interested in exploiting low-impact bugs when one critical remote code execution chain can yield domain dominance.”

The shift is even more pronounced in cloud and identity platforms. Azure and Entra ID (formerly Azure Active Directory) accounted for 22% of all critical vulnerabilities, double their share from 2023. Privilege escalation flaws, traditionally the bedrock of Windows exploitation, now represent just 28% of all CVEs, compared to an average of 34% from 2020–2024. Replacing them are remote code execution (RCE) and information disclosure bugs, which often serve as entry points for ransomware gangs and nation-state actors.

Critical Flaws on the Rise

What’s driving the increase in severity? Several factors converge. First, Microsoft’s aggressive push to sunset legacy protocols and APIs has forced researchers to dig deeper into next-generation components. The Windows 11 2025 Update and Windows Server 2026, both released last year, introduced new subsystems like Rust-based kernel modules and a revamped networking stack—fresh attack surfaces that haven’t been battle-hardened.

Second, the blurring of boundaries between on-premises and cloud environments creates lateral movement opportunities that a single critical flaw can exploit. An RCE in an on-prem Exchange server can now pivot to Entra ID via hybrid identity configurations, bypassing traditional network segmentation: the Entra Connect server that synchronizes the two directories holds credentials privileged in both, which is why Microsoft advises treating it as a Tier 0 asset. BeyondTrust’s report highlights CVE-2025-3884, a critical remote code execution vulnerability in the Windows Kerberos Key Distribution Center (KDC) disclosed in October 2025. With a CVSS score of 9.8, it allowed unauthenticated attackers to execute code on any domain controller, a scenario that would have been unthinkable in the heavily audited Kerberos code of a decade ago.

Third, automated vulnerability discovery tools and AI-assisted code analysis have matured. Security researchers at firms like BeyondTrust, as well as Microsoft’s internal red teams, are finding complex, chained vulnerabilities that might have remained hidden in the era of human-only auditing. The result is that while the low-hanging fruit—the memory corruption bugs in legacy components—is dwindling, the bugs that remain are architectural and deeply embedded.

A New Threat Landscape for Windows and Azure

For IT administrators, the report is not just academic. The increasing severity demands a fundamental rethinking of patch management and least-privilege strategies. Microsoft’s usual Patch Tuesday cadence isn’t enough when a critical Hyper-V guest escape flaw, like CVE-2026-1023 patched in March 2026, can compromise entire virtual server fleets. Organizations that rely on monthly ring deployments now face the prospect of needing out-of-band emergency patches more frequently, disrupting business continuity.

Windows endpoints remain the primary vector, with 63% of all vulnerabilities affecting Windows 10, Windows 11, or Windows Server. But the real damage often originates in identity infrastructure. Elevation-of-privilege bugs in Microsoft Entra Connect (formerly Azure AD Connect) and its synchronization components allow attackers to impersonate privileged users, moving from a compromised workstation to cloud resources without ever being challenged for MFA. BeyondTrust’s report dedicates a special section to this “identity bridge,” noting that 41% of all elevation-of-privilege vulnerabilities now reside in identity components rather than the kernel or file system.
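What watching the identity bridge looks like in practice: the Python below is an added example, not code from the report or from the article, that scans Windows Security event 4662 records for directory replication requests and flags any that come from an account other than a domain controller or the Entra Connect sync account, plus bursts from an account that is allowed to replicate. The control-access-right GUIDs are the real ones; the domain controller names, the MSOL_ sync account name and the event records are constructed assumptions.

```python
"""Flag Active Directory replication requests that bypass the expected identity bridge.

Added example, not taken from the BeyondTrust report. The Security event 4662
records below are constructed for illustration; field names follow the 4662
EventData schema, and the DC and sync-account names describe a hypothetical domain.
"""
from __future__ import annotations

from collections import Counter
from datetime import datetime

# Control-access-right GUIDs that appear in the Properties field of event 4662
# when a caller requests directory replication. These are the rights DCSync-style
# tooling needs, and the ones the Entra Connect sync account legitimately holds.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Hypothetical environment: domain controller computer accounts and the on-prem
# AD DS Connector account created by Entra Connect (MSOL_<12 hex chars> by default).
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}
SYNC_ACCOUNTS = {"MSOL_3f2a9c1d7b4e"}


def replication_rights(properties: str) -> list[str]:
    """Return the replication rights named in a 4662 Properties field, if any."""
    text = properties.lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in text]


def analyze_4662(events: list[dict], baseline_per_hour: int = 50) -> list[dict]:
    """Return alerts for replication requests that are unexpected or unusually frequent.

    High: a replication right requested by an account that is neither a domain
    controller nor the known sync account (the DCSync pattern).
    Medium: an expected replicator exceeding baseline_per_hour requests in one
    clock hour (a compromised or replayed sync credential shows up as a spike).
    """
    alerts = []
    per_hour: Counter = Counter()  # (account, hour bucket) -> request count
    for ev in events:
        rights = replication_rights(ev["Properties"])
        if not rights:
            continue  # ordinary object access, not replication
        account = ev["SubjectUserName"]
        hour = datetime.fromisoformat(ev["TimeCreated"]).replace(minute=0, second=0, microsecond=0)
        per_hour[(account, hour)] += 1
        if account not in DOMAIN_CONTROLLERS and account not in SYNC_ACCOUNTS:
            alerts.append({
                "severity": "high", "account": account, "time": ev["TimeCreated"],
                "reason": "replication rights requested by non-DC, non-sync account: " + ", ".join(rights),
            })
        elif per_hour[(account, hour)] == baseline_per_hour + 1:
            alerts.append({
                "severity": "medium", "account": account, "time": ev["TimeCreated"],
                "reason": f"more than {baseline_per_hour} replication requests in one hour",
            })
    return alerts


def _event(time: str, user: str, *guids: str) -> dict:
    """Build a constructed 4662 record; %%7688 is the 'Control Access' marker."""
    props = "%%7688\n\t" + "\n\t".join("{" + g + "}" for g in guids)
    return {"TimeCreated": time, "SubjectUserName": user, "SubjectDomainName": "CORP",
            "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "AccessMask": "0x100",
            "Properties": props}


GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
USER_ACCOUNT_RESTRICTIONS = "4c164200-20c0-11d0-a768-00aa006e0529"  # property set, not replication

# Constructed sample: routine DC and sync traffic, one DCSync-style request from a
# user account, one ordinary object access, and a burst from the sync account.
SAMPLE_EVENTS = [
    _event("2025-10-15T09:00:12", "DC02$", GET_CHANGES, GET_CHANGES_ALL),
    _event("2025-10-15T09:05:01", "MSOL_3f2a9c1d7b4e", GET_CHANGES, GET_CHANGES_ALL),
    _event("2025-10-15T09:06:02", "MSOL_3f2a9c1d7b4e", GET_CHANGES, GET_CHANGES_ALL),
    _event("2025-10-15T09:07:03", "MSOL_3f2a9c1d7b4e", GET_CHANGES, GET_CHANGES_ALL),
    _event("2025-10-15T09:15:44", "jdoe", GET_CHANGES_ALL),
    _event("2025-10-15T09:20:00", "svc_backup", USER_ACCOUNT_RESTRICTIONS),
    _event("2025-10-15T09:40:10", "MSOL_3f2a9c1d7b4e", GET_CHANGES, GET_CHANGES_ALL),
    _event("2025-10-15T09:41:11", "MSOL_3f2a9c1d7b4e", GET_CHANGES, GET_CHANGES_ALL),
    _event("2025-10-15T10:05:00", "MSOL_3f2a9c1d7b4e", GET_CHANGES, GET_CHANGES_ALL),
]

if __name__ == "__main__":
    for alert in analyze_4662(SAMPLE_EVENTS, baseline_per_hour=3):
        print(alert["severity"].upper(), alert["time"], alert["account"], alert["reason"])
```

The allowlist is the whole point: the sync account has to hold replication rights, so a rule that alerts on the rights alone would page on every sync cycle. Auditing of directory service access must be enabled on the domain controllers for 4662 to be written at all, and the baseline should be derived from the tenant's real sync interval rather than the placeholder used here.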

“We’ve seen a clear pivot from local privilege escalation to cloud privilege escalation,” explained Paula Januszkiewicz, CEO of CQURE and a Microsoft Most Valuable Professional in enterprise security, reacting to the report on her company blog. “In the past, getting SYSTEM on a box was the goal. Now, attackers want Global Administrator in Entra ID. The shift in vulnerability statistics mirrors that change in attacker incentives.”

The data also complicates compliance. Regulated industries—finance, healthcare, government—that rely on CVE counts to gauge risk appetite may find themselves underprotected. If the total number of patches drops, boards might question the need for large security teams, even as the remaining tasks require deeper expertise and faster response times.

Practical Takeaways for IT Teams

BeyondTrust’s report isn’t just a warning; it offers a roadmap for adaptation. Among its key recommendations:

  • Adopt just-in-time privilege: Rather than managing static administrator accounts, shift to ephemeral, time-bound privileged access for both on-premises Active Directory and Entra ID. This blunts the impact of credential-harvesting attacks that often follow critical RCE exploitation.
  • Accelerate patch cycles: The average time-to-exploit for critical vulnerabilities is now under 48 hours. Organizations should move from monthly to weekly patch rings for Tier 1 assets, using automated testing in sandbox environments to catch compatibility issues.
  • Monitor identity bridges: Tools like Microsoft Defender for Identity and third-party solutions must be tuned to detect abnormal synchronization between AD and Entra ID. Directory replication requests from any account other than a domain controller or the Entra Connect sync account, or a spike in replication traffic after a critical vulnerability disclosure, should trigger an immediate incident response.
  • Invest in attack surface reduction: No longer a nice-to-have, attack surface reduction (ASR) rules should be enforced across all endpoints, after a run in audit mode to surface the line-of-business applications a rule would break. Microsoft’s own data shows that enabling a core set of ASR rules reduces the risk from zero-day exploits by up to 70%.
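The patch-cycle recommendation is easier to act on once it is a triage rule rather than a slogan. The Python below is an added example, not from the report or the article: it joins a Patch Tuesday release list against a CISA Known Exploited Vulnerabilities (KEV) excerpt and an asset-tier map, assigns each advisory a 48-hour, 7-day or 30-day deadline, and orders the queue so that known-exploited and Tier 1 critical items come first. The advisories, the KEV excerpt, the tier map and the SLA values are constructed placeholders; the CVE IDs are not real advisories, and only the KEV field names follow the real feed.

```python
"""Build a patch queue ordered by exploitability and exposure rather than CVE count.

Added example, not taken from the BeyondTrust report. The advisory list, the KEV
feed excerpt and the asset-tier map are constructed placeholders; the CVE IDs are
not real advisories. The KEV excerpt only mirrors the field names used by CISA's
known_exploited_vulnerabilities.json feed.
"""
from __future__ import annotations

from datetime import datetime, timedelta

SEVERITY_RANK = {"Critical": 3, "Important": 2, "Moderate": 1, "Low": 0}

# Hypothetical estate: Tier 1 is identity and server infrastructure, Tier 2 managed
# endpoints, Tier 3 everything else. Unknown products default to Tier 3.
PRODUCT_TIER = {
    "Windows Server": 1,
    "Microsoft Entra Connect": 1,
    "Exchange Server": 1,
    "Windows 11": 2,
    "Microsoft Office": 3,
}


def deadline_hours(tier: int, severity: str, in_kev: bool) -> int:
    """Remediation SLA (assumed values): 48 h when exploitation is known or a Tier 1
    asset has a Critical flaw, one week for the rest of Tier 1 and for Critical
    elsewhere, otherwise the normal monthly ring."""
    if in_kev or (tier == 1 and severity == "Critical"):
        return 48
    if tier == 1 or severity == "Critical":
        return 7 * 24
    return 30 * 24


def prioritize(advisories: list[dict], kev_feed: dict, released: datetime) -> list[dict]:
    """Return the advisories as a queue: KEV entries first, then by severity,
    asset tier and CVSS, each with a deadline derived from deadline_hours()."""
    kev = {v["cveID"]: v for v in kev_feed["vulnerabilities"]}
    queue = []
    for adv in advisories:
        entry = kev.get(adv["cve"])
        tier = PRODUCT_TIER.get(adv["product"], 3)
        hours = deadline_hours(tier, adv["severity"], entry is not None)
        queue.append({
            **adv,
            "tier": tier,
            "kev": entry is not None,
            "ransomware": bool(entry) and entry.get("knownRansomwareCampaignUse") == "Known",
            "due_hours": hours,
            "deadline": released + timedelta(hours=hours),
        })
    queue.sort(key=lambda q: (not q["kev"], -SEVERITY_RANK[q["severity"]], q["tier"], -q["cvss"]))
    return queue


def due_within(queue: list[dict], hours: int) -> list[str]:
    """CVE IDs whose deadline falls within the given number of hours of release."""
    return [q["cve"] for q in queue if q["due_hours"] <= hours]


# Constructed Patch Tuesday excerpt (placeholder IDs, not real advisories).
ADVISORIES = [
    {"cve": "CVE-2025-90001", "product": "Windows Server", "severity": "Critical", "cvss": 9.8, "impact": "RCE"},
    {"cve": "CVE-2025-90002", "product": "Windows 11", "severity": "Important", "cvss": 7.8, "impact": "EoP"},
    {"cve": "CVE-2025-90003", "product": "Microsoft Office", "severity": "Critical", "cvss": 8.8, "impact": "RCE"},
    {"cve": "CVE-2025-90004", "product": "Microsoft Entra Connect", "severity": "Important", "cvss": 7.5, "impact": "EoP"},
    {"cve": "CVE-2025-90005", "product": "Microsoft Office", "severity": "Moderate", "cvss": 5.4, "impact": "Info"},
    {"cve": "CVE-2025-90006", "product": "Windows 11", "severity": "Important", "cvss": 7.8, "impact": "EoP"},
]

# Constructed KEV excerpt: only the Important-rated Windows 11 EoP is known exploited,
# which is exactly the case a severity-only sort would bury.
KEV_FEED = {"vulnerabilities": [
    {"cveID": "CVE-2025-90002", "dateAdded": "2025-10-15", "knownRansomwareCampaignUse": "Known"},
]}

RELEASED = datetime(2025, 10, 14, 17, 0)

if __name__ == "__main__":
    for q in prioritize(ADVISORIES, KEV_FEED, RELEASED):
        flag = "KEV" if q["kev"] else "   "
        print(f"{flag} {q['cve']} {q['severity']:<9} T{q['tier']} due {q['deadline']:%Y-%m-%d %H:%M}")
```

With this ordering an Important-rated bug that is already being exploited outranks a Critical one that is not, which is the distinction a raw CVE count hides. In production the KEV feed would be fetched rather than embedded, and the tier map would come from the asset inventory.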

Bill Demirkapi, an independent security researcher who has uncovered dozens of Microsoft vulnerabilities, sees the trend as an opportunity. “The fact that we’re finding fewer trivial bugs means the investment in secure development is paying off,” he said in a Twitter Spaces discussion on the report. “But the flip side is that the remaining bugs are the ones that really matter. If you’re an IT director, you can’t just say ‘we patched 50 CVEs this month so we’re safe.’ You need to ask which CVEs are on the known-exploited list and whether you have a defense-in-depth strategy for when patching fails.”

The Azure and Entra ID Connection

One of the most alarming trends in the report is the concentration of critical vulnerabilities in Azure core services. Azure App Service, Azure Kubernetes Service, and Azure Arc each made the top-10 list of products with the most critical CVEs in 2025. This reflects the growing complexity of platform-as-a-service offerings, where multi-tenancy isolation bugs can lead to cross-customer data exposure.

Entra ID flaws are particularly concerning because they often require zero user interaction. CVE-2025-4962, disclosed in November 2025, allowed an attacker to bypass conditional access policies by repeatedly triggering a race condition in Entra ID’s token validation engine. A patch was released, but organizations that had not migrated to the newer continuous access evaluation (CAE) feature remained vulnerable for weeks.

“Identity is the new perimeter, and we’re seeing it breached at an alarming rate,” noted Greg Tarr, senior director of product management at BeyondTrust. “Our report data shows that 72% of organizations that suffered a cloud breach in 2025 had a privilege mismatch between their on-premises and cloud identity systems. Addressing that gap is the single most impactful security measure an enterprise can take.”

Looking Beyond the Numbers

The BeyondTrust report is a call to action for the security industry to evolve its metrics. CVE counts have long dominated headlines and boardroom presentations, but they increasingly fail to capture the real risk landscape. A drop from 1,353 to 1,273 CVEs might sound like progress, but if it’s accompanied by a rise in weaponized zero-days and cloud-native attack chains, organizations are arguably worse off.

Microsoft’s own response to the report was measured. In a statement provided to windowsnews.ai, a Microsoft spokesperson said, “We appreciate the community’s efforts to analyze vulnerability trends and strengthen ecosystem security. Our commitment to the Secure Future Initiative continues to yield measurable improvements, and we’re investing heavily in secure-by-design practices that prevent entire classes of vulnerabilities.” The spokesperson pointed to the 2025 launch of the Microsoft Security Development Lifecycle (SDL) 2.0 framework, which mandates threat modeling for all new features and deprecated legacy cryptographic algorithms that were a frequent source of vulnerabilities.

Whether these efforts will bend the severity curve remains an open question. The attack surface isn’t shrinking; it’s being reshaped by generative AI tools that can audit code faster than ever—for both defenders and attackers. The threat intelligence firm RedSense released a parallel study this month showing a 34% increase in public proof-of-concept exploits for critical Microsoft vulnerabilities within 72 hours of disclosure, driven largely by AI-assisted reverse engineering.

The Bottom Line

For Windows and Azure admins, the message is clear: Don’t be lulled by a lower CVE count. In 2025, fewer vulnerabilities did not mean less risk. It meant more of the risk was concentrated in critical, identity-focused, and cloud-native flaws that demand immediate, targeted action. Patch management strategies must evolve to prioritize severity and exploitability over volume. Least-privilege models must extend from the endpoint to every layer of the cloud. And security leaders must educate their boards that a decline in vulnerability reports is not the same as a decline in threat—it may be the calm before a more destructive storm.