Microsoft vulnerabilities: What’s improved, what’s at risk
Microsoft reported a record 1,360 vulnerabilities in 2024, according to the latest BeyondTrust Microsoft Vulnerabilities Report. The volume marks an 11% increase from the previous record in 2022 and fits within a broader post-pandemic trend: more vulnerabilities, more products, and more complex ecosystems.
But one of the more telling metrics for CISOs is not just how many bugs were found — it’s how dangerous they were. In that regard, the data offers some good news. The number of critical vulnerabilities dropped to 78 in 2024, down from 84 the year before and less than half the 196 logged in 2020. It’s the lowest critical count since the report began.
Key risks
Critical flaws — those enabling code execution without user input — are among the most likely to be exploited in the wild. Their continued decline points to improvements in Microsoft’s development pipeline and architecture.
That said, not all categories followed the same curve. Elevation of Privilege (EoP) vulnerabilities made up 40% of the total. Remote Code Execution (RCE) followed close behind. Both remain top objectives for attackers.
“This year’s data offers a clear reminder that the threat landscape isn’t slowing down—it’s rapidly evolving,” said James Maude, Field CTO at BeyondTrust.
“The sustained dominance of Elevation of Privilege vulnerabilities highlights how valuable privileges are to attackers and why they will continue to target identities with privileges to move laterally and gain access to critical systems. These trends reinforce the need for organizations to focus not just on patching, but on securing the underlying Paths to Privilege across their environments to reduce the attack surface of every identity and point of access,” Maude continued.
These vulnerabilities are a key mechanism attackers rely on as organizations exert more controls around enforcing least privilege in their environments. If you can reduce a threat actor’s access to privilege, you reduce the “blast radius” in the event of exploitation.
As Kip Boyle, CISO at Cyber Risk Opportunities, put it: “Privilege elevation is the golden ticket for ransomware operators. Once attackers gain administrative privileges, they can execute the most devastating part of their playbook.”
Microsoft Edge, which had seen steady improvements, broke that trend. It jumped to 292 vulnerabilities — nine of which were critical, up from just one the previous year. Many of these allowed code to escape the browser sandbox, essentially turning the browser into a gateway for lateral movement. CISA issued a rare advisory warning for multiple Edge flaws in October 2024.
Microsoft Office used to be a major security pain point for organizations. Malicious phishing documents exploited common vulnerabilities, or simply socially engineered a user into opening a document and allowing macros to run, in order to misuse the built-in features for nefarious purposes.
Microsoft Office vulnerabilities rise sharply
Office saw a 24% jump in total vulnerabilities, reversing last year’s decline. Meanwhile, Azure and Dynamics 365 also saw a 14% increase in total flaws. One standout: an SSRF bug in Microsoft Copilot Studio that let attackers retrieve access tokens and connect to internal cloud resources.
Patching remains essential, but not enough. Several zero-days — including CVE-2024-49138, a CLFS driver flaw exploited for SYSTEM-level access — highlight the need for layered defense.
In 2025, it will be vital for Microsoft to build confidence in the quality and stability of patches and updates. This is necessary to increase the pace at which organizations are comfortable deploying patches.
“If there’s one takeaway for 2025,” said Paula Januszkiewicz, CEO of CQURE, “it’s that proactive threat hunting and least privilege should be front and center.”
Microsoft’s Secure Future Initiative (SFI), launched in late 2023, claims to prioritize security across development. Some SFI milestones include phasing out unused apps and expanding phishing-resistant credentials. Still, experts warn against reading too much into early results.
Although the total number of vulnerabilities has risen, the longer-term trend shows the pace of growth appears to be stabilizing. This, combined with the continued downward trend toward fewer critical vulnerabilities, suggests Microsoft’s security initiatives and improvements in the security architecture of modern operating systems are paying off.
“Vulnerabilities are breadcrumbs,” said Anton Chuvakin, advisor at Google Cloud. “They point to process failures, not just bad code.”
While this report is looking back at 2024, it’s worth noting that the first Patch Tuesday of 2025 was the biggest one since 2017, covering 159 vulnerabilities—including 8 zero-day vulnerabilities.
We need to be prepared not only to patch as quickly as possible, but also to ensure we have the best security posture possible via other mitigations, such as least privilege, zero trust, and just-in-time access to systems, to minimize the blast radius when those zero-days come knocking.