Microsoft critical flaws tilt to escalation

- BeyondTrust said on April 21 that Microsoft’s 2025 vulnerability total stabilized, but critical flaws doubled, according to data later highlighted by BleepingComputer.
- The clearest signal was 157 critical flaws in 2025, up from 78 a year earlier, while elevation-of-privilege bugs remained 40% of disclosures.
- Microsoft’s Security Update Guide and BeyondTrust’s 2026 report provide the next reference points for tracking whether that escalation-heavy mix persists.

BeyondTrust’s 2026 Microsoft Vulnerabilities Report points to a change in the shape of Microsoft risk rather than a simple rise in volume. The company said total Microsoft vulnerabilities disclosed in 2025 were 1,273, down from 1,360 in 2024, while critical vulnerabilities rose to 157 from 78. BleepingComputer, which reported the findings on May 20, said the shift shows attackers are concentrating more heavily on privilege escalation and identity-linked abuse paths.

That matters because the report describes a year in which the raw count stayed broadly stable, but the proportion of high-impact flaws worsened. BeyondTrust said elevation-of-privilege vulnerabilities made up 40% of all flaws, continuing a pattern it said reinforces identity as a primary attack vector. The company also said Azure and Dynamics 365 saw a ninefold increase in critical vulnerabilities. (bleepingcomputer.com)

### Why does a flat total still point to a more dangerous year?

The key change is severity. BeyondTrust said the 2025 total fell about 6% year over year, but critical issues doubled, which it described as evidence that exploitability and impact are increasing even as overall volume stabilizes. BleepingComputer framed that as a move “from exposure to escalation,” meaning the more consequential weaknesses are increasingly the ones that help an attacker gain authority after initial access. (beyondtrust.com)

A flat or lower total can therefore hide a worse operating environment for defenders. If more of the disclosed flaws enable privilege gain, tenant control, or identity abuse, the practical risk is less about how many CVEs exist and more about what power they unlock once exploited. That is an inference from the reported numbers and BeyondTrust’s emphasis on “Paths to Privilege.” (bleepingcomputer.com)

### What exactly is shifting toward privilege escalation?

BeyondTrust said elevation-of-privilege remained the largest category in Microsoft’s disclosures, accounting for 40% of the total. In its 2025 edition, the company had already said elevation-of-privilege and remote-code-execution bugs dominated the 2024 landscape, with 554 EoP flaws out of 1,360 total disclosures. The 2026 edition says that concentration around privilege did not fade; instead, the criticality of the mix increased. (beyondtrust.com)

That shift lines up with how enterprise intrusions often unfold. An attacker who already has a foothold can use an elevation bug to reach administrator, domain, or cloud control-plane privileges. BeyondTrust explicitly tied the trend to identity as the primary attack vector, and BleepingComputer said the pattern highlights identity abuse and escalation paths rather than simple internet-facing exposure. (beyondtrust.com)

### Which Microsoft areas stood out in the report?

Azure and Dynamics 365 were among the sharpest movers. BeyondTrust said those product areas saw a ninefold increase in critical vulnerabilities in 2025. Its earlier 2025 report had said Azure and Dynamics 365 vulnerabilities had plateaued in 2024, making the later jump notable in year-over-year comparison. Office also drew attention. (bleepingcomputer.com)

Third-party coverage of the BeyondTrust report said Microsoft Office vulnerabilities jumped 234%, adding to concern around productivity tools and identity-adjacent workflows, though the primary BeyondTrust press summary emphasized the broader critical-risk surge more than Office specifically.

### How should defenders read the numbers?

The report argues for triage by authority path, not just by reachability. (beyondtrust.com) BeyondTrust’s framing suggests security teams should rank flaws by whether they can expand privileges, tamper with identity systems, or compromise administrative paths. That means directory services, cloud control planes, admin endpoints, CI/CD systems, and secrets infrastructure may deserve faster remediation than a longer list of lower-impact exposed assets. That prioritization is an inference drawn from the report’s data and language about privilege-centric risk. (expertinsights.com)

Microsoft’s Security Update Guide remains the company’s primary reference for current fixes and affected products. The next useful checkpoint will be whether monthly disclosures continue to show a heavy concentration in elevation-of-privilege and other identity-adjacent categories, or whether the 2025 mix proves temporary. (portal.msrc.microsoft.com) (beyondtrust.com)
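As an added example (not code from BeyondTrust, BleepingComputer or Microsoft), the following Python script computes the two ratios the report leans on, the critical count and the elevation-of-privilege share, from a constructed set of Security Update Guide-style records, checks the reported 2024-to-2025 figures with the same arithmetic, and then ranks the records by authority path rather than by severity alone. The field names, the severity and impact weights, the control-plane keyword list and the synthetic SYN-* identifiers are all assumptions chosen for illustration; none of the records is a real CVE.

```python
"""Category mix and privilege-path triage for Microsoft patch entries.

Added example; not code from BeyondTrust, BleepingComputer or Microsoft.
Records are constructed to resemble Security Update Guide fields (impact,
severity, product family). IDs are synthetic, not real CVEs.
"""
from collections import Counter

# Constructed sample records (synthetic IDs, assumed field names).
SAMPLE = [
    {"id": "SYN-001", "impact": "Elevation of Privilege", "severity": "Critical",
     "product": "Windows Active Directory Domain Services"},
    {"id": "SYN-002", "impact": "Remote Code Execution", "severity": "Critical",
     "product": "Microsoft Office"},
    {"id": "SYN-003", "impact": "Elevation of Privilege", "severity": "Important",
     "product": "Azure"},
    {"id": "SYN-004", "impact": "Information Disclosure", "severity": "Important",
     "product": "Windows Kernel"},
    {"id": "SYN-005", "impact": "Elevation of Privilege", "severity": "Important",
     "product": "Windows Print Spooler"},
    {"id": "SYN-006", "impact": "Remote Code Execution", "severity": "Important",
     "product": "Dynamics 365"},
    {"id": "SYN-007", "impact": "Denial of Service", "severity": "Important",
     "product": "Windows TCP/IP"},
    {"id": "SYN-008", "impact": "Security Feature Bypass", "severity": "Moderate",
     "product": "Microsoft Edge"},
]

# Assumed weights: severity as Microsoft rates it, plus how much authority
# the impact class hands an attacker once exploited.
SEVERITY_WEIGHT = {"Critical": 3, "Important": 2, "Moderate": 1, "Low": 0}
IMPACT_WEIGHT = {"Elevation of Privilege": 3, "Remote Code Execution": 2,
                 "Security Feature Bypass": 1}
# Product families treated as identity or control-plane assets (editor's heuristic).
CONTROL_PLANE_TERMS = ("active directory", "entra", "azure", "admin center")


def category_mix(records):
    """Slice a batch the way the report does: total, critical count, EoP share."""
    impacts = Counter(r["impact"] for r in records)
    total = len(records)
    critical = sum(1 for r in records if r["severity"] == "Critical")
    eop = impacts["Elevation of Privilege"]
    return {"total": total, "critical": critical, "eop": eop,
            "eop_share": (eop / total) if total else 0.0}


def compare_years(prev, cur):
    """Year-over-year change in volume next to the multiplier on critical flaws."""
    total_change = (cur["total"] - prev["total"]) / prev["total"] if prev["total"] else 0.0
    critical_ratio = cur["critical"] / prev["critical"] if prev["critical"] else float("inf")
    return {"total_change": total_change, "critical_ratio": critical_ratio}


def is_control_plane(product):
    """True when the product name matches an identity or control-plane term."""
    name = product.lower()
    return any(term in name for term in CONTROL_PLANE_TERMS)


def authority_score(rec):
    """Higher means the flaw buys more authority once exploited, not just more reach."""
    score = SEVERITY_WEIGHT.get(rec["severity"], 0)
    score += IMPACT_WEIGHT.get(rec["impact"], 0)
    if is_control_plane(rec["product"]):
        score += 3
    return score


def triage(records):
    """Order patches by authority path: score, then impact class, then id."""
    ranked = sorted(records,
                    key=lambda r: (-authority_score(r),
                                   -IMPACT_WEIGHT.get(r["impact"], 0), r["id"]))
    return [r["id"] for r in ranked]


if __name__ == "__main__":
    mix = category_mix(SAMPLE)
    print(f"total={mix['total']} critical={mix['critical']} eop_share={mix['eop_share']:.0%}")
    # The figures BeyondTrust reported for 2024 and 2025, run through the same arithmetic.
    yoy = compare_years({"total": 1360, "critical": 78}, {"total": 1273, "critical": 157})
    print(f"reported 2024->2025: total {yoy['total_change']:+.1%}, critical x{yoy['critical_ratio']:.2f}")
    for vid in triage(SAMPLE):
        print(vid)
```

On the constructed sample, an Important-rated elevation bug in an identity product (SYN-003) outranks a Critical remote-code-execution bug in Office (SYN-002), which is the ordering the report's "authority path" argument implies; a pure severity sort would invert the two. The weights are deliberately coarse so the rule can be argued about and adjusted rather than treated as a score to trust blindly.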
