Surge in Microsoft critical vulnerabilities driven by privilege escalation and cloud platform flaws
Summary
Microsoft disclosed 1,273 vulnerabilities in 2025, a slight decrease from 1,360 in 2024, but critical vulnerabilities doubled year-over-year from 78 to 157, reversing a multi-year downward trend. Elevation of Privilege (EoP) vulnerabilities accounted for 40% of all CVEs, while Information Disclosure flaws rose by 73%, indicating a shift in attacker focus toward stealth, reconnaissance, and lateral movement. Cloud platforms such as Microsoft Azure and Dynamics 365 saw critical vulnerabilities spike from 4 to 37, highlighting escalating risks in identity and access management (IAM) and control planes. On endpoints and servers, Windows Server vulnerabilities increased to 780, with 50 classified as critical, while Microsoft Office vulnerabilities surged 234% year-over-year, rising to 157 total and 31 critical vulnerabilities, reflecting broader exploitation of productivity software for initial access.
Timeline
- 19.05.2026 17:00 (1 article)
Microsoft critical vulnerabilities surge in 2025, driven by privilege escalation and cloud platform flaws
Analysis of Microsoft’s 2025 vulnerability disclosures shows critical vulnerabilities doubled year-over-year to 157, with Elevation of Privilege (EoP) and Information Disclosure flaws rising sharply. Critical flaws in Microsoft Azure and Dynamics 365 increased from 4 to 37, while Windows Server vulnerabilities totaled 780 with 50 critical, and Microsoft Office vulnerabilities surged 234% to 157 total (31 critical). CVE-2025-55241, a critical Entra ID flaw, demonstrated the impact of cloud identity compromise with token forgery enabling cross-tenant access without detectable logs.
Sources:
- Critical Microsoft Vulnerabilities Doubled: From Exposure to Escalation — www.bleepingcomputer.com — 19.05.2026 17:00
Information Snippets
- Microsoft disclosed 1,273 vulnerabilities in 2025, a decrease from 1,360 in 2024, but critical vulnerabilities doubled from 78 to 157.
  First reported: 19.05.2026 17:00 (1 source, 1 article; see Sources above)
- Elevation of Privilege (EoP) vulnerabilities accounted for 40% of all Microsoft CVEs in 2025, while Information Disclosure flaws rose by 73% year-over-year.
  First reported: 19.05.2026 17:00 (1 source, 1 article; see Sources above)
- Microsoft Azure and Dynamics 365 critical vulnerabilities increased from 4 to 37 in 2025, despite a slight overall decline in total vulnerabilities for these platforms.
  First reported: 19.05.2026 17:00 (1 source, 1 article; see Sources above)
- Microsoft Windows Server vulnerabilities rose to 780 total, with 50 classified as critical in 2025.
  First reported: 19.05.2026 17:00 (1 source, 1 article; see Sources above)
- Microsoft Office vulnerabilities surged 234% year-over-year, increasing from 47 to 157 total, with critical vulnerabilities jumping from 3 to 31 in 2025.
  First reported: 19.05.2026 17:00 (1 source, 1 article; see Sources above)
- CVE-2025-55241, a critical Entra ID flaw patched in July 2025, allowed attackers to forge tokens accepted across any tenant, leaving no trace in victim logs.
  First reported: 19.05.2026 17:00 (1 source, 1 article; see Sources above)