Microsoft reported a record-breaking 1,360 vulnerabilities in its products last year, an all-time high and an 11% increase over the previous record of 1,292 in 2022, according to new report from cybersecurity firm BeyondTrust.
Microsoft Office vulnerabilities in particular nearly doubled from 2023, reaching 62 in 2024.
At the same time, the cybersecurity firm reports that the longer-term trend shows the pace of growth in vulnerabilities appears to be stabilizing. “This, combined with the continued downward trend toward fewer critical vulnerabilities, suggests Microsoft’s security initiatives and improvements in the security architecture of modern operating systems are paying off,” the authors note.
However, the report warns of the “complexity of securing today’s vast and diverse ecosystems, where evolving technologies, features, and interdependencies continue to introduce risk.”
Other findings from the report include:
- Elevation of Privilege (EoP) and Remote Code Execution (RCE)—primary goals of any threat actor looking to exploit a system—continue to dominate the vulnerability categories.
- Elevation of Privilege (EoP) vulnerabilities comprised 40% (554) of all reported vulnerabilities.
- Critical vulnerabilities across the Microsoft ecosystem continued to decline overall in 2024.
- Security Feature Bypass vulnerabilities surged by 60%, increasing from 56 in 2023 to 90 in 2024, increasing the pressure to reduce software vulnerabilities at the design stage through secure coding and threat modeling.
- Microsoft Edge vulnerabilities increased by 17% to 292 total vulnerabilities, including 9 critical vulnerabilities in 2024, compared to zero in 2022.
- Microsoft Azure and Dynamics 365 vulnerabilities plateaued in 2024.
- There were 587 Windows vulnerabilities in 2024; 33 were critical.
- Windows Server had 684 vulnerabilities in 2024; 43 were critical.
The report includes insights from private and public sector cybersecurity experts on how practices such as enforcing least privilege and zero trust, prioritizing vulnerability management, and securing remote access pathways help in defending a Windows environment against present and future threats.
“One of the biggest causes of data breaches is compromised credentials. Overprivileged user accounts are the low hanging fruit attackers are looking for, and they will always take the path of least resistance. It’s crucial to secure your privileged accounts (and all pathways to them) to avoid sneaky attack vectors and lateral movement through your network,” Anton Chuvakin, security advisor at Office of the CISO, Google Cloud, comments in the report.
Sami Laiho, senior technical fellow, Microsoft MVP (Most Valuable Player), writes that while Microsoft reached an all-time record for vulnerabilities, the amount has now stayed near the same level for five years in a row. At the same time, Laiho says, it’s important to know that there were 40,000 common vulnerabilities and exposures reported in total in 2024. “While Microsoft is just a small portion of those, the role that Windows plays as the most used desktop operating system means it’s the one that usually shows the actual ransomware note to the user and is the final end-game target for the attacker,” he says in the report.
Laiho adds that since most identity-targeted attacks will target the routes that people use for online services, the rise in the number of vulnerabilities in Edge and Office is of concern. “The good news is that proactive measures will help you in the task—even if it seems almost impossible,” he adds.
“This year’s data offers a clear reminder that the threat landscape isn’t slowing down—it’s rapidly evolving,” said James Maude, field chief technology officer at BeyondTrust. “The sustained dominance of Elevation of Privilege vulnerabilities highlights how valuable privileges are to attackers and why they will continue to target identities with privileges to move laterally and gain access to critical systems. These trends reinforce the need for organizations to focus not just on patching, but on securing the underlying Paths to Privilege across their environments to reduce the attack surface of every identity and point of access.”
BeyondTrust offers protection for what it calls Paths to Privilege and sees privileged access management (PAM as the keystone of a robust identity security strategy. It offers a AI-driven PAM platform called Pathfinder.
Was this article valuable?
Here are more articles you may enjoy.
Questions About How a Deputy’s Stepson Became the Accused Gunman at FSU Shooting 
White House Seeks to Bring Financial Regulators Under Its Sway 
Allstate Agent Can Be Sued Over Nonrenewal of ‘Grandfathered’ Flood Insurance Policy 
Marsh Sues Aon, Ex-Team Leader Over Exit of 20 Construction Surety Employees 
