Critical Microsoft Vulnerabilities Doubled: From Exposure to Escalation

Authored by: Morey J. Haber, Chief Security Advisor, BeyondTrust, and James Maude, Field Chief Technology Officer, BeyondTrust

As analyzed in the 2026 Microsoft Vulnerabilities Report, Microsoft disclosed 1,273 vulnerabilities in 2025, which represents a dip from 1,360 the prior year. The good news seems to be that total Microsoft vulnerabilities have remained in a stable range from 2020 – 2026.

But those numbers are the wrong ones to watch. Critical vulnerabilities doubled year-over-year, surging from 78 to 157, reversing a multi-year downward trend.

Stability in total vulnerability volume conceals instability in impact, and that is where organizations should focus their attention.

The most important clue in this data is not how many vulnerabilities were disclosed, but where they are concentrated and what they enable threat actors to potentially compromise.

Critical Microsoft Vulnerabilities Doubled: From Exposure to Escalation

Other newsrooms on this story

Related reading

Microsoft Patches 138 Vulnerabilities, Including DNS and Netlogon RCE Flaws

Other newsrooms on this story

Related reading

Microsoft Patches 138 Vulnerabilities, Including DNS and Netlogon RCE Flaws

Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero-days

Microsoft's agentic security system MDASH uncovers four critical Windows RCE…

Microsoft’s new AI system finds 16 Windows flaws, including four critical RCEs

Microsoft warns of Exchange zero-day flaw exploited in attacks

Microsoft patch fell short. New Windows flaw exploited