{"id":15370,"date":"2026-04-24T11:57:15","date_gmt":"2026-04-24T11:57:15","guid":{"rendered":"https:\/\/www.europesays.com\/ai\/15370\/"},"modified":"2026-04-24T11:57:15","modified_gmt":"2026-04-24T11:57:15","slug":"critical-microsoft-flaws-double-as-ai-supercharges-discovery","status":"publish","type":"post","link":"https:\/\/www.europesays.com\/ai\/15370\/","title":{"rendered":"Critical Microsoft flaws double as AI supercharges discovery"},"content":{"rendered":"

Despite overall vulnerability volumes stabilising across Microsoft\u2019s security ecosystem, last year saw a flood of critical flaws linked to the rapid acceleration of AI in cybersecurity, according to new research from BeyondTrust.<\/p>\n

The identity security provider\u2019s latest Microsoft Vulnerabilities Report<\/a>, which analyses data from publicly issued Microsoft security bulletins over the last year, reveals that while 2025 saw a 6% decrease in total vulnerabilities, the number of critical vulnerabilities doubled, rising from 78 to 157.<\/p>\n

The report found sharp increases in security issues across key Microsoft platforms that had previously seen declining vulnerability activity, including Microsoft Azure and Dynamics 365, which experienced a 9x increase in major flaws, rising from just four to 37.<\/p>\n

\"FS<\/a><\/p>\n

At the same time, Microsoft Office vulnerabilities surged to 157, more than tripling year-over-year, with the software seeing a 10x increase in critical vulnerabilities, a worrying level of risk for one of the world\u2019s most widely used productivity tools.<\/p>\n

BeyondTrust tied this reversal of a multi-year downward trend to AI\u2019s role in accelerating the vulnerability discovery process, while also allowing attackers to analyse patches, reverse engineer fixes, and operationalise exploits faster.<\/p>\n

The cyber firm said that the contrast between the surface-level decline in total vulnerabilities and the spike in critical flaws may also indicate that traditional vulnerability tracking is no longer capturing the full picture, particularly as AI systems, non-human identities, and complex cloud architectures introduce risks that don\u2019t map cleanly to CVEs.\u00a0<\/p>\n

However, even as the landscape shifts, time\u2011honoured tactics still work. Elevation of Privilege (EoP) vulnerabilities accounted for 40% (509) of all vulnerabilities, reinforcing their role as the most direct path for attackers to escalate access and compromise critical systems.<\/p>\n

\u201cDon\u2019t be distracted by the dip in total vulnerabilities,\u201d said James Maude, field CTO at BeyondTrust.<\/p>\n

\u201cCritical vulnerabilities doubled. This is a warning that risk is not decreasing, it is concentrating, and it is concentrating around privilege. Elevation of Privilege made up 40% of all vulnerabilities again this year because that is exactly what attackers need to reach critical systems.\u201d<\/p>\n

Recommended reading<\/p>\n

The report sets out key priorities firms should consider for the year ahead, including enforcing least\u2011privilege access to limit the blast radius of an attack, adopting identity-first strategies for all identities, both human and non-human, and shifting focus from individual vulnerabilities to tackle paths to privilege.<\/p>\n

\u201cA ninefold increase in Azure and Dynamics 365 critical vulnerabilities shows where that concentration is happening. Combined with the rising tide of identity compromise attacks that exploit standing privilege, patching alone will not close this gap,\u201d said Maude.<\/p>\n

\u201cThe organisations that weather this are the ones treating every vulnerability and identity, human or machine, as a potential path to privilege in their most critical systems, and shrinking those paths before an attacker reaches them.\u201d<\/p>\n

\n\tRelated<\/p>\n","protected":false},"excerpt":{"rendered":"Despite overall vulnerability volumes stabilising across Microsoft\u2019s security ecosystem, last year saw a flood of critical flaws linked…\n","protected":false},"author":2,"featured_media":15371,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11],"tags":[420,7829,11532,11533,11534,320,7828,10793],"class_list":{"0":"post-15370","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-microsoft","8":"tag-azure","9":"tag-azure-ai","10":"tag-beyondtrust","11":"tag-critical-vulnerabilities","12":"tag-least-privilege","13":"tag-microsoft","14":"tag-microsoft-ai","15":"tag-microsoft-office"},"_links":{"self":[{"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/posts\/15370","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/comments?post=15370"}],"version-history":[{"count":0,"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/posts\/15370\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/media\/15371"}],"wp:attachment":[{"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/media?parent=15370"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/categories?post=15370"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/tags?post=15370"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}