What Microsoft’s 2024 Vulnerability Data Reveals About Cybersecurity Priorities

Findings from BeyondTrust’s recently released 12th annual Microsoft Vulnerabilities Report reveal a complex and evolving threat landscape. In 2024, Microsoft reported 1,360 vulnerabilities, the highest number it has ever had. At first glance, that number might seem alarming, since it appears to point to a growing number of possible threats.

Yet closer inspection uncovers a paradox in the data. While the total number of vulnerabilities is higher than ever, the number classified as “critical” fell to an all-time low, from 196 in 2020 to just 78 in 2024. This drop represents real progress in Microsoft’s Secure Development Lifecycle (SDL) and the greater adoption of secure-by-design principles. Memory protections, automated patching, and attack-surface reduction have all made it harder for attackers to exploit core operating system components through traditional means.

For security professionals tasked with keeping their organizations safe, this contrast represents significant progress, yet it also delivers new challenges. On one hand, the decline in critical vulnerabilities shows real improvements in Microsoft’s core security architecture, especially related to Windows and other foundational Microsoft systems.

On the other hand, attackers seem to be changing their strategies and tactics. For example, instead of trying to breach newly hardened operating system components, they are turning their attention to softer targets. This shift suggests that while critical vulnerabilities may be declining, threat actors will continue to search for new weaknesses. As always, this requires defenders to up their game to keep pace and develop new approaches to prioritizing protection.

Kevin E. Greene, Chief Security Strategist, Public Sector at BeyondTrust, commented on the release of the report and the insights it offers. “Our Microsoft Vulnerabilities Report is a reminder that the more things change, the more things remain the same. The industry must change the way we build and develop software because there is no such thing as ‘secure software.’”

Attackers’ New Focus

The BeyondTrust report found that Microsoft Office vulnerabilities nearly doubled to 62 in 2024. It’s a natural and concerning development: Office is deeply embedded in enterprise workflows, making it an accessible and high-value entry point for cyber attackers. Its widespread use and integration with email, macros, and document sharing also make it especially appealing for targeted attacks.

Robert Kramer, Vice President and Principal Analyst at Moor Insights & Strategy, explained how attackers are responding. “While the drop in critical Microsoft vulnerabilities is positive, the surge in overall flaws, especially in Office products and security bypass techniques, indicates a broader problem: attackers are becoming more strategic, exploiting overlooked areas where defenses are weaker or patching is slower,” he said. “This trend suggests a shift from purely technical weaknesses to operational resilience gaps.”

Phishing attacks and malicious macro-laced documents continue to be attackers’ preferred vectors. Despite years of warnings and built-in defenses, threat actors find new success by exploiting user behavior and inconsistent security controls across endpoints. The use of these tactics shows that application-layer vulnerabilities deserve more attention than security teams may have given them in the past.

Additional Challenges: Security Feature Bypass Vulnerabilities

Another area experiencing troubling growth is Security Feature Bypass (SFB) vulnerabilities, which have tripled since 2020. These flaws allow attackers to circumvent built-in protections such as User Account Control (UAC), Windows Defender SmartScreen, and other security controls.

This trend also shows a shift in attackers’ behavior. Instead of wrestling with hardened OS components, threat actors are opting to completely evade detection and protection systems. This is a reminder that even the most advanced security features can become liabilities if adversaries continue to find ways around them. It also highlights the need for defenders to treat bypasses as seriously as exploits and re-evaluate the effectiveness of legacy cybersecurity systems that may no longer offer real protection.

Strategic Takeaways for Security Leaders

According to Kramer, these trends call for a fundamental shift in security strategy, especially related to modernizing older, potentially outdated security systems.

“Legacy systems, once considered lower-priority risks, are now prime targets due to their familiar, often under-protected pathways,” he said. “This means we need a security strategy that adapts to changing threats, predicts what attackers will do, and starts security early in the design of systems and workflows.”

Additionally, organizations need deeper visibility into application-layer risks. Office and other high-use applications represent a growing attack surface yet often receive less security scrutiny than core systems. Defenders must prioritize these apps, monitor for misuse, and consider behavior-based detection over signature-based approaches alone.

Finally, risk prioritization must evolve. A declining number of critical vulnerabilities doesn’t equate to lower threat levels. Instead of relying solely on severity scores, security leaders should weigh exploitability, ease of abuse, and the business impact of compromise to guide response and mitigation efforts.

Rethinking the Risk Map

The BeyondTrust report makes one thing clear: more vulnerabilities don’t necessarily mean more danger – but the nature of the risk is shifting. As attackers adapt to hardened OS defenses by targeting application-layer flaws and bypassing controls, defenders must adopt more adaptive strategies.

Security leaders should proactively audit outdated controls, elevate visibility into high-usage platforms like Office, and align prioritization strategies with real-world attacker behavior. In this evolving threat landscape, the greatest risk may come not from what’s newly discovered but from what’s long been overlooked.

Author
  • Contributing Writer
    Jason Rasmuson is a Massachusetts-based writer with more than 25 years of experience writing for the technology and cybersecurity industries. He is passionate about writing about the interaction between business…