BeyondTrust’s annual analysis of Microsoft Patch Tuesday data has found that total disclosures dipped 6% YoY to 1,273, even as critical-rated flaws doubled from 78 to 157.
The full 2026 report, covering calendar year 2025, argues the decline masks a concentration of risk around identity-driven attack paths, lateral movement, and the quiet escalation of privilege.
Office and productivity tools saw the biggest shift within the dataset. Total Microsoft Office flaws climbed 234% from 47 to 157, and critical-rated bugs jumped roughly tenfold.
Preview pane vulnerabilities such as CVE-2025-62554 and CVE-2025-62557 drove much of the spike, BeyondTrust said, letting attackers chain memory corruption flaws with zero-click exploitation.
The bigger issue, some researchers argue, is how quickly fixes get reverse-engineered. “Security researchers face a 90-day disclosure embargo, whereas nation-state sponsored threat actor groups are known to stockpile vulnerabilities indefinitely,” Mayuresh Dani, Security Research Manager at Qualys Threat Research Unit, told Expert Insights.
He added that enterprises should push development teams to “eliminate a vulnerability class rather than a single code path,” which would cut down on repeat bypasses.
Copilot and Agentic AI Enter the CVE Count
Microsoft Copilot drew attention as an emerging attack vector, BeyondTrust noted. CVE-2025-32711, known as EchoLeak, allowed zero-click exploitation against Microsoft 365 Copilot through AI model manipulation, while CVE-2025-59286 enabled command injection against the same platform.
BeyondTrust’s Phantom Labs team also reported a 466.7% YoY rise in agentic activity across corporate networks.
For Mark McClain, Chief Executive Officer at SailPoint, this confirms an overdue shift. “Identity is no longer about perimeter-based defense. The rise in AI-based agents, and the massively accelerating threat landscape, has rendered that approach inadequate,” he told Expert Insights, arguing that modern controls must govern not just who, but “what,” is able to act once inside.
BeyondTrust’s own data supports that framing. Elevation of Privilege accounted for 40% of all 2025 disclosures, and the report cautions that many cloud and AI-era risks never receive CVE identifiers at all, a gap traditional vulnerability management still struggles to close.
Additional figures in the BeyondTrust report include a ninefold rise in critical Azure and Dynamics 365 flaws, an 83% drop in Microsoft Edge disclosures, and 780 Windows Server vulnerabilities logged across the year.
