Microsoft vulnerabilities hit a record high in 2024


The latest annual Microsoft Vulnerabilities Report from BeyondTrust reveals a record-breaking number of reported vulnerabilities last year.
Total vulnerabilities reached an all-time high of 1,360 in 2024, an 11 percent increase from the previous record of 1,292 in 2022. Elevation of Privilege (EoP) vulnerabilities comprised 40 percent of all those reported.
Security Feature Bypass vulnerabilities surged by 60 percent, rising from 56 in 2023 to 90 in 2024 and adding to the pressure to reduce software vulnerabilities at the design stage through secure coding and threat modeling.
Microsoft Edge vulnerabilities increased by 17 percent to 292 total vulnerabilities, including nine critical vulnerabilities in 2024, compared to zero in 2022.
On a more positive note, critical vulnerabilities across the Microsoft ecosystem continued to decline overall in 2024, while Microsoft Azure and Dynamics 365 vulnerabilities plateaued. This, along with a slower pace of growth in vulnerabilities, suggests Microsoft's security initiatives and improvements in the security architecture of modern operating systems are paying off.
"This year's data offers a clear reminder that the threat landscape isn't slowing down -- it's rapidly evolving," says James Maude, field chief technology officer at BeyondTrust. "The sustained dominance of Elevation of Privilege vulnerabilities highlights how valuable privileges are to attackers and why they will continue to target identities with privileges to move laterally and gain access to critical systems. These trends reinforce the need for organizations to focus not just on patching, but on securing the underlying Paths to Privilege across their environments to reduce the attack surface of every identity and point of access."
The report notes that unpatched systems remain an easy target, opening the door for widespread exploitation, while Microsoft’s expanding tech stack, including cloud and AI services, will continue to introduce new attack surfaces.
It also points out that novel vulnerabilities will emerge as attackers find new and creative ways to bypass defenses. Patches alone are insufficient to tackle the issue -- they can fail or introduce stability risks, underscoring the need for layered defenses. Threat actors are shifting tactics too, increasingly targeting identities and privileges over traditional exploits.
You can get the full report from the BeyondTrust site.