Microsoft Security Vulnerabilities Set Record High in 2024: BeyondTrust


Microsoft reported a record-breaking 1,360 vulnerabilities in its products last year, an all-time high and an 11% increase over the previous record of 1,292 in 2022, according to a new report from cybersecurity firm BeyondTrust.

Microsoft Office vulnerabilities in particular nearly doubled from 2023, reaching 62 in 2024.

At the same time, the cybersecurity firm reports that, over the longer term, the pace of growth in vulnerabilities appears to be stabilizing. “This, combined with the continued downward trend toward fewer critical vulnerabilities, suggests Microsoft’s security initiatives and improvements in the security architecture of modern operating systems are paying off,” the authors note.

However, the report warns of the “complexity of securing today’s vast and diverse ecosystems, where evolving technologies, features, and interdependencies continue to introduce risk.”

Other findings from the report include:

  • Elevation of Privilege (EoP) and Remote Code Execution (RCE)—primary goals of any threat actor looking to exploit a system—continue to dominate the vulnerability categories.
  • Elevation of Privilege (EoP) vulnerabilities comprised 40% (554) of all reported vulnerabilities.
  • Critical vulnerabilities across the Microsoft ecosystem continued to decline overall in 2024.
  • Security Feature Bypass vulnerabilities surged by 60%, rising from 56 in 2023 to 90 in 2024 and adding to the pressure to reduce software vulnerabilities at the design stage through secure coding and threat modeling.
  • Microsoft Edge vulnerabilities increased by 17% to 292 total vulnerabilities, including 9 critical vulnerabilities in 2024, compared to zero in 2022.
  • Microsoft Azure and Dynamics 365 vulnerabilities plateaued in 2024.
  • There were 587 Windows vulnerabilities in 2024; 33 were critical.
  • Windows Server had 684 vulnerabilities in 2024; 43 were critical.

The report includes insights from private and public sector cybersecurity experts on how practices such as enforcing least privilege and zero trust, prioritizing vulnerability management, and securing remote access pathways help in defending a Windows environment against present and future threats.
