Report reveals Elevation of Privilege accounted for 40% of all Microsoft vulnerabilities in 2023

Report reveals Elevation of Privilege accounted for 40% of all Microsoft vulnerabilities in 2023

2024 BeyondTrust’s 2024 annual Microsoft Vulnerabilities Report pitched as a ‘prime illustration’ of the modern identity threat landscape.

BeyondTrust’s 2024 Microsoft Vulnerabilities Report shows that aafter hitting an all-time high in 2022, total vulnerabilities continue their 4-year holding pattern near their highest-ever numbers in 2023, remaining between 1,200 and 1,300 (since 2020).

The Elevation of Privilege vulnerability category continues to dominate, accounting for 40% (490) of the total vulnerabilities in 2023.

Denial of Service vulnerabilities climbed 51% to hit a record high of 109 in 2023, with Spoofing demonstrating a dramatic 190% increase – from 31 to 90.

The total number of critical vulnerabilities continues its downward trend, but slows its descent, dropping by 6% to 84 in 2023 (5 less than in 2022).

Other findings include:

  • After Microsoft Azure & Dynamics 365 vulnerabilities skyrocketed in 2022, they almost halved in 2023 – down from 114 to 63.
  • Microsoft Edge experienced 249 vulnerabilities in 2023, only one of which was critical.
  • There were 522 Windows vulnerabilities in 2023, 55 of which were critical.
  • Microsoft Office experienced 62 vulnerabilities in 2023.
  • Windows Server category had 558 vulnerabilities in 2023, 57 of which were critical.

“This report continues to highlight the need to keep improving security, not only at Microsoft, but also for all organisations who are looking to better manage cyber risks in the context of an evolving threat landscape,” said James Maude, Director of Research, BeyondTrust.

“This year’s report was a prime illustration of the modern identity threat landscape. The continued domination of Elevation of Privilege as the most common category of vulnerability and the identity crisis highlighted at the end of the report, underscore the importance of privilege and the timeless security concept of least privilege. It also emboldens BeyondTrust’s mission to provide the broadest level of visibility and protection of paths to privilege.”

Despite overall stability in the Microsoft vulnerabilities data, the report’s analysis of critical vulnerabilities and innovative threat tactics predict now is not the time to get complacent:

  • Vulnerabilities and unpatched systems will continue to provide threat actors a means of attack.
  • Expanding Microsoft technologies will continue to introduce new attack surfaces.
  • Novel vulnerabilities will continue to emerge as threat actors uncover innovative pathways through Microsoft’s systems.
  • Investments in research and security practices will continue to shift the way threat actors gain their foothold, as it becomes easier to steal an identity to gain access than to exploit a vulnerability.

Despite predicting an increase in the volume and sophistication of identity-based attacks, this year’s report shows once again that long-standing, foundational security principles like least privilege will continue to offer the best line of defence – even against modern threats – and that the organisations who successfully pair preventative security controls with threat detection and response will continue to be much better poised to withstand tomorrow’s threats.

Browse our latest issue

Intelligent CISO

View Magazine Archive