The machines are already inside: Microsoft's critical flaws doubled as AI agents flooded the enterprise

Enterprise AI agents surged 467% in a single year, pouring into a Microsoft identity infrastructure whose most dangerous vulnerabilities rose ninefold over the same period — and the disclosure systems built to warn businesses about these risks are increasingly unable to see them.

That is the central finding buried inside the 13th edition of BeyondTrust's Microsoft Vulnerabilities Report, released this month. On the surface, the report tells a familiar story: total Microsoft vulnerabilities dipped slightly, from 1,360 in 2024 to 1,273 in 2025, a 6% decline. Below the surface, the numbers describe something closer to a structural break in how enterprise security works.

Critical vulnerabilities doubled year-on-year, climbing from 78 to 157. Microsoft Azure and Dynamics 365 saw critical flaws rise from four to 37, a ninefold increase concentrated in the cloud identity layer where modern businesses authenticate their users, their applications, and increasingly their autonomous software agents. Microsoft Office critical vulnerabilities jumped tenfold, from three to 31. Elevation of Privilege, the category attackers use to turn a foothold into full control, accounted for 40% of all Microsoft vulnerabilities last year.

And running alongside all of this, BeyondTrust's Phantom Labs research team observed a 466.7% year-on-year increase in AI agents operating within enterprise environments. These are not chatbots or productivity assistants. They are non-human identities — service accounts, APIs, bots, containers, and autonomous AI agents — that authenticate and act without human involvement, often with standing privileged access and without the governance applied to human employees.

"Attackers aren't trying to overpower your security stack," said Marc Maiffret, Chief Technology Officer at BeyondTrust, who has been disclosing Microsoft vulnerabilities since the late 1990s. "They're looking for an over-privileged service account, the unpatched critical vulnerability, and the AI agent with unconstrained access. One good position and the submission is inevitable."

A measurement system losing its grip

The report exposes a widening gap between what Microsoft classifies as critical and what the National Vulnerability Database, the scoring system most enterprise patching programmes rely on, classifies as critical. Microsoft rated 157 vulnerabilities critical in 2025. NVD rated 42 of the same flaws critical. For any Chief Information Security Officer making patching decisions based on NVD scores alone, that is a 73% underestimate of their exposure.

The report goes further, noting that many of the most consequential cloud and AI vulnerabilities never receive a CVE identifier at all, placing them entirely outside the formal disclosure system. This matters because the entire architecture of enterprise vulnerability management — budgets, board reporting, cyber insurance underwriting, compliance frameworks — is organised around CVEs and the monthly Patch Tuesday cadence.

That architecture assumed the attack surface was made of software running on machines operated by humans. It is no longer.

One token to own them all

The report highlights a vulnerability that shows what is now at stake. CVE-2025-55241, a critical flaw in Microsoft's Azure Entra ID identity service, could have allowed an attacker to impersonate any user in any organisation's tenant, including Global Administrators. Microsoft assigned it the maximum CVSS score of 10.0 and patched it in July 2025. There is no indication it was exploited in the wild.

The more troubling detail is that exploitation would have left no logs in the victim's tenant. An attacker finding this flaw before Microsoft did would have had a master key to the identity layer of countless enterprises, with no forensic trail to follow. The vulnerability was caused by older cloud components and unusual token flows that most administrators never see day to day, sitting in the plumbing of the identity system rather than in any application users interact with.

Alongside CVE-2025-55241, the report documents CVE-2025-32711, known as EchoLeak — a zero-click vulnerability in Microsoft 365 Copilot that allowed confidential data to be leaked through AI model manipulation with no user interaction required. Together these flaws describe a new class of enterprise risk: vulnerabilities in the systems that define trust itself, exploitable through the autonomous AI agents that increasingly operate on top of them.

The ghost in the machine

BeyondTrust frames this expanding attack surface as "the ghost in the machine" — the population of non-human identities that now outnumber human users by orders of magnitude in most enterprise environments, and that hold privileges rarely scrutinised with the rigour applied to human accounts.

"Non-human identities are no longer a side issue," said David Morimanno, Field CTO at Xalient, in commentary contributed to the report. "Service accounts, automation, API-driven workloads, service principals, and now AI agents are becoming active participants in business operations. The problem is that many organisations still govern them like background plumbing instead of treating them as identities with access, authority, and risk."

The properties that make these identities useful to businesses — always-on execution, broad connectivity, privileged access — are the same properties that make them attractive to attackers. They often rely on long-lived credentials, rarely have multi-factor authentication equivalents, are almost never monitored for unusual behaviour, and frequently carry excessive privilege accumulated over time without review.
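The traits described above (long-lived credentials, missing monitoring, privilege accumulated without review) can be checked mechanically against an identity inventory. The following is an added example, not code from the BeyondTrust report; the `NHI` schema, the thresholds, the privileged role set and the sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Assumed policy values for this example (not taken from the report).
MAX_CREDENTIAL_AGE_DAYS = 90
MAX_REVIEW_AGE_DAYS = 180
PRIVILEGED_ROLES = {"Global Administrator", "Owner", "Contributor"}

@dataclass
class NHI:                              # one non-human identity (hypothetical schema)
    name: str
    kind: str                           # service account, service principal, AI agent
    credential_issued: date
    credential_expires: "date | None"   # None means the secret never expires
    roles: set                          # roles currently assigned
    roles_used: set                     # roles actually exercised since the last review
    monitored: bool                     # activity alerting exists for this identity
    last_review: "date | None"          # None means access was never reviewed

def audit(nhi, today):  # returns the governance findings for one identity
    findings = []
    age = (today - nhi.credential_issued).days
    if nhi.credential_expires is None or age > MAX_CREDENTIAL_AGE_DAYS:
        findings.append("long-lived credential")
    standing = sorted(nhi.roles & PRIVILEGED_ROLES)
    if standing:
        findings.append("standing privileged role: " + ", ".join(standing))
    unused = sorted(nhi.roles - nhi.roles_used)
    if unused:
        findings.append("assigned but unused: " + ", ".join(unused))
    if not nhi.monitored:
        findings.append("no behavioural monitoring")
    if nhi.last_review is None or (today - nhi.last_review).days > MAX_REVIEW_AGE_DAYS:
        findings.append("access review missing or stale")
    return findings

# Constructed sample inventory; names, roles and dates are illustrative only.
TODAY = date(2025, 6, 1)
INVENTORY = [
    NHI("svc-backup", "service account", date(2023, 1, 10), None, {"Owner"}, set(), False, None),
    NHI("sp-deploy", "service principal", date(2025, 4, 15), date(2025, 7, 14),
        {"Contributor", "Reader"}, {"Reader"}, True, date(2024, 9, 1)),
    NHI("agent-helpdesk", "AI agent", date(2025, 5, 20), date(2025, 6, 19),
        {"Ticket Reader"}, {"Ticket Reader"}, True, date(2025, 4, 1)),
]

def report(inventory=INVENTORY, today=TODAY):  # name -> findings, most findings first
    results = {n.name: audit(n, today) for n in inventory}
    return dict(sorted(results.items(), key=lambda kv: -len(kv[1])))
```

In a real environment the inventory would be exported from the identity provider and the "roles used" set derived from sign-in and activity logs.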

Katie Moussouris, founder and CEO of Luta Security, put the governance gap in sharper terms. "Most organisations would not give a new employee standing admin access with no monitoring and no lifecycle governance. That is exactly what they are doing with agentic AI today."

Patching is no longer a strategy

The report is unusually direct on a point that much of the security industry has been reluctant to say plainly: patching alone is no longer sufficient.

"Patching is essential, but it is not a security strategy by itself," Morimanno said. "If privilege is excessive, trust is assumed, and access paths remain overexposed, then a patched environment can still be an insecure environment."

Sami Laiho, Senior Technical Fellow at Adminize and a Microsoft MVP, reached a similar conclusion. "The true risk in modern environments is not the presence of vulnerabilities, but the presence of unnecessary privilege. Organisations that continue to prioritise patching without addressing privilege will find themselves repeatedly exposed to the same attack patterns."

The argument running through the report is that vulnerability management as a discipline needs to be restructured around identity and privilege rather than CVEs. Elevation of Privilege is the dominant vulnerability category for a reason — attackers are not seeking access, they are seeking the power to act as trusted identities once inside. Whether that identity belongs to a human employee, a service account, or an autonomous AI agent is increasingly beside the point.

Removing local administrator rights has historically mitigated around 75% of Microsoft's critical vulnerabilities, according to the report. The principle of least privilege — granting identities only the access they genuinely need — remains one of the few controls that consistently reduces impact across known and unknown attack vectors. Applying it rigorously to non-human and AI identities, the report argues, is now the defining security challenge.

The compressing window

Bradley Smith, SVP and Deputy CISO at BeyondTrust, framed the urgency in operational terms. "Critical vulnerabilities doubled year over year. Elevation of Privilege continues to dominate at 40% of all vulnerabilities. Cloud identity flaws like CVE-2025-55241 demonstrate that a single compromised identity can collapse trust boundaries across an entire tenant. And yet, the dominant response from most organisations remains the same: patch when we can, budget when we must, act when something breaks. We have to stop betting that the breach will happen to someone else first."

Smith pointed to a tightening of the exploitation window from two directions. AI is accelerating how quickly attackers can weaponise newly disclosed vulnerabilities. Geopolitical tension is expanding the set of adversaries actively targeting enterprise identity infrastructure. "The gap has never been knowledge," he said. "It has always been the willingness to act on what we already know, before the incident forces the decision."

Jane Frankland MBE, founder of the IN Security Movement, argued that the data the report captures today is only the beginning of what is coming. "The data doesn't yet capture this, but it will. AI agents inherit identity, access, and privilege. Most are being deployed without the governance rigour we apply to human accounts."

What readers should take away

For businesses, the practical conclusion is uncomfortable. An organisation can be fully patched, fully compliant, and fully insured while carrying risks it has no instrument to measure. The 467% surge in enterprise AI agents means most companies now have a population of autonomous software identities inside their systems that they have not inventoried, cannot monitor, and did not design governance for. The 9x rise in critical Azure vulnerabilities means the cloud layer where those identities authenticate is producing record numbers of the most severe flaws. The limits of the CVE disclosure system, the 73% gap between NVD and Microsoft scoring, and the growing class of uncatalogued cloud and AI vulnerabilities mean the usual warning systems cannot be relied upon.

The real attack surface is no longer the software a business runs. It is the identities — human, machine, and increasingly agentic — that operate inside it. The question is no longer whether organisations will be breached through that surface. It is whether they will know when it happens.
