European airport software attack and zero-days are here
This week in security, September 21 – 27, 2025. Editor: Lior. Notable news from the internet. The most interesting news over the past week was a cyberattack targeting Collins Aerospace's check-in software that caused widespread disruptions across major European airports including Heathrow, Brussels, and Berlin, leading to delays, cancellations, and a fallback to manual processes. The incident, confirmed as a ransomware attack by the EU cybersecurity agency (ENISA), highlighted the fragility of centralized aviation infrastructure. Investigations are ongoing, with one individual arrested in connection with the attack.
European airport software attack
What is it about
A cyberattack disrupted automatic check-in, boarding-pass issuance, and baggage dispatch systems at several major European airports. The affected software was provided by Collins Aerospace (an RTX subsidiary), and the attack left many airports resorting to manual operations (handwritten boarding passes, use of laptops, etc.).
Details
The attack began late on Friday and continued through the weekend, causing delays, cancellations, and major disruptions at airports including London Heathrow, Brussels, Berlin and Dublin, among others. Brussels Airport canceled dozens of flights (60 out of ~550) and switched to iPads and laptops for check-in. Berlin faced longer queues and delays, compounded by the Berlin Marathon increasing passenger volume. The EU cybersecurity agency (ENISA) confirmed the disruption was due to a ransomware incident targeting Collins Aerospace’s MUSE check-in systems. An individual was arrested in the UK (West Sussex) in connection with the attack on suspicion of computer misuse offences; he has been released on conditional bail. Authorities assert that aviation safety systems (e.g. air traffic control) were not compromised; only the passenger-processing systems were affected. Investigations remain ongoing. The attack underscores the vulnerability of centralized infrastructure and third-party dependencies in aviation: one shared vendor system was a common point of failure for several airports at once.
Link
“European airports work to bring check-in back to normal after cyberattack” (Reuters)
Also: “Ransomware attack behind widespread airport disruptions, EU agency says” (Computing)
Fortra GoAnywhere MFT exploited as zero-day, CVE-2025-10035
What is it about
A critical vulnerability (CVE-2025-10035) in Fortra’s GoAnywhere Managed File Transfer (MFT) software was actively exploited as a zero-day before the vendor publicly disclosed it. The flaw lies in the License Servlet and allows command injection via unsafe deserialization when the attacker can present a forged license-response signature.
Details
The vulnerability is a deserialization flaw in the License Servlet: an attacker who can forge a valid license-response signature can make the servlet deserialize attacker-controlled objects, which yields command injection. Fortra patched it on September 18, 2025, in 7.8.4 and in 7.6.3 on the sustain branch. However, security firm watchTowr reports credible evidence that exploitation began around September 10, eight days before the patch and public advisory. In observed attacks, threat actors used the flaw without authentication to create a backdoor admin account, then used that access to upload further payloads. The exploit chain may involve more than one bug: Rapid7 suggests three distinct issues are chained (an access-control bypass, the deserialization flaw, and a mechanism that gives the attacker knowledge of a private key). Over 20,000 GoAnywhere MFT instances are exposed to the internet, raising the stakes of widespread impact. Mitigations recommended:
- Immediately restrict or block public internet access to the Admin Console, the surface through which the License Servlet is reached.
- Apply the patch (7.8.4, or 7.6.3 on the sustain branch).
- Monitor logs for signs of exploitation, especially exceptions referencing SignedObject.getObject, and audit Admin Console user accounts for additions you did not make.
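Two of those mitigations are mechanical enough to script. The block below is an added example, not Fortra's code and not from the advisory: it classifies an installed GoAnywhere version against the fixed builds named above (the rule that every build older than the fix on the 7.6 and 7.8 branches, and every build on branches with no fixed release, is vulnerable is our reading of the advisory, not a quote from it), and it scans a log for the SignedObject.getObject indicator. The log excerpt, the Java class names in the stack trace and the "admin-go" account are constructed for the example.

```python
"""Added example (not Fortra's code and not from the page): two checks for
CVE-2025-10035 triage.

1. Version rule: the page says fixes shipped as 7.8.4 and as 7.6.3 on the
   sustain branch. Treating anything older on those two branches, and every
   build on branches that have no fixed release (7.7.x, anything below 7.6),
   as vulnerable is our reading of that statement, not a quote from Fortra.
2. Log indicator: the advisory points at exceptions that mention
   SignedObject.getObject. The log excerpt below is constructed for this
   example; only the substring match is meant to transfer to real logs.
"""
import re
from dataclasses import dataclass
from typing import Iterable

# (major, minor) -> first fixed build on that branch (from the advisory as summarised above)
FIXED = {(7, 8): (7, 8, 4), (7, 6): (7, 6, 3)}
LATEST_FIX = (7, 8, 4)


def parse_version(s: str) -> tuple[int, int, int]:
    """'7.8.3' -> (7, 8, 3); ignores trailing build tags such as '7.8.3-2'."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", s.strip())
    if not m:
        raise ValueError(f"unrecognised GoAnywhere version: {s!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_vulnerable(version: str) -> bool:
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    if fixed is not None:
        return v < fixed          # 7.6.x and 7.8.x compare against their own fix
    return v < LATEST_FIX         # 7.7.x and older branches: no fixed build (assumption)


@dataclass
class Hit:
    line_no: int
    timestamp: str   # timestamp of the log record the line belongs to
    text: str


IOC = "SignedObject.getObject"
_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2})")


def scan_log(lines: Iterable[str]) -> list[Hit]:
    """Flag every line mentioning the IOC. Stack-trace continuation lines carry
    no timestamp of their own, so the last record timestamp is carried forward."""
    hits, last_ts = [], "?"
    for n, line in enumerate(lines, 1):
        m = _TS.match(line)
        if m:
            last_ts = m.group(1)
        if IOC in line:
            hits.append(Hit(n, last_ts, line.strip()))
    return hits


# Constructed sample log, not output from a real GoAnywhere instance.
SAMPLE_LOG = """\
2025-09-10 03:12:44 INFO  LicenseServlet  license response received from 198.51.100.7
2025-09-10 03:12:45 ERROR LicenseServlet  java.lang.ClassCastException
    at java.base/java.security.SignedObject.getObject(SignedObject.java)
    at com.example.mft.LicenseServlet.doPost(LicenseServlet.java)
2025-09-10 03:13:02 INFO  AdminService    user 'admin-go' created by 'system'
2025-09-11 09:00:00 INFO  Scheduler       nightly cleanup finished
""".splitlines()

if __name__ == "__main__":
    for ver in ("7.6.2", "7.6.3", "7.7.1", "7.8.3", "7.8.4"):
        print(f"{ver:<8} vulnerable={is_vulnerable(ver)}")
    for h in scan_log(SAMPLE_LOG):
        print(f"line {h.line_no} @ {h.timestamp}: {h.text}")
```

The timestamp carry-forward matters in practice: the getObject frame sits on an indented continuation line, so a naive grep gives you the match but not the time of the request that triggered it, which is what you need to correlate with the admin-account creation that follows.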
Link
“Recent Fortra GoAnywhere MFT Vulnerability Exploited as Zero-Day” (SecurityWeek)
Also: Fortra’s advisory “FI-2025-012 – Deserialization Vulnerability in GoAnywhere MFT’s License Servlet” (Fortra)
Cisco patches zero-day in routers/switches (CVE-2025-20352)
What is it about
Cisco issued patches for a zero-day vulnerability in its IOS / IOS XE software (used in routers and switches). The flaw lies in the SNMP subsystem and is already being exploited in the wild.
Details
The vulnerability is CVE-2025-20352 (CVSS 7.7), a stack overflow in the SNMP subsystem, triggered by a crafted SNMP packet sent to the device. Both outcomes require SNMP access in the first place: a low-privileged attacker holding an SNMPv1/v2c read-only community string or valid SNMPv3 credentials can crash the device (DoS); an attacker who additionally holds high-privilege (administrator) credentials on the device can get remote code execution as root.
Affected devices include Meraki MS390 and Cisco Catalyst 9300 switches (running Meraki CS 17) and other platforms running vulnerable IOS / IOS XE releases.
Cisco patched 14 vulnerabilities in this release round, but this one was explicitly confirmed to be under active exploitation.
Cisco recommends immediate patching; no workaround that fully removes the flaw was indicated. Until the patch is on, the practical interim step is to limit who can speak SNMP to the device at all: bind every community and SNMPv3 group to an ACL naming only the management hosts, and retire v1/v2c communities.
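Because reaching the bug needs SNMP credentials, the interim control is the SNMP exposure in the running-config. The block below is an added example, not Cisco's code and not from the page: a small linter for the snmp-server lines of an IOS / IOS XE configuration that flags v1/v2c communities, read-write communities, v3 groups below the priv level, and communities or groups with no ACL or with an ACL that is never defined. Both config excerpts are constructed; the keywords (snmp-server community, snmp-server group ... v3 ... access, access-list, ip access-list standard) are the standard IOS forms, and community lines carrying a view name are not parsed.

```python
"""Added example (not Cisco's code and not from the page): a small linter for
the SNMP lines of an IOS / IOS XE running-config, written for the interim
hardening around CVE-2025-20352. Reaching the SNMP subsystem needs a community
string or SNMPv3 credentials, so until the device is patched every community
and v3 group should be gated by an ACL naming only the management hosts, and
v1/v2c communities should go away. The config excerpts are constructed; the
IOS keywords are the standard 'snmp-server community' / 'snmp-server group'
/ 'access-list' / 'ip access-list' forms. Community lines that carry a view
name are not parsed here.
"""
import re
from typing import Optional

# Constructed "before" excerpt, not from a real device.
WEAK_CONFIG = """\
snmp-server community public RO
snmp-server community s3cret RW 10
snmp-server community legacy RO 20
snmp-server group NETMON v3 auth
snmp-server group NETMON-ACL v3 priv access MGMT-ONLY
access-list 10 permit 192.0.2.10
access-list 10 deny   any log
ip access-list standard MGMT-ONLY
 permit 192.0.2.0 0.0.0.255
 deny   any log
"""

# Constructed "after" excerpt: SNMPv3 priv only, ACL-bound.
HARDENED_CONFIG = """\
ip access-list standard MGMT-ONLY
 permit 192.0.2.0 0.0.0.255
 deny   any log
snmp-server group NETMON v3 priv access MGMT-ONLY
"""

ACL_DEF = re.compile(r"^(?:access-list (\d+)\b|ip access-list (?:standard|extended) (\S+))")
COMMUNITY = re.compile(r"^snmp-server community (\S+)(?: (RO|RW))?(?: (\S+))?\s*$")
GROUP = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)(?: access (\S+))?\s*$")


def lint_snmp(config: str) -> list[tuple[str, str]]:
    """Return (subject, issue) pairs. Issues: v1v2c, rw, weak-level, no-acl, undefined-acl."""
    lines = config.splitlines()
    acls = set()
    for line in lines:                      # pass 1: which ACLs exist at all
        m = ACL_DEF.match(line)
        if m:
            acls.add(m.group(1) or m.group(2))

    findings: list[tuple[str, str]] = []

    def check_acl(subject: str, acl: Optional[str]) -> None:
        if acl is None:
            findings.append((subject, "no-acl"))
        elif acl not in acls:
            findings.append((subject, "undefined-acl"))

    for line in lines:                      # pass 2: SNMP statements
        m = COMMUNITY.match(line)
        if m:
            name, mode, acl = m.group(1), m.group(2) or "RO", m.group(3)  # IOS default is RO
            subject = f"community {name}"
            findings.append((subject, "v1v2c"))
            if mode == "RW":
                findings.append((subject, "rw"))
            check_acl(subject, acl)
            continue
        m = GROUP.match(line)
        if m:
            name, level, acl = m.groups()
            subject = f"group {name}"
            if level != "priv":
                findings.append((subject, "weak-level"))
            check_acl(subject, acl)
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {lint_snmp(cfg) or 'no findings'}")
```

The undefined-acl case is worth keeping in the output: a community that names an ACL which was later deleted looks protected when you eyeball the snmp-server lines, so the linter resolves the reference instead of trusting that a name is present.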
Link
“Cisco Patches Zero-Day Flaw Affecting Routers and Switches” (SecurityWeek)
Spoofed IC3 website warning by FBI
What is it about
The FBI warned that cybercriminals are creating spoofed versions of its Internet Crime Complaint Center (IC3) website to trick users into entering personal or financial data. The fake sites mimic the IC3 portal to capture information rather than lodge a legitimate complaint.
Details
These spoofed sites often use slight modifications of the legitimate domain (e.g. alternate spellings, different top level domains) to fool victims.
Users seeking to report cybercrime may be lured to the fraudulent sites and enter sensitive data (name, address, bank details, etc.).
The FBI’s PSA states that IC3 never asks for payment or uses third parties to recover lost funds, and that it does not maintain social media accounts, which helps distinguish genuine from fake.
Recommended precautions:
- Access the IC3 site manually by typing www.ic3.gov rather than going through search results.
- Avoid clicking sponsored links that appear in search engine results. Verify that the host name in the address bar is ic3.gov (or a subdomain of it such as www.ic3.gov), not merely that “.gov” appears somewhere in the URL.
- Do not share personal or financial data unless you have confirmed the website is legitimate.
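The "ends with .gov" advice is only safe when applied to the host name and anchored on the registered domain. The block below is an added example, not the FBI's code and not from the PSA: naive_ends_with_gov() is the literal reading of the advice, is_ic3() is the check a practitioner would actually trust, and the candidate list shows where the two disagree. Every candidate URL except the ic3.gov and www.ic3.gov hosts is constructed for the example, including the paths.

```python
"""Added example (not the FBI's code and not from the page): check whether a
URL actually points at the IC3 portal. The advice "verify the URL ends with
.gov" only works if it is applied to the host name and anchored on the
registered domain ic3.gov; applied to the whole URL string it passes
lookalikes. naive_ends_with_gov() is that literal reading, is_ic3() the
check we would actually trust. Every candidate URL below except the ic3.gov
hosts is constructed for this example.
"""
from urllib.parse import urlsplit

LEGIT_DOMAIN = "ic3.gov"


def naive_ends_with_gov(url: str) -> bool:
    """The advice taken literally: does the URL string end in '.gov'?"""
    return url.strip().lower().rstrip("/").endswith(".gov")


def is_ic3(url: str) -> tuple[bool, str]:
    """Return (ok, reason). ok only for https to ic3.gov or a subdomain of it."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")   # hostname drops userinfo, port, case
    except ValueError as e:
        return False, f"unparseable URL ({e})"
    if not host:
        return False, "no host component"
    if parts.scheme != "https":
        return False, f"scheme is {parts.scheme!r}, not https"
    if host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN):
        return True, f"host {host} is {LEGIT_DOMAIN} or a subdomain of it"
    # Lookalike heuristic: squash punctuation so ic3-gov.com, ic3.gov.example,
    # user@host tricks and ic3.gov in the path all surface the same way.
    squashed = "".join(c for c in url.lower() if c.isalnum())
    if "ic3gov" in squashed:
        return False, f"looks like {LEGIT_DOMAIN} but the real host is {host}"
    return False, f"host {host} is not under {LEGIT_DOMAIN}"


# Constructed candidates; only the ic3.gov / www.ic3.gov hosts are real.
CANDIDATES = [
    "https://www.ic3.gov/",
    "https://ic3.gov/some/page",
    "http://www.ic3.gov/",
    "https://www.ic3.gov.example/",
    "https://ic3-gov.com/",
    "https://evil.example/www.ic3.gov",
    "https://www.ic3.gov@evil.example/",
    "https://ic3.org/",
]

if __name__ == "__main__":
    for u in CANDIDATES:
        ok, why = is_ic3(u)
        print(f"{'OK  ' if ok else 'FAIL'} naive={naive_ends_with_gov(u)!s:5} {u}  ({why})")
```

Two of the constructed candidates make the point on their own: https://evil.example/www.ic3.gov passes the naive check and fails the real one, while https://www.ic3.gov/some/page fails the naive check and passes the real one, so "ends with .gov" on the raw string is wrong in both directions.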
Link
“FBI Warns of Spoofed IC3 Website” (SecurityWeek)
Also the FBI’s official PSA: “Threat Actors Spoofing the FBI IC3 Website” (Internet Crime Complaint Center)