A cyber incident at a key passenger processing provider triggered widespread check-in disruptions across several European airports, forcing airlines and ground handlers to revert to manual procedures. Collins Aerospace confirmed a “cyberattack-linked outage” affecting its ARINC SelfServ vMUSE software—technology that underpins self-service kiosks and staffed counters for check-in, bag drop, and boarding pass printing.
What happened: timeline and impact across European airports
The outage began on Friday, 19 September 2025, impacting airports including Berlin, Brussels, and London. With parts of the registration infrastructure unavailable, airport teams switched to manual processing and deployed additional laptops as contingency. The severity varied by location, depending on how many counters and kiosks ran vMUSE and whether fully tested backup procedures and capacity were in place.
Operational disruption: cancellations and delays at Brussels and Heathrow
Brussels Airport asked airlines to cancel about 140 flights on Monday, stating the vendor had not yet provided a “new secure version” of the check-in system. The airport had already canceled 25 flights on Saturday and 50 on Sunday.
According to Flightradar24, 90% of 350 flights at London Heathrow on Sunday were delayed by at least 15 minutes, with six cancellations and an average delay of 34 minutes. On Saturday, a further 13 flights were canceled and most departures experienced delays. The European Commission emphasized that flight safety and air traffic management were not affected, with disruptions confined to ground IT systems supporting passenger processing.
Why vMUSE is a single point of failure in airport IT
ARINC SelfServ vMUSE is a virtualized, multi-tenant platform in the CUTE/CUPPS family that allows multiple airlines to share common counters and kiosks. This improves utilization and reduces cost, but it also concentrates risk: a platform-layer compromise can simultaneously impact many stakeholders. Without robust network segmentation and active/active failover architectures, outages propagate quickly—from longer queues to large-scale cancellations.
Probable attack vectors and supply-chain risk
Attribution remains unknown. Plausible scenarios include a supplier-focused supply-chain compromise, credential theft leading to malicious code deployment, or ransomware targeting critical platform components. The aviation sector has faced analogous events: the SITA Passenger Service System breach (2021) exposed supply-chain fragility, while periodic outages at industry platforms have caused global knock-on delays. European and international guidance, including NIS2 implementation and best practices in NIST SP 800‑161 for supply chain risk management, highlight the need to harden shared platforms and validate the integrity of update channels.
Resilience gaps and effective responses
Manual check-in and boarding pass printing are standard business continuity measures that sustain minimal passenger throughput. However, they sharply reduce capacity and increase error rates. This incident surfaced several bottlenecks: limited isolation of critical registration services, insufficient ready-to-run backup capacity at terminals, and constrained ability to roll back to golden images or switch kiosks to offline, signed, and verified profiles.
Actionable cybersecurity recommendations for airports and airlines
Strengthen third‑party risk governance: mandate periodic audits, red-team exercises, and tabletop simulations; include contractual RTO/RPO, tested rollback plans, and hard requirements for MFA, least privilege, and privileged access management at the vendor. Require cryptographic code signing and integrity verification for software updates, with documented release provenance.
Architect for isolation and recoverability: implement microsegmentation within terminal networks, apply Zero Trust access controls, and enforce application allowlisting for kiosks. Maintain immutable backups, pre-staged “clean” images, and active/active failover where feasible to prevent platform-level single points of failure.
Operational readiness: continually train staff on expedited manual flows, maintain sufficient printers and autonomous workstations, and refine passenger communications and traffic rebalancing between terminals and flights to reduce congestion during extended outages.
The Collins Aerospace incident underscores how a shared, centralized check-in platform can become a systemic chokepoint for the aviation ecosystem. Accelerating architectural upgrades—deeper segmentation, active/active resilience, and stringent vendor cyber requirements—will reduce the probability and impact of the next supply‑chain disruption. Proactive risk management, rooted in tested recovery playbooks and verifiable software integrity, is the shortest path to keeping passengers moving when the platform layer comes under attack.
