Collins Aerospace cyberattack

The Collins Aerospace cyberattack is an attack on vMUSE check-in and boarding software created by Collins Aerospace.^[1][2][3] The attack affects several European airports.^[1][2]

Airports are connected via a platform called vMUSE, which in turn uses a dedicated VPN called ARINC AviNet. ARINC was previously an independent company, but it operated as part of Collins from 2018 until the date of the incident. According to UpGuard, a cybersecurity company, the outage across airports indicates that AviNet was compromised.^[4]

Attack

19 September 2025

Brussels Airport reported that their passengers were being checked-in and boarded manually.^[1] Berlin Brandenburg Airport reported increased waiting times due to the attack.^[1]

RTX Corporation, the parent of Collins Aerospace, said they were "aware of a cyber-related disruption" to their computers in "select airports" and they were trying to resolve the issue.^[1]

20 September 2025

Heathrow Airport reported delays.^[1] British Airways was able to operate with a backup system, but other airlines were affected by the attack on the Muse system.^[1] The National Cyber Security Centre announced they were working with Collins Aerospace on the problem.^[1]

21–22 September 2025

Dublin Airport reported a second day of disruption to the check-in and luggage handling in Terminal 2,^[5] which continued for a third day.^[6] The European Union Agency for Cybersecurity confirmed the attack to be ransomware.^[7][8]

23 September 2025

Dublin Airport operator daa said that there is no timeline for a fix to the problems caused by the attack and that check-in and baggage handling may take longer than usual.^[9]

Dr Richard Browne, director of the National Cyber Security Centre, said "We have all of the technical details from the incident, and we know, or we believe we know, who the actual group is. Precisely where they're based is always going to be interesting and difficult to try and work out" and "The other thing to keep in mind here is that we know the malware strain used. So this is the wholesaler or the reseller of the malware, we don't know who actually conducted the incident."^[9] He also said "This will be an affiliate, basically a customer of the ransomware family and they will go out and actually conduct the incident. Who this group is, we don't know yet."^[9]

29 September 2025

Brussels Airport begin rolling out a replacement system, also by Collins.^[10] This marks the end of a period where 10% of flights were continually cancelled.