From Chaos to Resilience: The Collins Aerospace MUSE Cyberattack

30 September, 2025 | Miscellanea

On 19 September 2025 a cyber intrusion against Collins Aerospace’s MUSE passenger-processing platform forced major European airports to revert to pen-and-paper operations. This report explains what happened, why it mattered, and the practical steps airports, airlines and vendors must take to avoid a repeat.

What happened — the operational shock

On 19 September 2025, a sophisticated cyber incident targeted the MUSE family of passenger-processing products from Collins Aerospace (often referred to as cMUSE or vMUSE). The attack disrupted automated check-in kiosks, bag-drop interfaces and gate boarding systems at several high-throughput airports — including London Heathrow, Brussels and Berlin Brandenburg — causing long queues, delays, multiple cancellations and temporary diversions.

Reports from industry intelligence firms and press outlets indicate the outage forced airports into manual fallback mode for hours, demonstrating how a single vendor outage can cascade into systemic operational disruption across carriers and terminals.

What is MUSE — and how it differs from airline PSS platforms

MUSE is a common-use passenger processing system (CUPPS). Its role is to enable shared terminal infrastructure — kiosks, counters and boarding gates — to be used by multiple airlines. That contrasts with a Passenger Service System (PSS) such as Navitaire (part of Amadeus), which focuses on airline commerce: reservations, ticketing, merchandising and revenue management.

In short: MUSE runs the physical passenger flow at the airport; Navitaire runs airline commercial systems. Both are critical, but they live at different layers of the travel stack — and a failure in the CUPPS layer can immediately affect thousands of passengers standing at kiosks and boarding gates.

| Aspect | MUSE / cMUSE / vMUSE | Navitaire |
|---|---|---|
| Primary function | Common-use passenger processing (check-in, kiosks, bag-drop, boarding gates) | Passenger Service System (PSS): reservations, ticketing, merchandising, revenue mgmt |
| Primary users | Airports and terminal operators; airlines using shared infrastructure | Airlines |
| Deployment model | On-premises or cloud; CUPPS-compliant integrations | Cloud-native, API-driven PSS |
| Typical interfaces | Kiosks, printers, biometric readers, gate systems (CUTE/CUPPS standards) | Distribution APIs, NDC, EDIFACT, REST for commerce and booking |
| Operational risk | Single point of failure at terminal level: immediate physical passenger impact | Business continuity, revenue loss and check-in integrity if integrated with airport systems |

Anatomy of the attack

Intelligence collected by several security firms points to a supply-chain compromise pattern: an initial intrusion into the vendor environment, followed by propagation to tenant airports. Threat actor attribution remains unsettled (analysts have proposed motives and capabilities ranging from hacktivist disruption to ransomware sabotage and state-sponsored operations), but the common techniques map to the MITRE ATT&CK framework: supply-chain compromise (T1195), phishing (T1566), lateral movement, and service stop (T1489).

Immediate operational outcomes observed:

  • Extended processing times at check-in and boarding points.
  • Multiple cancellations, diversions and delays at affected airports.
  • Use of pen-and-paper logs to maintain continuity.

Where MUSE and Navitaire sit in the travel stack

[Figure: MUSE and Navitaire travel stack]

Practical recommendations (operational & technical)

  1. Regular fallback drills: execute realistic manual check-in and boarding exercises with carriers and ground staff; test timelines and communication plans.
  2. Vendor risk governance: include rigorous cybersecurity SLAs, independent audits and mandatory breach notification windows in contracts with CUPPS/PSS vendors.
  3. Network segmentation: isolate CUPPS infrastructure from general corporate networks and strictly control vendor remote access with phishing-resistant MFA and jump hosts.
  4. Immutable backups: maintain offline, write-once backups for critical configurations and assets to enable restoration after ransomware or destructive attacks.
  5. Active threat hunting: monitor for credential leaks, suspicious admin logins and dark-web chatter tied to airport assets or vendor services.
  6. Staff training: ensure front-line staff know escalation paths and have quick reference procedures for manual operation modes.

Technical table: suggested compatibility & interface checklist

| Component | Protocol / Standard | Security Controls | Notes |
|---|---|---|---|
| CUPPS / MUSE endpoints | CUPPS / CUTE, SOAP/REST for vendor APIs | Mutual TLS, client certs, strong MFA for admin access | Segmented VLANs; restrict source IPs for vendor management |
| Kiosks & Gate HW | Proprietary device protocols; SSH/SNMP for management | Device hardening, signed firmware, tamper detection | Least-privilege networks; offline functional fallbacks |
| PSS (Navitaire) | NDC, EDIFACT, REST APIs | API gateways, WAF, rate limits, per-client credentials | Use service accounts per airline; rotate keys often |
| Admin & Vendor access | RDP/SSH, VPN, vendor portals | Privileged access management, just-in-time access, session recording | Avoid permanent standing admin accounts |
| Telemetry & Detection | Syslog, EDR, SIEM integration | Centralized logging, long retention, anomaly detection | Correlate vendor telemetry with airport telemetry |
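
The vendor-access controls above (jump hosts, phishing-resistant MFA, just-in-time access) only help if logins that bypass them are detected. The following is an added example, not code from RELIANOID or Collins Aerospace: a small hunt over admin-login events that flags each violation. The log format, account names, host names, jump-host subnet and JIT grant records are all assumptions constructed for illustration.

```python
import ipaddress
from datetime import datetime

# Hypothetical policy values (constructed, not from the article).
JUMP_HOSTS = ipaddress.ip_network("10.50.0.0/28")   # only approved source range
PHISHING_RESISTANT = {"fido2", "piv"}               # accepted MFA methods
# Just-in-time grants: account -> approved (start, end) windows.
JIT_GRANTS = {
    "vendor-ops1": [("2025-09-19T08:00:00", "2025-09-19T10:00:00")],
}

# Constructed sample events: "timestamp account src_ip mfa_method target"
SAMPLE_LOG = """\
2025-09-19T08:15:02 vendor-ops1 10.50.0.4 fido2 cupps-admin-01
2025-09-19T23:41:17 vendor-ops1 10.50.0.4 fido2 cupps-admin-01
2025-09-19T09:02:44 vendor-ops2 203.0.113.77 sms cupps-admin-02
2025-09-19T09:30:00 vendor-ops1 10.20.3.9 fido2 gate-ctrl-07
"""

def parse(line):
    ts, account, src, mfa, target = line.split()
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "src": ipaddress.ip_address(src), "mfa": mfa, "target": target}

def in_jit_window(account, ts):
    # Accounts with no grant at all are treated as standing access.
    return any(datetime.fromisoformat(s) <= ts <= datetime.fromisoformat(e)
               for s, e in JIT_GRANTS.get(account, []))

def findings(event):
    reasons = []
    if event["src"] not in JUMP_HOSTS:
        reasons.append("bypassed_jump_host")
    if event["mfa"] not in PHISHING_RESISTANT:
        reasons.append("weak_mfa")
    if not in_jit_window(event["account"], event["ts"]):
        reasons.append("no_jit_grant")
    return reasons

def hunt(log_text):
    alerts = []
    for line in filter(str.strip, log_text.splitlines()):
        ev = parse(line)
        reasons = findings(ev)
        if reasons:
            alerts.append((ev["ts"].isoformat(), ev["account"], ev["target"], reasons))
    return alerts

if __name__ == "__main__":
    for alert in hunt(SAMPLE_LOG):
        print(alert)
```

In a real deployment the same three checks would run as SIEM correlation rules fed by the PAM system's grant records rather than a static dictionary.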

How RELIANOID helps secure these applications

Vendor diligence is necessary but not sufficient. RELIANOID’s Application Delivery Controller (ADC) offers a layered protection model that augments vendor hardening: advanced load balancing to absorb and distribute traffic spikes, integrated Web Application Firewall (WAF) rules to block common application-layer attacks, SSL/TLS termination and inspection to detect malicious payloads, and DDoS mitigation to preserve availability during volumetric incidents. Deployed in front of CUPPS endpoints or airline PSS (such as Navitaire), RELIANOID can implement strict access policies, rate limiting, and health-check-driven failover — turning single-vendor outages into manageable incidents rather than systemic shutdowns. Check our technical article about load balancing these applications and RELIANOID use cases in the field.

Conclusion

The September 2025 disruption that moved airports “from MUSE to manual” is a stark reminder that digitization concentrates operational risk. Aviation’s reliance on third-party platforms requires industrywide coordination: routine fallback testing, contractual security guarantees, segmented architecture and resilient infrastructure. With a combination of operational preparedness and technical controls — including ADCs, WAFs, immutable backups and strong access governance — airports and airlines can reduce the odds that a single vendor breach becomes a continent-wide travel crisis.
