From airport check-in outages to identity vulnerabilities and AI-driven exploits, this month’s threats highlight the impact of supply-chain compromise and the speed at which new threats emerge. Our SOC team spotlights these threats and the actions needed to stay secure.
Headlines:
- Supply-chain attack on airport check-in software
- Entra ID vulnerability allowed global admin takeover across tenants
- Zero-click prompt injection steals Microsoft 365 Copilot data
- AI generates working CVE exploits in 15 minutes
- ICO issues new cyber hygiene guidance for SMBs
- State-linked actors escalate identity and supply-chain attacks
Collins Aerospace cyberattack hits airport check-in systems
A cyberattack against Collins Aerospace’s Muse check-in/boarding software forced manual processing and caused delays and cancellations across several European airports from Fri 19 Sep into Mon 22 Sep. Heathrow, Brussels, Berlin, and Dublin reported disruption while Collins worked through recovery. ENISA confirmed the incident; NCSC coordinated with UK entities.
What’s the risk?
- Compromise of a key supplier can provide attackers with indirect access to sensitive systems.
- Disruption at one provider can ripple across the wider supply chain.
- State-linked actors are known to exploit such dependencies to bypass more secure primary targets.
Recommended actions:
Action point: Assure and test your critical third-party operational dependencies, and demand vendor remediation evidence now.
Entra ID flaw allowed global admin takeover across tenants
A critical vulnerability (CVE-2025-55241) in Entra ID’s legacy Azure AD Graph API combined with undocumented “Actor tokens” could have enabled attackers to impersonate any user, including Global Admins, in every Entra ID tenant worldwide. These tokens bypassed Conditional Access, left no useful logs, and granted full tenant-level control. Microsoft patched the flaw within days of disclosure and has since blocked requests for Actor tokens in Graph API calls.
What’s the risk?
- Actor tokens could be used to gain unrestricted access to tenant data and settings.
- Tokens bypassed MFA and Conditional Access, leaving no tenant-side logs.
- Exploitation could escalate to full compromise of Microsoft 365, Azure, and connected apps.
Recommended actions:
Action point: Audit for legacy Graph API dependencies and treat Actor-token style flaws as systemic risk.
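As an added example (not from this bulletin or from Microsoft), a KQL query for Microsoft Sentinel / Log Analytics that inventories which apps and service principals in your tenant still obtain tokens for the legacy Azure AD Graph API, identified by its well-known application ID 00000002-0000-0000-c000-000000000000; it assumes the SigninLogs and AADServicePrincipalSignInLogs tables are being ingested. Because the bulletin notes that Actor-token abuse left no tenant-side logs, this query finds your own dependencies on the deprecated API, not the exploit itself.

```kql
// Constructed example: inventory callers of the legacy Azure AD Graph API.
// 00000002-0000-0000-c000-000000000000 is the well-known app ID of Azure AD Graph
// (resource display name "Windows Azure Active Directory");
// Microsoft Graph, the supported replacement, is 00000003-0000-0000-c000-000000000000.
let legacyGraphAppId = "00000002-0000-0000-c000-000000000000";
let lookback = 30d;
// User sign-ins (interactive and non-interactive) that received a token for the legacy resource
let userCalls = SigninLogs
| where TimeGenerated > ago(lookback)
| where ResourceIdentity == legacyGraphAppId
| summarize SignIns = count(),
            LastSeen = max(TimeGenerated),
            DistinctPrincipals = dcount(UserPrincipalName)
    by AppDisplayName, AppId
| extend PrincipalType = "user";
// App-only sign-ins by service principals against the same resource
let spCalls = AADServicePrincipalSignInLogs
| where TimeGenerated > ago(lookback)
| where ResourceIdentity == legacyGraphAppId
| summarize SignIns = count(),
            LastSeen = max(TimeGenerated),
            DistinctPrincipals = dcount(ServicePrincipalId)
    by AppDisplayName = ServicePrincipalName, AppId
| extend PrincipalType = "service principal";
// One list to drive remediation: highest-volume dependencies first
union userCalls, spCalls
| project AppDisplayName, AppId, PrincipalType, SignIns, DistinctPrincipals, LastSeen
| order by SignIns desc
```

Each row is an application to migrate to Microsoft Graph or retire; an empty result over a 30-day window is the evidence you want before Microsoft's retirement of the legacy API removes the dependency for you.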
EchoLeak: zero-click prompt injection steals Copilot data
A zero-click prompt-injection vulnerability (CVE-2025-32711, “EchoLeak”) allowed remote, unauthenticated exfiltration from Microsoft 365 Copilot via a single crafted email. Researchers published a detailed case study showing how multiple bypasses were chained to evade Copilot’s protections.
What’s the risk?
- Attackers can exfiltrate sensitive org data without user interaction, crossing LLM trust boundaries and bypassing filters that assume user consent.
- EchoLeak demonstrates prompt injection is now a practical, high-severity class of vulnerability for production AI copilots.
Recommended actions:
Action point: Patch Copilot, audit LLM connectors, and deploy LLM-specific controls now. Zero-click exploits are real and exploitable in production.
AI turns CVEs into exploits in 15 minutes
Researchers have shown that AI systems can automatically generate working exploits for newly disclosed CVEs in just 10–15 minutes, at a cost of about $1 per exploit. The pipeline analyses advisories and patches, builds test apps, and validates exploit code in sandboxed environments.
What’s the risk?
- The “grace period” between disclosure and exploitation may disappear.
- Attackers could mass-weaponise hundreds of CVEs almost instantly.
- Traditional patch cycles risk being overwhelmed.
Recommended actions:
Action point: Shorten your patching window and treat fresh CVEs as if exploits already exist.
Updated ICO guidance for UK small businesses
The ICO published updated cyber security tips for UK SMBs (17 Sep 2025), emphasising backups, strong passwords, MFA, software updates, and phishing awareness to reduce ransomware and data-loss risk.
What’s the risk?
- SMBs remain exposed to ransomware and credential theft due to patching gaps and weak controls.
Recommended actions:
Action point: Benchmark your SMB controls against the ICO checklist and close gaps within 30 days.
State-linked actors escalate activity and severity
UK commentary highlights increased targeting of the public sector, defence, and critical supply chains by sophisticated actors. The NCSC Annual Review 2024 recorded a tripling of top-end, nationally significant incidents year-on-year, underscoring a trend toward more severe events.
What’s the risk?
- Identity abuse, living-off-the-land, and supply-chain vectors increase the chance of impactful incidents against government and CNI.
Recommended actions:

From Our Blog
Cyber Essentials Plus: How to achieve it and why it matters
Cyber Essentials Plus (CE+) has a habit of sitting on the “to do” list.
Everyone knows it matters, but stretched IT teams, reluctant staff, and competing budgets push it down the queue.
The good news is, it doesn’t need to be a headache. When embedded properly, CE+ streamlines access, reduces helpdesk demand, and improves security scores. More importantly, it creates a culture where controls feel natural, future recertification becomes routine, and resilience grows stronger with each year.
Resources & References
- Story 1: The Guardian / Reuters
- Story 2: Cornell University / The Hacker News
- Story 3: Dirk Jan Mollema / The Hacker News
- Story 4: Valemarelox
- Story 5: ICO
- Story 6: NCSC
Thanks to this month’s contributors from the Kocho SOC team: Adam Febery and James O’Neill.
Stay safe. Stay informed.