The week of September 15-21, 2025 saw unprecedented turbulence in cybersecurity, with major infrastructure attacks, critical vulnerabilities, and evolving ransomware campaigns dominating headlines. The incidents that defined the week represent some of the most sophisticated threats organizations have faced in 2025. This analysis covers the most impactful developments of this volatile period.
Major Cybersecurity Incidents

Jaguar Land Rover Production Shutdown
The most significant industrial cybersecurity incident of the week involved Jaguar Land Rover (JLR), which extended its global production shutdown through at least September 24, 2025. The attack, attributed to the Scattered Lapsus$ Hunters group, exploited a known SAP NetWeaver vulnerability to infiltrate JLR’s internal networks.
The cyberattack’s impact was devastating:
- 39,000 employees affected across global facilities
- Estimated losses of £50-72 million per week
- 2,000 temporary layoffs among suppliers
- Production halt extending beyond three weeks
Security experts identified this as a sophisticated operation involving lateral movement through manufacturing and operational technology systems, with attackers deploying custom ransomware variants tailored to industrial environments.
European Airport Infrastructure Compromised
A cyberattack targeting Collins Aerospace disrupted operations at major European airports throughout the weekend of September 20-21, 2025. The attack affected Collins’ MUSE software, which provides check-in and boarding systems for airlines at airports including:
- Heathrow Airport (London)
- Brussels Airport
- Berlin Brandenburg Airport
Brussels Airport was particularly hard hit, cancelling half of Monday’s scheduled departing flights due to the inability to deliver a secure version of the check-in system. The incident forced airports to resort to manual check-in processes, causing significant delays and passenger inconvenience.
Panama Government Data Breach
The INC Ransom group successfully compromised Panama’s Ministry of Economy and Finance, stealing 1.5 terabytes of sensitive government data. The attack utilized spear phishing and living-off-the-land techniques, employing PowerShell scripts and encrypted cloud channels for data exfiltration.
Critical information compromised included:
- Fiscal policy documents
- Panama Canal revenue data
- Regulatory and sovereignty-sensitive information
FinWise Bank Insider Threat
A significant insider threat incident emerged when FinWise Bank disclosed that a former employee, after leaving the bank, accessed sensitive files containing information on 689,000 customers of American First Finance. This incident highlighted persistent vulnerabilities in post-employment access controls and insider threat management.
Critical Vulnerabilities and Zero-Day Exploits

Microsoft September 2025 Patch Tuesday
Microsoft’s September 2025 security update addressed 84 vulnerabilities, including two publicly disclosed zero-day vulnerabilities and eight critical-severity flaws. The most significant vulnerabilities included:
CVE-2025-54918 – Windows NTLM Elevation of Privilege
- CVSS Score: 8.8
- Allows authenticated attackers to elevate privileges over a network
- Marked as “Exploitation More Likely” by Microsoft
CVE-2025-55234 – Windows SMB Elevation of Privilege
- CVSS Score: 8.8
- Enables replay attacks against target hosts
- Requires network access for exploitation
CVE-2025-54916 – Windows NTFS Remote Code Execution
- CVSS Score: 7.8
- Stack-based buffer overflow vulnerability in NTFS
- Flagged as “Exploitation More Likely”
Google Chrome Zero-Day Exploitation
Google patched its sixth actively exploited Chrome zero-day of 2025 with the release of emergency security updates. CVE-2025-10585, a type confusion vulnerability in Chrome’s V8 JavaScript engine, was discovered by Google’s Threat Analysis Group and showed evidence of active exploitation.
The vulnerability affects Chrome versions prior to:
- 140.0.7339.185/.186 (Windows/macOS)
- 140.0.7339.185 (Linux)
Android Security Updates
Google’s September 2025 Android security bulletin revealed two actively exploited zero-day vulnerabilities:
- CVE-2025-38352 – Linux kernel race condition enabling local privilege escalation
- CVE-2025-48543 – Android Runtime use-after-free vulnerability allowing Chrome sandbox escape
Both vulnerabilities were under limited, targeted exploitation and required no user interaction for successful compromise.
Ransomware Landscape Updates

Scattered Spider Operations Continue
Despite previous claims of retirement and recent member arrests, Scattered Spider continued active operations throughout September 2025. Security researchers confirmed the group’s involvement in recent financial sector attacks, casting doubt on their cessation announcements.
New intelligence revealed Scattered Spider’s evolution in 2025, including:
- Targeting services like Klaviyo, HubSpot, and Pure Storage
- Brand impersonation campaigns against major corporations
- Acquisition of the domain twitter-okta[.]com previously owned by Twitter/X
Ransomware Attack Statistics
Research from NCC Group revealed ransomware attacks remained below 500 for the fifth consecutive month, with 328 attacks recorded in August 2025. However, the data showed concerning trends:
- 37% of attacks targeted industrial sectors
- 81% of attacks occurred in North America and Europe
- Qilin ransomware group responsible for 16% of all attacks
Infrastructure Attacks and Supply Chain Compromises

Supply Chain Vulnerabilities
The week highlighted critical supply chain risks with the Salesloft Drift breach originating from a compromised company GitHub account. Investigators traced the attack to threat actors accessing Drift’s AWS environment and obtaining customer OAuth tokens for Salesforce instances.
A separate supply chain attack compromised 18 popular npm software packages with cryptocurrency-stealing malware, affecting an estimated 2.6 million downloads before removal.
Critical Infrastructure Targeting
Railways emerged as a prime target for cyberattacks, with multiple incidents affecting transportation systems globally. The trend reflects threat actors’ increasing focus on critical infrastructure that supports economic and social functions.
Government and Policy Developments

International Cybersecurity Cooperation
Nearly 80% of cybersecurity leaders expressed concern about potential nation-state cyberattacks within the next 12 months, according to new research from VikingCloud. The study revealed:
- 76% believe cuts to U.S. federal cybersecurity programs could increase risk exposure
- 71% reported increased cyberattack frequency over the past year
- 58% suspect attackers used AI in recent incidents
Regulatory Updates
Germany approved new rules for critical infrastructure operators under its KRITIS law, implementing EU directives for enhanced cybersecurity measures. The regulations mandate stronger security practices and incident reporting requirements for critical infrastructure providers.
Looking Ahead: Key Takeaways
The cybersecurity threats of September 2025 presented several critical lessons for organizations:
Infrastructure Vulnerability: The JLR and Collins Aerospace incidents demonstrate that manufacturing and transportation systems remain attractive targets with significant operational impact potential.
Insider Threats Persist: The FinWise Bank incident reinforces the importance of robust post-employment access controls and continuous monitoring of privileged users.
Zero-Day Exploitation Accelerating: With multiple zero-day vulnerabilities exploited across major platforms, organizations must prioritize rapid patch deployment and defense-in-depth strategies.
Supply Chain Risks Growing: The Salesloft Drift and npm package compromises highlight the expanding attack surface through third-party dependencies and services.
Organizations should focus on:
- Implementing comprehensive identity and access management
- Developing robust incident response capabilities
- Enhancing supply chain security assessments
- Maintaining current patch management programs
- Investing in threat detection and response technologies
FAQs
What was the most significant cybersecurity incident during September 15-21, 2025?
The Jaguar Land Rover cyberattack stands out as the most significant incident, causing a global production shutdown affecting 39,000 employees with estimated weekly losses of £50-72 million. The attack exploited SAP NetWeaver vulnerabilities and extended beyond three weeks.
How many zero-day vulnerabilities were disclosed this week?
Multiple zero-day vulnerabilities were disclosed, including Google Chrome CVE-2025-10585 (the sixth Chrome zero-day of 2025) and two Android vulnerabilities (CVE-2025-38352 and CVE-2025-48543) that were actively exploited.
Is Scattered Spider still active despite previous retirement claims?
Yes, security researchers confirmed that Scattered Spider continues active operations in 2025 despite previous claims of retirement and recent member arrests. The group has evolved its tactics and continues targeting financial services and other sectors.
What airports were affected by the Collins Aerospace cyberattack?
Major European airports affected include Heathrow (London), Brussels Airport, Berlin Brandenburg Airport, and several others. Brussels Airport was most severely impacted, cancelling half of Monday’s scheduled departing flights.
How many vulnerabilities did Microsoft patch in September 2025?
Microsoft addressed 84 vulnerabilities in its September 2025 Patch Tuesday release, including 8 critical-severity vulnerabilities and 2 publicly disclosed zero-day vulnerabilities.
What should organizations prioritize based on this week’s cyber incidents?
Organizations should focus on rapid patch deployment, enhanced identity and access management, supply chain security assessments, insider threat controls, and robust incident response capabilities to address the evolving threat landscape.
Are ransomware attacks increasing or decreasing in 2025?
Ransomware attacks have remained below 500 per month for five consecutive months through August 2025, with 328 attacks recorded. However, attacks are becoming more sophisticated and causing greater business disruption through third-wave extortion tactics.
What sectors are being targeted most by cybercriminals?
Industrial sectors received 37% of ransomware attacks, while manufacturing, aviation, financial services, and critical infrastructure continue to be prime targets for various threat actors including nation-state groups and cybercriminal organizations.
How can organizations protect against supply chain attacks?
Organizations should implement comprehensive vendor security assessments, monitor third-party access privileges, deploy software bill of materials (SBOM) tracking, and establish incident response procedures specifically for supply chain compromises.
What is the current state of nation-state cyber threats?
Nearly 80% of cybersecurity leaders fear potential nation-state cyberattacks within the next 12 months, with increasing sophistication in targeting critical infrastructure and leveraging AI-powered attack techniques for enhanced effectiveness.