September 2025 Cybersecurity Round-Up

The cyber threat landscape evolves fast. September 2025 has been a particularly busy month, with plenty of notable attacks worth discussing and new vulnerabilities exploited. From cyber attacks on European airports to actively exploited vulnerabilities in Cisco products, a lot happened in the world of cybersecurity this month. Here’s a round-up of the main news and takeaways.

Notable Cyber Attacks September 2025

There were several notable cyber attacks in September 2025, causing quite a bit of damage to important operations, finances, travel plans, and personal privacy.

Jaguar Land Rover

September began with big news from the automotive world. Jaguar Land Rover detected an intruder in its network and proactively shut down large swathes of its IT estate to contain it. Over the following days, the attack forced the suspension of production across multiple plants, including UK factories (Halewood, Solihull) and sites overseas (Slovakia, India, Brazil).

The disruption lasted weeks, with staff sent home and design/engineering software offline. Suppliers faced a crisis as they couldn’t fulfill orders. Things became so bad that the UK government eventually guaranteed a loan of £1.5 billion so that the company could continue to support its suppliers.

Exact details of how the incident unfolded aren’t clear, but the group Scattered Spider has claimed responsibility. The same group was also responsible for the major UK retail cyber breach earlier this year. The way the government was forced into underwriting loans highlights how deeply a successful attack can cascade financially across an entire industry ecosystem.

Stellantis

Stellantis, the world’s fifth-largest carmaker, also made headlines for a cybersecurity lapse that saw hackers extract 18 million customer service records. Stellantis maintains that no financial data or highly sensitive information (e.g. payment card data) was exposed. The stolen data was apparently limited to basic contact info.

The root cause appears to be a third-party SaaS integration that used Salesforce APIs. The incident is part of ongoing hacking campaigns targeting Salesforce (and related third-party systems), and of a broader pattern of attackers increasingly targeting external, weakly monitored SaaS dependencies. The perimeter is now wherever your vendors live.

While Stellantis claims limited exposure, the narrative matters. Even “name + email + contact info” leaks can fuel phishing, spear-phishing, and identity attacks downstream.

European Airports

Continuing the theme of threat actors targeting the transport sector, a high-profile cyber attack disrupted operations at several European airports in September 2025. Airports including Berlin Brandenburg, Brussels, London Heathrow, and Dublin experienced widespread disruption. In Berlin, 73% of about 200 flights were delayed.

ENISA confirmed the root cause of this aviation cyber incident was a ransomware attack on Collins Aerospace, which supplies automatic check-in systems to European airports. Airports are high-impact, high-leverage targets where downtime yields immediate financial and reputational damage.

Relying so heavily on a single systems provider worsened this incident. But the barrier to entry for alternatives is enormous. Aviation software requires years of certification, integration testing, and regulator approval, so the market consolidates around a few providers. This creates functional monopolies, where one ransomware attack can cascade across dozens of airports.

Lotte Card

Lotte Card in South Korea disclosed that ~2.97 million customers had data compromised in a September 2025 cyber incident. This amounts to roughly 30% of the company’s user base. Up to 280,000 of the affected customers had highly sensitive info stolen (card numbers, CVCs) that could potentially be used for things like debit/credit card fraud.

Full technical details aren’t yet known, but the incident started with threat actors hacking the company’s online payment servers. The leaked dataset turned out to be 100x larger than Lotte Card originally reported to South Korean regulators. This raises questions over the company’s ability to audit its infrastructure and investigate the scope of cybersecurity incidents.

Another interesting finding reported in the South Korean media was that Lotte Card recorded the lowest ratio of information security spending to total annual budget this year at 0.3 percent. When companies underinvest in cybersecurity, severe incidents are far likelier.

High-Profile CVEs September 2025

While cyber attacks are always worth following for lessons learned, it’s also good to keep an eye on prominent CVEs disclosed each month. It’s especially important to apply patches if your business is affected by any of these same vulnerabilities.

Wrap-Up

September was a hectic month, with attackers striking across critical industries, and zero-days surfacing in core IT infrastructure products that companies use all the time. Keeping up with CVEs and keeping tabs on incidents won’t tell you whether your own environment is exploitable. The only way to know is to test it, and that’s where penetration testing comes in. At DIESEC, we go beyond patch lists to uncover how attackers could actually move through your systems, giving you clarity on where you’re truly exposed.
