The Hidden Backdoor to 200 Airports: A Supply Chain Failure in Aviation

SVigil (CloudSEK) discovered credentials for a 4th‑party maintenance engineer posted on underground forums that granted access to a primary vendor's Next Generation Operations Support System (NGOSS) portal servicing about 200 airports; the portal lacked MFA and exposed live infrastructure inventories, device status, performance metrics, and internal diagnostic tools, creating realistic opportunities for targeted kiosk/terminal DoS, baggage reconciliation outages, or coordinated multi-hub disruptions. Immediate mitigations included credential revocation and emergency MFA rollout, and the report urges vendor zero-trust, just-in-time access, credential audits, and supply-chain risk assessments.