Huawei Zero-Day Attack Caused Luxembourg's Nationwide Telecom Outage Last Year
A zero-day vulnerability in Huawei enterprise routers caused a three-hour nationwide telecom outage in Luxembourg in July 2025, yet the flaw remains unpatched and undisclosed.
An attack exploiting a previously unknown vulnerability in Huawei enterprise router software caused a nationwide telecoms outage in Luxembourg last year, according to multiple sources briefed on the matter, disrupting mobile, landline and emergency communications for more than three hours. The vulnerability has never been publicly disclosed. No CVE identifier has been filed in any public database in the ten months since the incident, and no public warning has been issued to other operators running the same equipment.
Paul Rausch, the head of communications at POST Luxembourg, the state-owned operator whose network failed, said the incident was a denial-of-service (DoS) attack targeting a network device. He confirmed it exploited "a non-public, non-documented behaviour, for which no patch was available at the time" and was "not related to the exploitation of any known or previously documented vulnerabilities." Rausch said Huawei told POST it had never encountered the attack among any of its customers and had no ready-made solution.
The incident began toward the end of the working day on July 23, 2025. POST's landline, 4G and 5G mobile networks went down, leaving potentially hundreds of thousands of residents unable to contact emergency services. It was caused by specially crafted network traffic that sent Huawei enterprise routers into a continuous restart loop, crashing critical parts of POST's infrastructure. When connectivity was restored more than three hours later, the country's emergency call center received hundreds of additional calls.
At the time, Luxembourg's government described the incident as "an exceptionally advanced and sophisticated cyberattack." POST said that description referred to the expertise required to exploit the vulnerability. The government also initially described the incident as a DDoS attack, and POST later clarified that it was not the type of volumetric DDoS attack often used by hacktivists and cybercriminals.
Investigators ultimately concluded there was "no evidence that an attack was specifically directed at POST Luxembourg as a chosen target," a spokesperson for Luxembourg's High Commission for National Protection told Recorded Future News. The findings suggest the outage may have been triggered by maliciously crafted network traffic simply passing through POST's infrastructure. Instead of forwarding the data onward, Huawei routers appear to have hit an undocumented failure condition that caused them to repeatedly stop and reboot.
Huawei's VRP network operating system has previously been affected by denial-of-service vulnerabilities involving specially crafted protocol traffic, including CVE-2021-22359 and CVE-2022-29798. POST said neither previously disclosed Huawei vulnerability was involved in the Luxembourg incident. While Huawei routinely files CVEs for consumer products, public disclosures involving vulnerabilities in its enterprise networking software have become rare in recent years, with many of the publicly documented cases instead originating from independent security researchers.
After the attack, Luxembourg authorities and Huawei held a series of technical meetings to understand what had happened. Luxembourg's cybersecurity authorities also alerted partner incident response teams across Europe through established government channels. But no CVE was ever filed alerting the community at large. Ten months later, it remains unclear whether the vulnerability was ever fully patched, how many operators may have been exposed or whether similar Huawei systems remain vulnerable today.