A zero-day attack exploiting a previously unknown vulnerability in Huawei enterprise router software caused a nationwide telecoms outage in Luxembourg last year, disrupting mobile, landline, and emergency communications for over three hours.
The Incident
The incident began on July 23, 2025, when POST Luxembourg's landline, 4G, and 5G mobile networks went down, leaving hundreds of thousands of residents unable to contact emergency services. The outage was caused by specially crafted network traffic that sent Huawei enterprise routers into a continuous restart loop, crashing critical parts of POST's infrastructure.
When connectivity was restored more than three hours later, the country's emergency call center received hundreds of additional calls. At the time, Luxembourg's government described the incident as an "exceptionally advanced and sophisticated cyberattack."
Investigation and Findings
Investigations by police and cybersecurity experts identified that "corrupted data, which may be used to prepare an attack on a random server responding to it, had been relayed through POST Luxembourg acting in its role as internet service provider and caused their systems to stop and reboot instead of simply relaying the data." However, investigators ultimately concluded that there was "no evidence that an attack was specifically directed at POST Luxembourg as a chosen target."
No criminal charges have been filed, and the findings suggest that the outage may have been triggered by maliciously crafted network traffic simply passing through POST's infrastructure. Instead of forwarding the data onward, Huawei routers appear to have hit an undocumented failure condition that caused them to repeatedly stop and reboot.
Vulnerability and Disclosure
The vulnerability has never been publicly disclosed, and no CVE identifier has been filed in any public database in the ten months since the incident. Huawei routinely files CVEs for consumer products, but public disclosures involving vulnerabilities in its enterprise networking software have become rare in recent years.
Paul Rausch, the head of communications at POST Luxembourg, said the incident was a denial-of-service (DoS) attack targeting a network device, which exploited "a non-public, non-documented behaviour, for which no patch was available at the time." Rausch confirmed that the attack was "not related to the exploitation of any known or previously documented vulnerabilities."
Similar Vulnerabilities
Huawei's VRP network operating system has previously been affected by denial-of-service vulnerabilities involving specially crafted protocol traffic, including CVE-2021-22359 and CVE-2022-29798. Similar flaws have also affected other major networking platforms, where malformed network traffic could trigger crashes, reloads, or remote compromise in systems processing otherwise routine communications.
POST said neither previously disclosed Huawei vulnerability was involved in the Luxembourg incident. Huawei still publishes enterprise security advisories, but through a restricted customer portal rather than broad public advisories.
Conclusion
Ten months after the incident, it remains unclear whether the vulnerability was ever fully patched, how many operators may have been exposed, or whether similar Huawei systems remain vulnerable today. The lack of public disclosure and the restricted access to security advisories have raised concerns about the transparency and accountability of Huawei's vulnerability management process.
There is no evidence that the advisory was related to the Luxembourg incident.
Huawei did not respond to questions about why no public CVE had been issued for the vulnerability that caused Luxembourg's nationwide telecoms outage. The incident highlights the importance of transparency and accountability in vulnerability management and the need for timely and public disclosure of security vulnerabilities.
- A zero-day attack on Huawei enterprise router software caused a nationwide telecoms outage in Luxembourg last year.
- The vulnerability has never been publicly disclosed, and no CVE identifier has been filed.
- The incident was a denial-of-service (DoS) attack targeting a network device.
- Huawei's VRP network operating system has previously been affected by similar vulnerabilities.
- The lack of public disclosure and restricted access to security advisories have raised concerns about Huawei's vulnerability management process.
Source: The Record