Huawei Zero-Day Attack Disrupts Luxembourg’s Telecoms Network for Over Three Hours
An unprecedented cyberattack exploiting an undisclosed vulnerability in Huawei’s enterprise router software led to a nationwide telecommunications outage in Luxembourg last year. This incident, which lasted over three hours, disrupted mobile, landline, and emergency communications, affecting potentially hundreds of thousands of residents.
The vulnerability that enabled this attack has not been publicly disclosed. In the ten months since the incident, no Common Vulnerabilities and Exposures (CVE) identifier has been registered in any public database, nor has any warning been issued to other operators utilizing the same equipment.
Paul Rausch, head of communications at POST Luxembourg, the state-owned telecommunications operator, confirmed that the incident was a denial-of-service (DoS) attack targeting a network device. He stated that the attack exploited “a non-public, non-documented behavior, for which no patch was available at the time” and clarified that it was “not related to the exploitation of any known or previously documented vulnerabilities.” Huawei informed POST that it had not encountered this type of attack among its customers and did not have an immediate solution.
Sources familiar with the matter, who requested anonymity due to the sensitive nature of the information, characterized the incident as a zero-day attack. While there is no evidence that the attack has recurred, the underlying flaw remains unexplained and has not been publicly acknowledged by Huawei.
The Outage
The incident unfolded on July 23, 2025, toward the end of the working day. POST’s landline and 4G and 5G mobile networks went offline, leaving many residents unable to reach emergency services. The outage was triggered by specially crafted network traffic that caused Huawei enterprise routers to enter a continuous restart loop, effectively crashing critical components of POST’s infrastructure. When connectivity was finally restored, the country’s emergency call center was inundated with hundreds of additional calls.
At the time, the Luxembourg government described the incident as “an exceptionally advanced and sophisticated cyberattack.” POST clarified that this description referred to the expertise required to exploit the vulnerability. Initially, the government classified the incident as a distributed denial-of-service (DDoS) attack; however, POST later specified that it was not a volumetric DDoS attack typically associated with hacktivists and cybercriminals.
An investigation by police and cybersecurity experts revealed that “corrupted data, which may be used to prepare an attack on a random server responding to it, had been relayed through POST Luxembourg,” causing their systems to stop and reboot instead of merely forwarding the data. However, investigators concluded that there was “no evidence that an attack was specifically directed at POST Luxembourg as a chosen target,” according to a spokesperson for Luxembourg’s High Commission for National Protection. No criminal charges have been filed in connection with the incident.
The findings suggest that the outage may have been triggered by maliciously crafted network traffic passing through POST’s infrastructure. Instead of forwarding the data, Huawei routers appear to have encountered an undocumented failure condition, leading to repeated stops and reboots.
Huawei’s VRP network operating system has previously been affected by denial-of-service vulnerabilities involving specially crafted protocol traffic, including CVE-2021-22359 and CVE-2022-29798. Similar vulnerabilities have also impacted other major networking platforms, where malformed network traffic could lead to crashes, reloads, or remote compromises in systems handling routine communications. POST confirmed that neither of the previously disclosed Huawei vulnerabilities was involved in the Luxembourg incident.
The Disclosure Gap
While Huawei regularly files CVEs for its consumer products, public disclosures regarding vulnerabilities in its enterprise networking software have become increasingly rare. Many documented cases have originated from independent security researchers rather than the company itself.
Huawei continues to publish enterprise security advisories, but these are accessible only through a restricted customer portal, rather than being broadly disseminated to the public. One recent advisory, which did not include a CVE identifier, described a denial-of-service flaw related to packet parsing; however, there is no evidence linking it to the Luxembourg incident.
Following the attack, Luxembourg authorities and Huawei engaged in a series of technical meetings to analyze the situation, as noted by Anne Jung, spokesperson for the High Commission for National Protection. Luxembourg’s cybersecurity authorities also informed partner incident response teams across Europe through established government channels. Despite these efforts, no CVE was filed to alert the broader community.
When asked about the responsibility for issuing a CVE, Jung indicated that the decision lies with the vendor under standard disclosure procedures. POST separately stated that while it contributed technical information, it did not control disclosure decisions.
Huawei did not respond to inquiries regarding why no public CVE had been issued for the vulnerability that caused the nationwide telecom outage in Luxembourg. Ten months later, it remains uncertain whether the vulnerability has been fully patched, how many operators may have been affected, or whether similar Huawei systems continue to be at risk.
For further insights into the implications of this incident and ongoing developments in cybersecurity, refer to the source: therecord.media.


