Huawei zero-day attack behind last year’s crash of Luxembourg's entire telecoms network
2026-5-19 19:36:59 Author: therecord.media

An attack exploiting a previously unknown vulnerability in Huawei enterprise router software caused a nationwide telecoms outage in Luxembourg last year, according to multiple sources briefed on the matter, disrupting mobile, landline and emergency communications for more than three hours.

The vulnerability has never been publicly disclosed. No CVE identifier — used by cybersecurity professionals worldwide to track software flaws and protect their systems — has been filed in any public database in the ten months since the incident, and no public warning has been issued to other operators running the same equipment.

Paul Rausch, the head of communications at POST Luxembourg, the state-owned operator whose network failed, said the incident was a denial-of-service (DoS) attack targeting a network device. He confirmed it exploited “a non-public, non-documented behaviour, for which no patch was available at the time” and was “not related to the exploitation of any known or previously documented vulnerabilities.”

Rausch said Huawei told POST it had never encountered the attack among any of its customers and had no ready-made solution.

Multiple sources briefed on the matter, who spoke on condition of anonymity to discuss confidential briefings, described the incident as a zero-day attack. There is no evidence that the incident has recurred, but the flaw remains unexplained and has not been publicly acknowledged by the company.

Huawei received detailed questions from Recorded Future News ahead of publication but did not provide any statements in response.

The outage

The incident began toward the end of the working day on July 23, 2025. POST’s landline, 4G and 5G mobile networks went down, leaving potentially hundreds of thousands of residents unable to contact emergency services.

It was caused by specially crafted network traffic that sent Huawei enterprise routers into a continuous restart loop, crashing critical parts of POST’s infrastructure. When connectivity was restored more than three hours later, the country’s emergency call center received hundreds of additional calls.

At the time, Luxembourg’s government described the incident as “an exceptionally advanced and sophisticated cyberattack.” POST said that description referred to the expertise required to exploit the vulnerability. 

The government also initially described the incident as a DDoS attack, and POST later clarified that it was not the type of volumetric DDoS attack often used by hacktivists and cybercriminals.

The country’s public prosecutor said an investigation by police and cybersecurity experts identified that “corrupted data, which may be used to prepare an attack on a random server responding to it, had been relayed through POST Luxembourg acting in its role as internet service provider and caused their systems to stop and reboot instead of simply relaying the data.”

But investigators ultimately concluded there was “no evidence that an attack was specifically directed at POST Luxembourg as a chosen target,” a spokesperson for Luxembourg’s High Commission for National Protection told Recorded Future News. No criminal charges have been filed.

The findings suggest the outage may have been triggered by maliciously crafted network traffic simply passing through POST’s infrastructure. Instead of forwarding the data onward, Huawei routers appear to have hit an undocumented failure condition that caused them to repeatedly stop and reboot.

Huawei’s VRP network operating system has previously been affected by denial-of-service vulnerabilities involving specially crafted protocol traffic, including CVE-2021-22359 and CVE-2022-29798. Similar flaws have also affected other major networking platforms, where malformed network traffic could trigger crashes, reloads or remote compromise in systems processing otherwise routine communications.

POST said neither previously disclosed Huawei vulnerability was involved in the Luxembourg incident.

The disclosure gap

While Huawei routinely files CVEs for consumer products, public disclosures involving vulnerabilities in its enterprise networking software have become rare in recent years, with many of the publicly documented cases instead originating from independent security researchers.

The company still publishes enterprise security advisories, but through a restricted customer portal rather than broad public advisories. One such advisory, which also did not include a CVE identifier, was published last month describing a denial-of-service flaw involving packet parsing. There is no evidence that the advisory was related to the Luxembourg incident.

After the attack, Luxembourg authorities and Huawei held a series of technical meetings to understand what had happened, according to Anne Jung, spokesperson for the High Commission for National Protection.

Luxembourg’s cybersecurity authorities also alerted partner incident response teams across Europe through established government channels. But no CVE was ever filed alerting the community at large.

Asked who was responsible for issuing a CVE, Jung said that decision rests with the vendor under standard disclosure procedures. POST separately told Recorded Future News it contributed technical information but did not control disclosure decisions.

Huawei did not respond to questions about why no public CVE had been issued for the vulnerability that caused Luxembourg’s nationwide telecoms outage. Ten months later, it remains unclear whether the vulnerability was ever fully patched, how many operators may have been exposed or whether similar Huawei systems remain vulnerable today.

Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and a fellow at the European Cyber Conflict Research Initiative, now Virtual Routes. He can be reached securely using Signal on: AlexanderMartin.79


Article source: https://therecord.media/huawei-zero-day-behind-last-year-luxembourg-telecom-outage