Alleged Huawei zero-day blamed for the 2025 Luxembourg telecom crash

A Huawei zero-day flaw reportedly caused Luxembourg’s 2025 nationwide outage, disrupting landline, 4G/5G, and emergency services.
On July 23, 2025, a nationwide telecom outage in Luxembourg was reportedly triggered by a previously undisclosed flaw in Huawei enterprise routers. Specially crafted network traffic forced the routers into continuous reboot loops, crashing key parts of POST Luxembourg’s telecom infrastructure and disrupting landline, 4G, 5G, and emergency communications for more than three hours.
“An attack exploiting a previously unknown vulnerability in Huawei enterprise router software caused a nationwide telecoms outage in Luxembourg last year,” reads the report published by The Record Media.
“Paul Rausch, the head of communications at POST Luxembourg, the state-owned operator whose network failed, said the incident was a denial-of-service (DoS) attack targeting a network device. He confirmed it exploited ‘a non-public, non-documented behaviour, for which no patch was available at the time’ and was ‘not related to the exploitation of any known or previously documented vulnerabilities.’”
Luxembourg initially described the outage as an exceptionally advanced cyberattack, later clarifying it was not a typical volumetric DDoS. Investigators found that corrupted network traffic passing through POST Luxembourg’s infrastructure may have triggered the disruption. The evidence suggests this was not a targeted attack: there was no specific intent against POST, and no criminal charges were filed. The traffic appears to have exploited an undocumented failure in Huawei routers, causing repeated crashes and reboots instead of normal forwarding. No exploitation in the wild was confirmed.
According to sources familiar with the investigation, Huawei had never seen the attack before and had no immediate fix. No similar attacks were observed afterward.
What makes the case more concerning is the lack of public disclosure. No CVE was issued, no public advisory was released, and nearly a year later, there are still unanswered questions about whether similar systems remain exposed.
“Huawei did not respond to questions about why no public CVE had been issued for the vulnerability that caused Luxembourg’s nationwide telecoms outage,” The Record Media continues. “Ten months later, it remains unclear whether the vulnerability was ever fully patched, how many operators may have been exposed or whether similar Huawei systems remain vulnerable today.”
Pierluigi Paganini
(SecurityAffairs – hacking, telecom)

