On July 23, 2025, at the end of the day, the networks of the public operator POST Luxembourg collapse. The country suddenly finds itself cut off from the world: no more landline telephony, no more 4G or 5G.
The root of the problem? Network traffic specifically designed to hit where it hurts. Corrupted data, simply passing through the infrastructure, was enough to stop the machine.
Instead of being relayed, this data triggered undocumented behavior in Huawei routers, causing a continuous reboot loop and paralysis of critical systems. A true digital short circuit on a nationwide scale. To date, no public alerts or CVE identifiers have been issued.
What really caused this national blackout?
The outage was triggered by a denial-of-service attack (DDoS) of a very particular kind. Forget classic volumetric DDoS attacks that flood a target with requests.
Here, the method was much more surgical. The attackers exploited a packet-processing flaw (in the way data is read and routed) within Huawei’s VRP operating system.
In essence, a simple packet of data, seemingly innocuous but malformed in a very precise way, acted like a poison, causing a fatal and repetitive failure of the router.
Investigators ultimately concluded that it was probably not a targeted attack against POST Luxembourg. The malicious traffic would simply have been passing through its systems, which, because of the flaw, collapsed instead of routing it.
This is a case of “the wrong person in the wrong place”, but for critical national infrastructure. The telecom equipment manufacturer Huawei confirmed to the operator that it had never seen such an attack before and had no immediate solution, leaving engineers scrambling to restore service.
Why is this attack called “zero-day”?
The Luxembourg incident is the very definition of an attack exploiting a zero-day vulnerability. This term refers to a security vulnerability that is discovered and exploited by attackers even before the software or hardware manufacturer (here, Huawei) becomes aware of it.
Therefore, no patch was available at the time of the attack. Paul Rausch, communications director of POST Luxembourg, confirmed that the attack exploited “non-public, undocumented behavior for which no patch was available”.
This is what makes it so sophisticated: it does not rely on any known or documented weaknesses. For security teams, this is the worst scenario, because traditional defense systems, designed to block identified threats, struggle in the face of this type of unprecedented offensive.
Has Huawei failed in its transparency obligations?
This is where the matter takes an alarming turn. Ten months after the incident, no CVE identifier (Common Vulnerabilities and Exposures), the global standard for listing security vulnerabilities, has been published.
This deafening silence from Huawei is a major anomaly. The standard procedure is that the manufacturer, once the flaw has been identified, declares it publicly so that all users of its products can protect themselves.
By choosing not to do so, Huawei is potentially leaving thousands more telecom operators across the world unaware of a major risk. The Luxembourg authorities have shared technical information with their European partners, but without a CVE, the information remains confined to restricted circles.
Responsibility for public disclosure rests with the impacted manufacturer. This lack of transparency raises a fundamental question about cybersecurity and the trust that can be placed in network equipment manufacturers.
Without this information, we are navigating in a fog maintained by the technology giant, without knowing whether the patch has been fully deployed or how many systems remain vulnerable today.
