May 21, 2026 · 9 min read

An Undocumented Huawei Zero Day Knocked Out Every Phone in Luxembourg for Three Hours Last July—And Ten Months Later There Is Still No CVE, No Patch, and No Statement From the Vendor

A single packet sent through POST Luxembourg's network put thousands of Huawei VRP routers into a reboot loop. Emergency services went dark. Investigators still cannot say whether anyone meant to do it.

What Happened

On May 19, 2026, The Record from Recorded Future News published the result of a ten-month investigation into one of the strangest telecom outages of 2025. Late in the working day on July 23, 2025, the entire telecommunications network operated by POST Luxembourg—the country's incumbent telecom—collapsed. Landlines stopped working. 4G and 5G mobile networks went silent. Emergency services lost their primary communications path for more than three hours.

When the network came back up, the emergency call center logged hundreds of calls from residents who had spent the outage unable to reach 112, the European emergency number. POST Luxembourg's engineers worked with Huawei to determine what had happened. The answer, according to The Record, is that specially crafted network traffic flowing through the network triggered a previously undocumented flaw in Huawei's VRP enterprise router operating system. Affected routers entered a continuous restart loop. They stayed in that loop until the traffic stopped passing through them.

The Most Unusual Detail: No CVE Was Filed

Coordinated vulnerability disclosure—the process by which a vendor and a researcher publish a CVE identifier, a patch, and an advisory—is standard practice across the global networking industry. When Cisco, Juniper, Arista, Nokia, or Ericsson products have a flaw of comparable severity, the disclosure cycle takes weeks to months. The CVE is searchable. Operators of affected gear get an advisory. Defenders update their threat models.

None of this happened for the Huawei VRP flaw. Ten months after the outage, no CVE identifier has been assigned. Huawei has issued no public advisory. The vendor's response to The Record's questions was silence. Other carriers running the same VRP software—and there are many of them across Europe, Africa, the Middle East, and Asia—have no way to know whether they have patched the issue, because there is nothing to patch against.

This is the second time in recent reporting that Huawei has handled a critical disclosure outside the normal channels. The pattern raises a hard question for European regulators: how do you regulate a critical infrastructure vendor whose vulnerability disclosure practices do not match the rest of the industry?

Was It an Attack? Maybe Not. Maybe That Is Worse.

Investigators were careful in their public statements. Per The Record, the technical meetings between Luxembourg authorities and Huawei concluded that "there was no evidence that an attack was specifically directed at POST Luxembourg as a chosen target." The malformed packets may simply have transited the network from another origin—Luxembourg is a critical European internet exchange point and a significant share of global traffic passes through it.

If accurate, that conclusion is alarming in a different way. It means a single piece of malformed network traffic—originating anywhere in the world, possibly entirely accidentally—was sufficient to take down an entire country's telecom backbone. A targeted attacker with knowledge of the vulnerability could disable the network whenever they chose, with zero attribution. A bored teenager experimenting with traffic generation tools could do the same thing without meaning to.

The CISA-style vulnerability tracking that exists for Cisco gear precisely so that defenders can prepare for these scenarios does not exist for Huawei VRP. The lights went out for three hours. Nobody knows how often that single packet sequence is sent across the global internet.

The Geopolitical Subtext

European policy on Huawei equipment in critical telecom infrastructure has been contested for half a decade. The United Kingdom and Germany have moved to remove Huawei from 5G core networks. France has applied selective restrictions. The Netherlands restricts but tolerates. Luxembourg, until July 2025, had been on the more permissive side. The outage gave the country's regulators an empirical data point to weigh against vendor cost.

In the same week as the Luxembourg disclosure, Human Rights Watch published research on EU surveillance equipment exports, showing how poorly European member states track critical-infrastructure dependencies on third-country vendors. The Luxembourg incident lands in the middle of that debate.

For journalists, activists, and researchers working in or with countries whose telecom backbones rely on Huawei VRP, the operational implication is direct: assume that the network underneath you can be taken down by anyone who knows how, with no advance warning, and that no one will tell you why it happened afterward.

What POST Luxembourg's Customers Lost

POST Luxembourg is the country's largest fixed and mobile carrier. Its network carries traffic for hundreds of thousands of residents, hosts banking and government services, and provides the primary 112 emergency routing in the country. For three hours on July 23, 2025:

  • Landline calls within and out of Luxembourg did not connect
  • 4G and 5G mobile services were unavailable across the country
  • 112 emergency services routing failed; callers got no dial tone
  • Bank ATM and point-of-sale terminals reliant on cellular fallback failed
  • Several government online services that depend on telecom routing became inaccessible

When service was restored, the emergency call center logged hundreds of stacked calls from residents trying to reach help during the outage. No deaths have been publicly tied to the outage, but the data set—how many people needed urgent help and could not get it—is exactly the kind of evidence regulators use when deciding whether to require redundant communication paths for critical services.

The Pattern: Critical Infrastructure Without Vulnerability Discipline

The Luxembourg incident is not isolated. Reporting across 2025 and 2026 has shown:

  • Multiple unattributed outages on telecom networks running non-Western equipment, with no CVE follow-up
  • NIST's NVD stopped enriching most new vulnerabilities with severity scores, leaving operators with raw data and no triage support
  • Mass exploitation of CVE-2026-20182 in Cisco SD-WAN despite a published advisory and patch availability
  • Critical infrastructure regulators in the EU, US, and UK now operating with materially different vulnerability disclosure tempos than their respective vendors

The Huawei case sits at the extreme end of this spectrum, where the vendor has no public disclosure tempo at all. For operators of VRP-based networks, the only defense is to deploy traffic-level mitigation at the edge—deep packet inspection that drops malformed traffic patterns before they reach the router CPU. That is operationally expensive, and most carriers do not run it.

What This Means for Email and Communication Security

A three-hour outage of an entire country's telecom backbone means more than missed calls. SMS-based two-factor authentication does not work. Email push notifications do not reach mobile devices. Bank authentication apps that require a network round trip cannot complete. The cascade effect across digital life is severe even for a short window.

For high-risk users—journalists protecting sources, activists in adversarial environments, executives traveling—the operational lesson is the one Snowden articulated years ago: depend on multiple independent communication paths. End-to-end encrypted messaging that can switch between carriers and Wi-Fi. Email accounts on multiple providers. Physical backup contacts that do not require the local telecom backbone to work.

A vulnerability with no CVE, no patch, and no public advisory is, definitionally, a vulnerability nobody can defend against. The Luxembourg incident is what happens when that vulnerability lives inside a country's most critical communication infrastructure.
