No CVE identifier – the publicly available identifiers used worldwide to document vulnerabilities – had reportedly been published nearly ten months after the incident. Huawei had also reportedly not made any public statement regarding this specific vulnerability.  Photo: Shutterstock

Ten months after the major outage that paralysed part of the telecommunications network for more than three hours, some of the fog is beginning to lift. And it confirms a sensitive point that Post Luxembourg had never explicitly acknowledged or publicly detailed: the incident did indeed originate from Huawei equipment present in the public operator’s critical infrastructure.

While Post CEO Claude Strasser neither confirmed nor provided any new information on 12 May, during the group’s annual results presentation, about the cyberattack that paralysed the country in the middle of last summer, the High Commissioner for National Protection has now done so. According to our colleagues at The Record, a “zero-day” vulnerability (one that was not publicly known at the time) in Huawei routers reportedly caused the national network to collapse on 23 July 2025. According to several anonymously cited sources, specially crafted network packets allegedly triggered a continuous reboot loop in Huawei routers used by Post Luxembourg.

Above all, the article reveals a major new development: Luxembourg investigators are reported to have concluded that ‘there is no evidence that an attack was specifically directed at Post Luxembourg as a chosen target’. In other words, the malicious traffic is said to have simply passed through Luxembourg’s infrastructure. The Huawei routers are said to have reacted unexpectedly to this traffic, rather than simply relaying it to its original destination.

This interpretation is partly in line with several findings revealed as early as 30 July 2025 in our investigation published a few days after the incident. We reported at the time that “Huawei Enterprise routers” were directly affected and that the ILR had asked organisations using this equipment to contact their CSIRT (computer security incident response team). Two sources also claimed that the hackers had targeted “Huawei routers and their operating software”.

Even at the time, there was no evidence to suggest that Huawei was involved in the attack itself. The article even explicitly stated that “there is no evidence to suggest that it was behind the attack” and pointed out that the Chinese company had “no interest whatsoever in having its software and hardware compromised by hackers”.

No obligation to move away from Huawei

Chief Executive Claude Strasser himself acknowledged, without directly naming Huawei, that the operator was essentially applying the European regulatory framework regarding suppliers deemed sensitive. He pointed out that Post had already adapted certain critical components during the roll-out of 5G, in an implicit reference to the European ‘5G Toolbox’ targeting high-risk suppliers. However, he also emphasised the difficulty of completely excluding Chinese components from modern telecoms infrastructure.

“These days, we need to draw a clear distinction between what is considered critical and what is not,” said Claude Strasser. The CEO of Post also explained that the company did not, at this stage, intend to “exclude an individual supplier ourselves” in the absence of an explicit regulatory requirement.

However, the article in The Record raises another sensitive issue: that of transparency surrounding the exploited vulnerability. No CVE identifier – the publicly available references used worldwide to document vulnerabilities – is reported to have been published nearly ten months after the incident. Huawei is also said not to have made any public statement regarding this specific vulnerability. Post Luxembourg, for its part, claims to have provided technical information but to have no control over the public disclosure of the vulnerability.

Looking beyond the specific case of Luxembourg, the incident highlights, above all, the growing difficulty European operators face in managing their technological dependence within a tense geopolitical context. For even when the initial target appears to lie elsewhere, a single software vulnerability in strategic equipment can be enough to bring an entire country to its knees.