
Huawei Zero-Day Exposes Silent Supply Chain Risks to Sovereign Telecom Networks
Analysis of the undisclosed Huawei zero-day that crashed Luxembourg's national telecom network, revealing broader nation-state supply chain threats to critical infrastructure.
The July 2025 Luxembourg outage, triggered by an undisclosed zero-day in Huawei VRP firmware on enterprise routers, reveals a deeper pattern of underreported nation-state supply chain vulnerabilities in critical infrastructure. Unlike a typical DDoS incident, the outage was caused by specially crafted protocol traffic that induced a persistent reboot loop, severing landline, 4G/5G, and emergency services for over three hours across the entire state-owned POST network. Official probes found no targeted intent, suggesting the malicious packets traversed Luxembourg as transit traffic, yet the undocumented failure mode exposed a systemic blind spot: Huawei's lack of public CVE disclosure or patches leaves peer operators exposed worldwide. This mirrors prior VRP flaws such as CVE-2021-22359 and CVE-2022-29798, but the stakes are higher because this flaw remains untracked. Cross-referencing with Recorded Future's 2024 supply-chain risk assessments and ENISA's 2023 report on 5G vendor dependencies highlights how Western bans in the UK and Australia anticipated such risks, yet smaller NATO members like Luxembourg retained Huawei core elements. The absence of any public warning ten months later indicates deliberate opacity that could enable cascading failures in allied networks, underscoring the need for mandatory zero-day reporting and vendor diversification mandates.
SENTINEL: Undisclosed zero-days in Huawei gear signal escalating silent probes against allied critical infrastructure, accelerating calls for full vendor divestment.
Sources (3)
- [1] Primary Source: https://therecord.media/huawei-zero-day-behind-last-year-luxembourg-telecom-outage
- [2] Related Source: https://www.recordedfuture.com/huawei-vulnerabilities-supply-chain/
- [3] Related Source: https://www.enisa.europa.eu/publications/5g-supply-chain-security