Telecoms giant Vodafone has disclosed that it discovered hidden backdoors in network equipment supplied by Chinese vendor Huawei that could have allowed unauthorised access. The vulnerabilities were reportedly identified during independent security testing and date back several years. Vodafone says the issues have since been patched, but the company also claims some remained after Huawei initially said they had been fixed.
The most serious finding was a Telnet backdoor discovered in equipment used on Vodafone’s fixed-line network in Italy. Telnet is a diagnostic protocol that, if exposed, can permit access to devices and potentially to broader network segments. Vodafone’s security team warned that, if exploited, the vulnerability could have given Huawei a way to access parts of Vodafone’s Wide Area Network.
In an industry statement, Vodafone explained that it routinely tests third-party equipment to detect vulnerabilities and works with suppliers to resolve any issues quickly. The operator stressed that identifying supplier vulnerabilities is not uncommon, but the central concern in this case was the time it took to resolve the problems and communications about whether the fixes were effective.
According to an internal Vodafone document from April 2011 authored by then-chief information security officer Bryan Littlefair, Huawei initially agreed to remove problematic code, later attempted to obscure it, and ultimately refused to remove a diagnostic Telnet service on the grounds that it was required for configuration and quality testing. Littlefair wrote that the company’s political context made it harder for Huawei to regain trust.
Vodafone has warned that excluding Huawei from future networks would be costly and could delay 5G rollouts because the vendor’s equipment is already widely used in existing network generations. Replacing established gear would require significant time and investment and complicate network migration plans.
Vodafone response to media reporting
Following media coverage, Vodafone issued a statement clarifying that the Italian issues referenced were resolved and dated to 2011 and 2012. The operator noted that the ‘backdoor’ described by reporters was Telnet, a common diagnostic protocol used across the industry, and that it would not have been accessible from the public internet. Vodafone said it had no evidence of any unauthorised access and characterized the situation as a failure to remove a diagnostic function after development. The company reiterated that the issues were found through independent security testing initiated as part of routine security measures and that Huawei fixed the problems at the time.
However, Vodafone’s statement did not directly address the claims in the former CISO’s document that Huawei tried to hide the vulnerability and resisted removing the diagnostic code. That disagreement highlights how security incidents can involve both technical remediation and disputes over the timeline and transparency of supplier actions.
External pressure and the wider debate
The revelations come amid intense international scrutiny of Huawei. Governments and security agencies in several countries have debated whether to allow Huawei equipment in next-generation 5G networks. In the UK, reports of secret discussions about Huawei’s role suggested the vendor might be allowed to supply “non-core” equipment while being excluded from critical network elements. The United States has lobbied allies to restrict or ban Huawei across networks on the grounds of potential influence from Beijing, warning that allowing Huawei into 5G infrastructure could put certain security relationships at risk.
China’s ambassador to the UK urged Britain to resist external pressure and make its own independent decision on Huawei’s role. Meanwhile, the Huawei Cyber Security Evaluation Centre (HCSEC) in the UK, established in 2010, had until recently found only minor concerns. More recent HCSEC reporting indicated growing doubts about whether Huawei could sufficiently mitigate risks in a timely manner. UK intelligence officials have expressed frustration at the pace of Huawei’s responses to security concerns, and subsequent reports noted that the company needed to accelerate its remediation efforts to restore confidence.
The debate over Huawei’s place in Western telecom networks involves technical risk assessments, supplier transparency, supply-chain integrity, and geopolitical considerations. For operators like Vodafone, managing those risks requires careful testing, clear remediation processes with suppliers, and honest communication about vulnerabilities and fixes. For suppliers, timely and transparent responsiveness to security findings is essential to maintain trust and continued business relationships.
Events and industry discussion
Industry forums and expos continue to provide platforms for operators, vendors, regulators, and security experts to discuss network security, supply chain resilience, and 5G deployment strategies. These events bring together stakeholders to share best practices for vulnerability testing, incident response, and supplier oversight—topics that remain central as telecoms networks evolve.