Shelly Pro 4PM

Status: Plan Patch
CVSS: 7.4
Advisory: ICS-CERT ICSA-25-322-02
Published: Nov 18, 2025
Attack path
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Shelly Pro 4PM firmware versions earlier than 1.6.0 are vulnerable to a denial-of-service attack via uncontrolled resource consumption (CWE-770). An attacker with local network access can craft a request that exhausts device resources, causing the relay to become unresponsive. This vulnerability is not remotely exploitable. Shelly has not publicly acknowledged coordination efforts but confirmed the fix is available in version 1.6.0 and later.

What this means
What could happen
An attacker with local network access to a Shelly Pro 4PM device could trigger a denial-of-service condition that stops the relay from responding to commands, disrupting any process that depends on it.
Who's at risk
Facilities operators using Shelly Pro 4PM smart relays for load control or switching applications should update immediately. This affects users in manufacturing, building automation, and utility metering who depend on these relays for process control.
How it could be exploited
An attacker on the same local network (AV:A) sends a crafted request that exhausts the device's resources (CWE-770 uncontrolled resource consumption), causing the device to become unresponsive and unable to accept new commands or send telemetry.
Prerequisites
  • Local network access to the Shelly Pro 4PM device
  • Device running firmware version earlier than 1.6.0
  • No authentication required
  • No authentication required
  • Low complexity
  • Affects relay control and process continuity
  • Local network access only (reduces internet-based attack risk)
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (1)
Product  | Affected Versions | Fix Status
Pro 4PM  | < 1.6.0           | 1.6.0 and later
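As an added example (not OTPulse's or Shelly's code), the following Python script audits a set of Shelly devices against the affected range in the table above and flags Pro 4PM units still below 1.6.0. It assumes the Gen2 RPC method Shelly.GetDeviceInfo, served at http://<device>/rpc/Shelly.GetDeviceInfo, returns JSON with the fields app, model, ver, fw_id and auth_en, and that the Pro 4PM reports app "Pro4PM"; those field names, the model codes and the sample responses embedded below are assumptions and constructed data, not captured from real devices.

```python
"""Fleet firmware audit for the Shelly Pro 4PM advisory (added example).

Hypothetical code, not OTPulse's or Shelly's. Assumes the Gen2 RPC method
Shelly.GetDeviceInfo (http://<device>/rpc/Shelly.GetDeviceInfo) returns
JSON with "app", "model", "ver", "fw_id" and "auth_en"; all sample values
below are constructed for the demo.
"""
from __future__ import annotations

import json
import re
import urllib.request
from dataclasses import dataclass
from typing import Optional

FIXED_VERSION = (1, 6, 0)   # first fixed release named in the advisory
AFFECTED_APP = "Pro4PM"     # assumed "app" value reported by a Pro 4PM

_VER_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(ver: str) -> tuple[int, int, int]:
    """Reduce a firmware version string to (major, minor, patch).

    Handles a bare "ver" such as "1.5.1" as well as a longer build id
    such as "20241011-114455/1.4.4-g6d2a586"; only the first dotted
    numeric group is used, a missing patch component counts as 0.
    """
    m = _VER_RE.search(ver)
    if not m:
        raise ValueError(f"unrecognised firmware version: {ver!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(ver: str) -> bool:
    """True when the reported firmware predates the 1.6.0 fix."""
    parsed = parse_version(ver)
    if parsed < FIXED_VERSION:
        return True
    # A pre-release build tagged 1.6.0 is not assumed to carry the fix.
    return parsed == FIXED_VERSION and bool(re.search(r"-(alpha|beta|rc)\d*", ver))


@dataclass
class Finding:
    host: str
    app: str
    version: str
    affected: bool
    auth_enabled: bool  # inventory only: PR:N means auth does not mitigate this issue


def assess(host: str, info: dict) -> Optional[Finding]:
    """Classify one Shelly.GetDeviceInfo response; None for other models."""
    if info.get("app") != AFFECTED_APP:
        return None
    ver = info.get("ver") or info.get("fw_id", "")
    return Finding(host, info["app"], ver, is_affected(ver), bool(info.get("auth_en", False)))


def fetch_device_info(host: str, timeout: float = 3.0) -> dict:
    """Live query from a management workstation on the control segment
    (not called by the offline demo below)."""
    url = f"http://{host}/rpc/Shelly.GetDeviceInfo"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def audit(responses: dict[str, dict]) -> list[Finding]:
    """Run assess() over a {host: device_info} map, dropping non-Pro 4PM devices."""
    return [f for f in (assess(h, i) for h, i in responses.items()) if f is not None]


# Constructed sample responses for three devices on a control VLAN.
SAMPLE_RESPONSES = {
    "10.20.30.11": {"app": "Pro4PM", "model": "SPSW-004PE16EU", "ver": "1.5.1",
                    "fw_id": "20250320-101010/1.5.1-gabc1234", "auth_en": False},
    "10.20.30.12": {"app": "Pro4PM", "model": "SPSW-004PE16EU", "ver": "1.6.0",
                    "fw_id": "20251001-090909/1.6.0-gdef5678", "auth_en": True},
    "10.20.30.13": {"app": "Plus1PM", "model": "SNSW-001P16EU", "ver": "1.4.4",
                    "auth_en": True},
}

if __name__ == "__main__":
    for f in audit(SAMPLE_RESPONSES):
        status = "UPDATE to 1.6.0 or later" if f.affected else "fixed"
        print(f"{f.host}: {f.app} {f.version}: {status}")
```

To use it against a real fleet, build the response map with fetch_device_info() over the asset inventory from a workstation on the segmented control network, not across the business LAN. The version check is deliberately conservative: a pre-release build that calls itself 1.6.0 is still reported as affected, and auth_en is recorded only for inventory, since the advisory rates the issue as requiring no privileges.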
Remediation & Mitigation
Do now
HARDENING: Disable internet-facing access to Shelly Pro 4PM devices; keep them on a segmented control network only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Shelly Pro 4PM firmware to version 1.6.0 or later
Long-term hardening
HARDENING: Isolate Shelly Pro 4PM devices from the general business network and restrict access to authorized management workstations only
API: /api/v1/advisories/2e56388f-3e19-440f-bae6-f88579ae1c44

Shelly Pro 4PM | CVSS 7.4 - OTPulse