Shelly Pro 4PM
Plan: Patch · 7.4 · ICS-CERT ICSA-25-322-02 · Nov 18, 2025
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A resource exhaustion vulnerability in Shelly Pro 4PM firmware versions below 1.6.0 allows an attacker on the local network to cause a denial-of-service condition, rendering the device unresponsive. The vulnerability is triggered by sending a specially crafted network message and requires no authentication. Firmware versions 1.6.0 and later are not vulnerable.
What this means
What could happen
An attacker on the same local network could crash the Shelly Pro 4PM relay device, causing loss of control over the connected circuits until the device restarts. This could disrupt HVAC, lighting, motor, or load control in facilities that depend on remote management.
Who's at risk
Facilities management, utilities, and building automation teams managing Shelly Pro 4PM relay controllers used for HVAC, lighting, motor control, or load switching in municipal utilities, water authorities, and industrial plants.
How it could be exploited
An attacker with access to the same network segment as the Shelly Pro 4PM sends a specially crafted network message that triggers a resource exhaustion condition in the device firmware. The device becomes unresponsive and must be manually restarted to restore function.
Prerequisites
- Network access to the Shelly Pro 4PM on the same LAN (not remotely exploitable)
- No authentication required
- Low complexity exploitation
- No authentication required
- Affects device availability
- Vendor did not coordinate or provide timely fix
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (1)
Product | Affected Versions | Fix Status
Pro 4PM | <v1.6 | 1.6.0 or later
Remediation & Mitigation
Do now
HARDENING: Restrict network access to the Shelly Pro 4PM using firewall rules or network segmentation; ensure it is not reachable from the internet or untrusted business networks
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Upgrade Shelly Pro 4PM to firmware version 1.6.0 or later
Long-term hardening
HARDENING: Isolate Shelly Pro 4PM devices on a dedicated control network segment separate from general office networks
CVEs (1)
API: /api/v1/advisories/2e56388f-3e19-440f-bae6-f88579ae1c44