Shelly Pro 3EM
Monitor | CVSS 7.4 | ICS-CERT ICSA-25-322-03 | Nov 18, 2025
Attack path
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A denial-of-service vulnerability exists in the Shelly Pro 3EM smart electrical meter. An attacker on the local network can send a crafted message to the device, causing it to become unresponsive and unable to report power measurements. The vulnerability affects all versions of the Pro 3EM. Shelly has not responded to CISA coordination requests and has not indicated plans to release a patch. Exploitation requires local network access and does not require authentication.
What this means
What could happen
An attacker on the local network could disrupt the Shelly Pro 3EM device, preventing it from measuring and reporting electrical data, which could blind operators to grid or facility power conditions.
Who's at risk
Water utilities and municipal electric utilities that use Shelly Pro 3EM devices for real-time monitoring of three-phase electrical distribution and energy measurement. Any facility using this device for billing, load analysis, or operational visibility is affected.
How it could be exploited
An attacker with access to the local network (e.g., compromised office network, rogue WiFi, or connected to the same Ethernet segment as the device) could send a crafted message to the Shelly Pro 3EM to trigger a denial-of-service condition, causing the device to become unresponsive.
Prerequisites
- Local network access to the Shelly Pro 3EM device (not remotely exploitable)
- No authentication required
Tags: No authentication required · Low complexity attack · No patch available · Affects monitoring and visibility of critical infrastructure
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (1)
Product              | Affected Versions | Fix Status
Pro 3EM (vers:all/*) | All versions      | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Isolate the Shelly Pro 3EM device behind a firewall and restrict local network access to only the trusted interfaces or systems that need to communicate with it.
HARDENING: Segment the network so that the Shelly Pro 3EM is not on the same network as untrusted systems or business office networks.
Schedule — requires maintenance window
WORKAROUND: Monitor the device for unexpected restarts or loss of connectivity; either can indicate an exploitation attempt. There is no patch to schedule for this product, so the maintenance window is only needed if enabling monitoring involves restarting the device, which interrupts measurement while it reboots.
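The workaround above is a monitoring task, so here is a small poller that implements it. This is an added example, not code from Shelly or from the advisory. It assumes the Pro 3EM answers the Gen2 RPC call `/rpc/Shelly.GetStatus` over plain HTTP on its LAN address and that the reply carries `sys.uptime` in seconds (verify both against your unit); the address 192.0.2.10 is a placeholder. It raises a LOST alert when the device stops answering (the symptom this advisory describes, since the DoS leaves the device unresponsive rather than necessarily rebooting it) and a RESTART alert when the estimated boot instant moves forward, which catches a reboot even if it happened between two polls. The monitoring host must be one of the systems the firewall still allows to reach the meter.

```python
"""Watch a Shelly Pro 3EM for loss of connectivity and unexpected restarts.

Added example; not Shelly's or the advisory's own code. Assumptions:
  - the device exposes /rpc/Shelly.GetStatus over HTTP (Gen2 RPC) and the
    JSON reply contains sys.uptime in seconds;
  - 192.0.2.10 is a placeholder address, replace it with the meter's LAN IP.
"""
import json
import sys
import time
import urllib.request
from dataclasses import dataclass
from typing import List, Optional

LOST_MSG = "LOST: device stopped answering RPC (possible DoS)"
RECOVERED_MSG = "RECOVERED: device answering again"


@dataclass
class Sample:
    ts: float               # wall-clock time of the poll (seconds)
    reachable: bool
    uptime: Optional[int]   # device uptime in seconds, None when unreachable


def fetch_status(host: str, timeout: float = 3.0) -> Sample:
    """One poll of the device. Any transport or parse error counts as unreachable."""
    url = f"http://{host}/rpc/Shelly.GetStatus"   # assumed endpoint
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = json.load(resp)
        return Sample(time.time(), True, int(body["sys"]["uptime"]))
    except Exception:
        return Sample(time.time(), False, None)


class Watcher:
    """Stateful alert logic: feed it samples, get back alert strings."""

    def __init__(self, slack: float = 5.0):
        self.slack = slack                 # tolerated jitter in the boot estimate
        self.last_good: Optional[Sample] = None
        self.down = False

    def observe(self, s: Sample) -> List[str]:
        alerts: List[str] = []
        if not s.reachable:
            if not self.down:              # alert once per outage, not per poll
                alerts.append(LOST_MSG)
                self.down = True
            return alerts
        if self.last_good is not None:
            # Estimated boot instant = poll time - uptime. A restart moves it
            # forward, even if the reboot happened while the device was dark.
            prev_boot = self.last_good.ts - self.last_good.uptime
            cur_boot = s.ts - s.uptime
            if cur_boot - prev_boot > self.slack:
                alerts.append(
                    f"RESTART: uptime went from {self.last_good.uptime}s to {s.uptime}s"
                )
        if self.down:
            alerts.append(RECOVERED_MSG)
            self.down = False
        self.last_good = s
        return alerts


def watch(host: str, period: float = 30.0) -> None:
    """Poll forever and print timestamped alerts; run this on the monitoring host."""
    w = Watcher()
    while True:
        for alert in w.observe(fetch_status(host)):
            print(time.strftime("%Y-%m-%dT%H:%M:%S"), host, alert)
        time.sleep(period)


if __name__ == "__main__":
    watch(sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10")
```

Feed the alerts into whatever the site already uses for OT alarms; the useful signal is a LOST alert that persists while the device is still physically powered, which is what a successful DoS looks like from the network side.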
Mitigations - no patch available
Pro 3EM (vers:all/*) has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: If remote access to the device is required, implement it through a VPN and keep the VPN software updated to the latest version.
CVEs (1)