Shelly Pro 3EM
Monitor | 7.4 | ICS-CERT ICSA-25-322-03 | Nov 18, 2025
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A denial-of-service vulnerability exists in Shelly Pro 3EM smart energy meters affecting all versions. An attacker on the local network can craft a packet that causes the device to stop responding, interrupting energy monitoring. The vulnerability requires no authentication. Shelly did not respond to CISA coordination attempts and no patch is currently available. The vulnerability is not remotely exploitable from the internet but affects any device reachable on the internal network.
What this means
What could happen
An attacker on the local network can force the Shelly Pro 3EM energy meter to stop responding, interrupting power monitoring and potentially affecting billing, load balancing, or automated control systems that depend on real-time energy data.
Who's at risk
Water utilities, municipal electric systems, and other industrial facilities using Shelly Pro 3EM smart energy meters for real-time power monitoring and demand response. This affects any automated system that relies on continuous energy telemetry data for load balancing, billing automation, or process control decisions.
How it could be exploited
An attacker with access to the same local network segment (Ethernet or Wi-Fi) as the device can send a specially crafted packet to trigger a denial-of-service condition, causing the Pro 3EM to become unresponsive. The device must be reachable on the network for the attack to succeed.
Prerequisites
- Direct or routed network access to the Pro 3EM device on the local network (AV:A - adjacent network)
- No credentials or authentication required
- No special configuration needed - all versions are affected
- No patch available from vendor
- Affects energy monitoring and operational visibility
- Low attack complexity (no special tools or credentials required)
- Local network access required (reduces internet-facing risk but not LAN risk)
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (1)
Product | Affected Versions | Fix Status
Pro 3EM | vers:all/* (all versions) | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Isolate Shelly Pro 3EM devices from direct internet access and untrusted networks using firewall rules or network segmentation
HARDENING: Restrict network access to Pro 3EM to only trusted management workstations and SCADA/monitoring systems using access control lists or VLANs
Schedule — requires maintenance window
Patching may require a device reboot — plan for process interruption
HARDENING: Monitor Shelly Pro 3EM for unexpected outages and loss of energy telemetry; establish alerting if the device stops responding
HOTFIX: Contact Shelly for patched firmware versions and test in a non-production environment before deployment
HOTFIX: If an update becomes available, schedule a maintenance window to update all Pro 3EM devices to the patched version
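The monitoring item above (alert when the meter stops responding or telemetry goes stale) is the one mitigation available while no fix exists. The following is an added example, not part of the advisory or Shelly's software: it assumes the meter is polled over the Gen2 HTTP RPC call /rpc/EM.GetStatus?id=0 and that its total_act_power field carries the live reading (both assumptions, not stated on this page); the poll samples are constructed.

```python
"""Availability/staleness watchdog for a Shelly Pro 3EM (added example)."""
import json
import time
import urllib.request
from dataclasses import dataclass
from typing import Optional

FAIL_THRESHOLD = 3      # consecutive failed polls before alerting
STALE_SECONDS = 120     # OK replies but unchanged telemetry for this long -> alert


@dataclass
class Poll:
    ts: float                                # epoch seconds when polled
    ok: bool                                 # device answered the RPC
    total_act_power: Optional[float] = None  # W, from EM.GetStatus (assumed field)


def probe(host: str, timeout: float = 5.0) -> Poll:
    """Live probe of one meter. Endpoint and host are assumptions; unused offline."""
    now = time.time()
    try:
        url = f"http://{host}/rpc/EM.GetStatus?id=0"
        with urllib.request.urlopen(url, timeout=timeout) as r:
            return Poll(now, True, float(json.load(r)["total_act_power"]))
    except Exception:               # timeout, refused, malformed JSON: treat as down
        return Poll(now, False)


def evaluate(polls: list) -> list:
    """Return alert strings for a time-ordered series of polls.

    Flags (a) FAIL_THRESHOLD consecutive failures, i.e. the device has stopped
    responding, and (b) a device that answers but whose reading has not changed
    for more than STALE_SECONDS, i.e. telemetry is frozen rather than live.
    """
    alerts, fails, last_value, last_change_ts = [], 0, None, None
    for p in sorted(polls, key=lambda p: p.ts):
        if not p.ok:
            fails += 1
            if fails == FAIL_THRESHOLD:
                alerts.append(f"{p.ts:.0f}: device unresponsive for {fails} consecutive polls")
            continue
        fails = 0
        if p.total_act_power != last_value:          # fresh reading: reset staleness clock
            last_value, last_change_ts = p.total_act_power, p.ts
        elif p.ts - last_change_ts > STALE_SECONDS:
            alerts.append(f"{p.ts:.0f}: telemetry unchanged for {p.ts - last_change_ts:.0f}s")
            last_change_ts = p.ts                    # re-arm: alert once per stale window
    return alerts


# Constructed sample: three healthy readings, then the meter stops answering.
SAMPLE_POLLS = [Poll(0, True, 1520.3), Poll(30, True, 1498.7), Poll(60, True, 1510.0),
                Poll(90, False), Poll(120, False), Poll(150, False), Poll(180, False)]
```

In a real deployment the poll loop calls probe() on each meter's address every 30 s and forwards evaluate() output to the SCADA alarm or SIEM channel already used for telemetry gaps.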
CVEs (1)
API:
/api/v1/advisories/3e28b6b6-6988-4ab9-80b9-c675af6058f4