Executive Summary
In November 2025, a significant vulnerability (CVE-2025-11243) was disclosed in Shelly Pro 4PM, a smart DIN rail switch commonly used in critical manufacturing environments worldwide. The flaw, arising from improper resource allocation and lack of input bounds checking, allowed an attacker on the local network to trigger a denial-of-service condition by sending specially crafted RPC requests. This caused the device to overallocate memory and reboot, risking loss of control or downtime in industrial settings. No exploitation has been reported publicly, but affected firmware versions prior to 1.6 remain at risk until patched.
This incident underscores the persistent risk of denial-of-service vulnerabilities in IoT and industrial devices, especially as connected manufacturing assets proliferate. The failure in secure resource management highlights the growing regulatory and operational focus on robust device security amid expanding threat surfaces.
Why This Matters Now
As industrial and IoT devices become increasingly prevalent in critical infrastructure, vulnerabilities like this illustrate the urgent need for proactive security controls, network isolation, and rapid patching. Resource allocation flaws remain a prime target for threat actors seeking to disrupt operations, making swift detection and mitigation more crucial than ever.
Attack Path Analysis
An attacker accessed a vulnerable Shelly Pro 4PM device via network adjacency and exploited the lack of input bounds checking on its RPC endpoints by sending a crafted request. No privilege escalation was required, and the attacker's actions were limited to the targeted device. No lateral movement was detected or required, since the attack only needed access to that specific device. The attacker maintained a basic communication channel to deliver the payload; no sophisticated C2 was needed. There is no evidence of, or mechanism described for, exfiltrating data. Successful exploitation led to a denial of service: the device ran out of memory and rebooted, impacting availability.
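A defender-side illustration of the controls whose absence is described above (a request-size bound, a nesting bound that limits what the JSON parser can allocate, and per-source throttling), added here as an example; it is not code from the page, the CISA advisory or Shelly's firmware, and the limit values, the `guard_rpc` function and the constructed request bodies are assumptions for the illustration.

```python
import json
import time
from collections import defaultdict, deque

# Assumed limits for this illustration; the device's real limits are not on the page.
MAX_BODY_BYTES = 4096         # reject oversized RPC bodies before they are parsed
MAX_NESTING = 8               # reject deeply nested JSON that inflates parser allocations
MAX_REQUESTS_PER_WINDOW = 20  # per-source request budget within WINDOW_SECONDS
WINDOW_SECONDS = 10.0

_recent = defaultdict(deque)  # source address -> timestamps of accepted requests


def _nesting_depth(obj, depth=0):
    """Return the maximum container nesting depth of a parsed JSON value."""
    if isinstance(obj, dict):
        return max((_nesting_depth(v, depth + 1) for v in obj.values()), default=depth + 1)
    if isinstance(obj, list):
        return max((_nesting_depth(v, depth + 1) for v in obj), default=depth + 1)
    return depth


def _throttled(source, now):
    """Sliding-window throttle: True if the source has exhausted its budget."""
    window = _recent[source]
    while window and now - window[0] > WINDOW_SECONDS:
        window.popleft()
    if len(window) >= MAX_REQUESTS_PER_WINDOW:
        return True
    window.append(now)
    return False


def guard_rpc(source, body, now=None):
    """Check an RPC body before any allocation-heavy work.

    Returns (accepted, reason, request); request is the parsed call when accepted.
    Order matters: throttling and the size cap run before json.loads so a
    hostile body never reaches the parser.
    """
    now = time.monotonic() if now is None else now
    if _throttled(source, now):
        return False, "throttled", None
    if len(body) > MAX_BODY_BYTES:
        return False, "body too large", None
    try:
        request = json.loads(body)
    except ValueError:
        return False, "malformed json", None
    if _nesting_depth(request) > MAX_NESTING:
        return False, "nesting too deep", None
    if not isinstance(request, dict) or not isinstance(request.get("method"), str):
        return False, "not an rpc call", None
    return True, "ok", request
```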
Kill Chain Progression
Initial Compromise
Description
Attackers exploited the lack of resource limits on the device's RPC endpoint from an adjacent network to trigger a denial-of-service.
Related CVEs
CVE-2025-11243
CVSS 7.4. An allocation of resources without limits or throttling vulnerability in Shelly Pro 4PM versions prior to 1.6 allows excessive allocation via the network, potentially leading to a denial-of-service condition.
Affected Products:
Shelly Pro 4PM – versions prior to 1.6
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Endpoint Denial of Service
Network Denial of Service
External Remote Services
Exploit Public-Facing Application
Hardware Additions
Impair Defenses
Acquire Infrastructure
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
NIS2 Directive – Incident Handling and Resilience
Control ID: Art. 21(2)(d)
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: Section 500.03
PCI DSS 4.0 – Protection of Public-Facing Applications
Control ID: Requirement 6.4.1
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 9(2)
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Secure Application Development and Deployment
Control ID: Applications Pillar - 3.2
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Critical Manufacturing
Shelly Pro 4PM DIN rail switches face denial-of-service vulnerabilities affecting industrial control systems, requiring network isolation and firmware updates per CISA advisory.
Utilities
Smart switch vulnerabilities in power distribution systems create operational disruption risks, demanding enhanced network segmentation and zero trust security implementations.
Industrial Automation
JSON parser memory overallocation attacks threaten the reliability of automated systems, necessitating egress filtering and anomaly detection capabilities for operational continuity.
Building Materials
Manufacturing facility control systems using the affected smart switches are vulnerable to crafted RPC requests that cause device reboots and production line disruptions.
Sources
- Shelly Pro 4PM (CISA ICS advisory): https://www.cisa.gov/news-events/ics-advisories/icsa-25-322-02
- Shelly Pro 4PM Vulnerabilities (Nozomi Networks): https://www.nozominetworks.com/blog/shelly-pro-4pm-vulnerabilities
- NVD CVE-2025-11243 Detail: https://nvd.nist.gov/vuln/detail/CVE-2025-11243
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, east-west traffic controls, and cloud firewall enforcement would have limited attackers' ability to exploit the device from adjacent networks and contained potential lateral movement or DoS proliferation. Granular policy and visibility would further detect or block anomalous attempts at resource exhaustion targeting ICS endpoints.
Control: Zero Trust Segmentation
Mitigation: Unauthenticated requests from untrusted or unauthorized network segments would be blocked.
Control: Cloud Firewall (ACF)
Mitigation: Unnecessary network exposure to RPC endpoints would be minimized.
Control: East-West Traffic Security
Mitigation: Lateral discovery and exploit attempts between workloads would be monitored and limited.
Control: Threat Detection & Anomaly Response
Mitigation: Anomalous traffic patterns indicative of exploit attempts are detected quickly.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound communications are tightly controlled to prevent future data loss.
Autonomous, inline controls reduce blast radius and provide operational observability.
Impact at a Glance
Affected Business Functions
- Industrial Control Systems
- Smart Home Automation
Estimated downtime: 2 days
Estimated loss: $50,000
No data exposure reported; primary impact is operational disruption due to device reboots.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust segmentation to strictly isolate critical OT devices from adjacent network access.
- Deploy internal east-west traffic controls and microsegmentation to contain lateral exploit attempts across similar devices.
- Enforce least-privilege firewall policies and restrict RPC management interfaces to designated subnets or identities.
- Utilize real-time anomaly detection to rapidly identify and respond to denial-of-service or resource exhaustion attempts.
- Continuously monitor and audit device exposure while maintaining up-to-date firmware to address known vulnerabilities.