Executive Summary
In November 2025, a critical Out-of-Bounds Read vulnerability (CVE-2025-12056) was disclosed in the Shelly Pro 3EM, a smart DIN rail switch used in industrial control systems worldwide. Security researchers revealed that a specially crafted Modbus request allows attackers on the adjacent network to trigger an illegal memory access, causing a denial-of-service condition by repeatedly rebooting the device. All versions of the Pro 3EM are affected, including deployments across critical manufacturing sectors. Shelly did not issue an official response, leaving users to rely on CISA defensive guidance.
This incident exemplifies the growing risk of targeted vulnerabilities in widely deployed OT (operational technology) and industrial IoT devices. As criminals and nation-state actors increasingly focus on ICS and critical infrastructure, maintaining robust segmentation, access controls, and secure outbound communications is more relevant than ever.
Why This Matters Now
Industrial control system vulnerabilities targeting device protocols like Modbus are rising, exposing manufacturers to outages and operational disruptions. With automated attacks against critical infrastructure accelerating and vendor coordination sometimes lacking, urgent attention to device network exposure, segmentation, and incident response has become essential.
Attack Path Analysis
In the modeled attack path, the attacker first gains network access to the environment of the Shelly Pro 3EM, most likely through an exposed or poorly segmented industrial control network. No privilege escalation is required: network reachability alone is enough to send the specially crafted Modbus requests that trigger the out-of-bounds read (CVE-2025-12056) and force the device into a reboot loop. In a flat or poorly segmented topology, the same reachability could be used to move laterally toward adjacent OT devices. Command and control would be minimal in this scenario, amounting at most to keeping connectivity to the affected device. Data exfiltration is unlikely given the nature of the flaw; the tangible impact is loss of device availability, i.e. a denial-of-service condition within the operational technology (OT) environment.
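The advisory does not describe the Pro 3EM firmware internals, so the following is a generic illustration added here, not Shelly's code and not a reproduction of CVE-2025-12056. It shows the defect class behind an out-of-bounds read in a Modbus responder: a "Read Holding Registers" (function 0x03) handler that trusts the start address and quantity from the request, next to a hardened handler that validates framing and address range and answers bad requests with a standard Modbus exception response. The register table, the request bytes and the handler names are constructed for the example; in Python the unchecked handler raises instead of reading past a buffer, which stands in for the crash and reboot the advisory describes.

```python
"""Generic Modbus 'Read Holding Registers' (FC 0x03) handler, unchecked vs. checked.
Constructed example: not the Shelly Pro 3EM firmware, does not model CVE-2025-12056."""
import struct

FC_READ_HOLDING = 0x03
EXC_ILLEGAL_FUNCTION = 0x01
EXC_ILLEGAL_DATA_ADDRESS = 0x02
EXC_ILLEGAL_DATA_VALUE = 0x03
MAX_REGISTERS_PER_READ = 125  # limit from the Modbus application protocol spec

# Constructed register table: a small device exposing eight 16-bit holding registers.
REGISTER_TABLE = [0x0000, 0x0101, 0x0202, 0x0303, 0x0404, 0x0505, 0x0606, 0x0707]


def _response(fc: int, values) -> bytes:
    """Normal FC03 response: function code, byte count, then big-endian registers."""
    return struct.pack(">BB", fc, 2 * len(values)) + b"".join(struct.pack(">H", v) for v in values)


def _exception(fc: int, code: int) -> bytes:
    """Modbus exception response: function code with the high bit set, then the exception code."""
    return bytes([(fc | 0x80) & 0xFF, code])


def handle_unchecked(pdu: bytes) -> bytes:
    """Naive handler: uses start address and quantity straight from the request.
    A request reaching past the table raises IndexError, the Python analogue of an
    out-of-bounds read that crashes an embedded device."""
    fc, start, qty = struct.unpack(">BHH", pdu[:5])
    values = [REGISTER_TABLE[start + i] for i in range(qty)]  # may run off the table
    return _response(fc, values)


def handle_checked(pdu: bytes) -> bytes:
    """Hardened handler: validates length, function, quantity and address range
    before touching the table, and reports problems as exception responses."""
    if len(pdu) != 5:
        return _exception(FC_READ_HOLDING, EXC_ILLEGAL_DATA_VALUE)
    fc, start, qty = struct.unpack(">BHH", pdu)
    if fc != FC_READ_HOLDING:
        return _exception(fc, EXC_ILLEGAL_FUNCTION)
    if not 1 <= qty <= MAX_REGISTERS_PER_READ:
        return _exception(fc, EXC_ILLEGAL_DATA_VALUE)
    if start + qty > len(REGISTER_TABLE):
        return _exception(fc, EXC_ILLEGAL_DATA_ADDRESS)
    return _response(fc, REGISTER_TABLE[start:start + qty])


def crashes(handler, pdu: bytes) -> bool:
    """True if the handler raises on this request (the crash/reboot analogue)."""
    try:
        handler(pdu)
        return False
    except (IndexError, struct.error):
        return True


if __name__ == "__main__":
    # Constructed requests: a valid read of registers 2..4, and a read past the table end.
    good = bytes([0x03, 0x00, 0x02, 0x00, 0x03])
    past_end = bytes([0x03, 0x00, 0x06, 0x00, 0x04])
    print("valid request, checked  :", handle_checked(good).hex())
    print("past end, checked       :", handle_checked(past_end).hex())
    print("past end, unchecked     :", "crash" if crashes(handle_unchecked, past_end) else "ok")
```

The point for a defender is the response shape: a well-behaved device answers an out-of-range read with `83 02` (illegal data address) and keeps running, whereas a device that reads past its table may reset, which is the availability loss the advisory describes.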
Kill Chain Progression
Initial Compromise
Description
Attacker accesses the industrial network segment where Pro 3EM resides by exploiting a lack of network segmentation or insufficient firewalling.
Related CVEs
CVE-2025-12056
CVSS 7.4
An out-of-bounds read vulnerability in Shelly Pro 3EM allows an attacker to cause a denial-of-service condition by sending specially crafted Modbus requests.
Affected Products:
Shelly Pro 3EM – All versions
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Denial of Service
Service Stop
Data Manipulation
Block Communication
Modify Controller Tasking
Command and Scripting Interpreter
Network Sniffing
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Protection of Critical Systems
Control ID: 1.4.4
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 10
CISA ZTMM 2.0 – Segment and Limit Exposure
Control ID: Network & Environment Isolation
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Utilities
Critical infrastructure vulnerability in smart DIN rail switches threatens power monitoring systems, requiring immediate network segmentation and industrial control systems protection.
Oil/Energy/Solar/Greentech
Energy management devices vulnerable to Modbus-based denial-of-service attacks could disrupt renewable energy monitoring and traditional power generation control systems.
Industrial Automation
Manufacturing control systems using Shelly Pro 3EM devices face operational disruption from out-of-bounds read vulnerabilities in Modbus communication protocols.
Building Materials
Smart building automation and energy monitoring infrastructure exposed to denial-of-service conditions through crafted Modbus requests targeting critical manufacturing processes.
Sources
- Shelly Pro 3EM: https://www.cisa.gov/news-events/ics-advisories/icsa-25-322-03 (Verified)
- CVE-2025-12056 Detail: https://nvd.nist.gov/vuln/detail/CVE-2025-12056 (Verified)
- Vulnerability Advisory: CVE-2025-12056: https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-12056 (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Implementing Zero Trust segmentation, strict east-west traffic controls, encrypted traffic enforcement, cloud-native firewalls, and continuous anomaly detection would have dramatically reduced unauthorized network reachability, contained the attack surface, and potentially blocked or detected malicious Modbus requests before the device could be impacted.
Control: Zero Trust Segmentation
Mitigation: Prevents unauthorized or unknown network connections to OT devices.
Control: Cloud Firewall (ACF)
Mitigation: Restricts protocol and port-level exposure to known, allowed entities.
Control: East-West Traffic Security
Mitigation: Prevents spread of malicious traffic or scanning between internal resources.
Control: Threat Detection & Anomaly Response
Mitigation: Detects abnormal device communications and triggers alerts.
Control: Egress Security & Policy Enforcement
Mitigation: Blocks unauthorized outbound attempts by OT devices.
Enables rapid detection and forensic investigation of system outages.
Impact at a Glance
Affected Business Functions
- Energy Monitoring
- Industrial Automation
Estimated downtime: 2 days
Estimated loss: $50,000
No data exposure; vulnerability leads to denial-of-service condition.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust segmentation and strict network access controls to isolate industrial devices from unnecessary network exposure.
- Enforce protocol and port-level policies using cloud-native firewalls to restrict Modbus access only to trusted sources.
- Apply microsegmentation and east-west traffic controls to prevent lateral movement and contain threats within OT environments.
- Deploy continuous anomaly detection and response platforms to baseline expected device behavior and highlight malicious activity.
- Maintain comprehensive visibility and centralized policy across hybrid and multi-cloud deployments to quickly detect and respond to outages or attacks.
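The controls above (allowlisted Modbus access, protocol-level policy, anomaly detection) can be expressed as a small policy engine run over flow records. The following is an added example, not a CNSF product feature and not Shelly code: it parses constructed Modbus/TCP flow records, blocks sources that are not on the Modbus allowlist, alerts on frames whose MBAP header disagrees with the bytes actually carried, and alerts on a polling burst above a per-source baseline. All addresses, the log format and the threshold values are constructed for the example.

```python
"""Segmentation allowlist, MBAP sanity and burst baseline for Modbus/TCP flow records.
Constructed example: made-up hosts, log format and thresholds; not a product's own logic."""
import struct
from collections import defaultdict, deque
from dataclasses import dataclass

MODBUS_PORT = 502
WINDOW_SECONDS = 10
BURST_LIMIT = 20  # requests per source inside one window before alerting (constructed)

# Constructed segmentation policy: only these SCADA/HMI hosts may poll these meters.
ALLOWED_MASTERS = {"10.20.0.10", "10.20.0.11"}
METERS = {"10.30.5.21", "10.30.5.22"}


@dataclass
class Verdict:
    ts: int
    src: str
    action: str  # "allow", "block" or "alert"
    reason: str


def parse_mbap(payload: bytes):
    """Validate the 7-byte Modbus/TCP (MBAP) header against the bytes present.
    Returns (transaction_id, unit_id, pdu), or None when the protocol id is not 0,
    the length field disagrees with the data, or no function code follows."""
    if len(payload) < 8:
        return None
    tid, pid, length, uid = struct.unpack(">HHHB", payload[:7])
    if pid != 0 or length < 2 or length != len(payload) - 6:
        return None
    return tid, uid, payload[7:]


def parse_record(line: str) -> dict:
    """Parse one 'key=value' flow record (constructed log format)."""
    fields = dict(item.split("=", 1) for item in line.split())
    fields["ts"] = int(fields["ts"])
    fields["dport"] = int(fields["dport"])
    fields["data"] = bytes.fromhex(fields["data"])
    return fields


def evaluate(lines):
    """Apply allowlist, header sanity and burst checks to Modbus/TCP records in order."""
    recent = defaultdict(deque)  # src -> timestamps inside the current window
    verdicts = []
    for line in lines:
        r = parse_record(line)
        if r["dport"] != MODBUS_PORT or r["dst"] not in METERS:
            continue  # not Modbus traffic to a meter; out of scope for this policy
        if r["src"] not in ALLOWED_MASTERS:
            verdicts.append(Verdict(r["ts"], r["src"], "block", "source not in Modbus allowlist"))
            continue
        if parse_mbap(r["data"]) is None:
            verdicts.append(Verdict(r["ts"], r["src"], "alert", "malformed MBAP header"))
            continue
        window = recent[r["src"]]
        window.append(r["ts"])
        while window and window[0] < r["ts"] - WINDOW_SECONDS:
            window.popleft()
        if len(window) > BURST_LIMIT:
            verdicts.append(Verdict(r["ts"], r["src"], "alert", "request burst exceeds baseline"))
            continue
        verdicts.append(Verdict(r["ts"], r["src"], "allow", "policy and framing ok"))
    return verdicts


def summarize(verdicts) -> dict:
    """Count verdicts per action, e.g. {'allow': 20, 'block': 1, 'alert': 5}."""
    counts = defaultdict(int)
    for v in verdicts:
        counts[v.action] += 1
    return dict(counts)


# Constructed sample: a valid Read Holding Registers poll, an off-segment host,
# a frame whose length field disagrees with its data, and a polling burst.
VALID_FRAME = "000100000006010300000002"          # tid=1 pid=0 len=6 uid=1, FC03 start=0 qty=2
BAD_LENGTH_FRAME = "000200000006010300000002ffff"  # len=6 but 8 bytes follow the header
SAMPLE_LOG = [
    f"ts=1763460000 src=10.20.0.10 dst=10.30.5.21 dport=502 data={VALID_FRAME}",
    f"ts=1763460001 src=10.40.9.9 dst=10.30.5.21 dport=502 data={VALID_FRAME}",
    f"ts=1763460002 src=10.20.0.11 dst=10.30.5.22 dport=502 data={BAD_LENGTH_FRAME}",
] + [
    f"ts=1763460005 src=10.20.0.10 dst=10.30.5.21 dport=502 data={VALID_FRAME}"
    for _ in range(BURST_LIMIT + 3)
]

if __name__ == "__main__":
    for v in evaluate(SAMPLE_LOG):
        print(v.ts, v.src, v.action.upper(), v.reason)
    print(summarize(evaluate(SAMPLE_LOG)))
```

The order of checks matters: the allowlist decision comes first so that an off-segment host is blocked before any of its bytes are parsed, which is the segmentation control; the MBAP check and the burst baseline then cover traffic from hosts that are permitted but misbehaving, which is the anomaly-detection control.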