
CISA issues alert for Shelly Pro 3EM vulnerability causing denial of service

The Shelly Pro 3EM smart DIN rail switch contains a vulnerability involving an out-of-bounds read that can lead to the device rebooting, potentially resulting in a Denial of Service (DoS) condition.

This issue, tracked as CVE-2025-12056, affects all versions of the Pro 3EM. It is triggered when the device processes a specially crafted Modbus request that directs it to access a data address outside the valid range, and the firmware has no error handling for that case, so the read runs past the register data. The vulnerability carries a Common Vulnerability Scoring System (CVSS) version 3 base score of 7.4 and a CVSS version 4 base score of 8.3. Both vectors describe an attack of low complexity that requires no privileges and no user interaction, with impact on availability only (no confidentiality or integrity impact).

Successful exploitation leaves the device in a DoS state: the invalid data access causes it to reboot, and an attacker who can deliver the request once can deliver it again after each restart, keeping the meter offline.
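To make the defect concrete, here is an added example (written for this article; it is not Shelly firmware and not code from the CISA advisory) of a Modbus TCP "Read Holding Registers" handler in the shape the advisory describes, next to a hardened version. The register table size, the function names and the assumption that an out-of-bounds read on the target ends in a fault and reboot are all illustrative; the Modbus function and exception codes are the standard ones from the Modbus application protocol. The sample frame at the bottom is constructed, not a capture.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical register table; 64 entries is an assumption for this example. */
#define REG_COUNT 64u
static uint16_t regs[REG_COUNT];

/* Modbus function and exception codes from the Modbus application protocol. */
#define FC_READ_HOLDING      0x03
#define EXC_ILLEGAL_FUNCTION 0x01
#define EXC_ILLEGAL_ADDRESS  0x02
#define EXC_ILLEGAL_VALUE    0x03
#define MAX_READ_QTY         125u   /* spec limit for one Read Holding Registers request */

static uint16_t be16(const uint8_t *p) { return (uint16_t)(((unsigned)p[0] << 8) | p[1]); }

/* Exception PDU: function code with the high bit set, then the exception code. */
static size_t build_exception(uint8_t fc, uint8_t code, uint8_t *out) {
    out[0] = (uint8_t)(fc | 0x80);
    out[1] = code;
    return 2;
}

/* The defect pattern: address and quantity come straight off the wire and index
 * the table. With addr + qty past REG_COUNT the loop reads beyond the array
 * (out-of-bounds read); on a microcontroller that usually ends in a fault handler
 * and a reboot. Shown for contrast only; never feed it untrusted input. */
size_t handle_read_holding_unchecked(const uint8_t *pdu, uint8_t *out) {
    uint16_t addr = be16(pdu + 1), qty = be16(pdu + 3);
    out[0] = FC_READ_HOLDING;
    out[1] = (uint8_t)(qty * 2);
    for (uint16_t i = 0; i < qty; i++) {
        out[2 + 2 * i] = (uint8_t)(regs[addr + i] >> 8);
        out[3 + 2 * i] = (uint8_t)(regs[addr + i] & 0xFF);
    }
    return 2 + 2 * (size_t)qty;
}

/* Hardened handler: every field is validated before the table is touched, and a
 * bad request gets a Modbus exception response instead of a crash. */
size_t handle_read_holding_checked(const uint8_t *pdu, size_t len, uint8_t *out) {
    if (len < 5) return build_exception(FC_READ_HOLDING, EXC_ILLEGAL_VALUE, out);
    if (pdu[0] != FC_READ_HOLDING) return build_exception(pdu[0], EXC_ILLEGAL_FUNCTION, out);
    uint16_t addr = be16(pdu + 1), qty = be16(pdu + 3);
    if (qty == 0 || qty > MAX_READ_QTY)
        return build_exception(FC_READ_HOLDING, EXC_ILLEGAL_VALUE, out);
    /* 32-bit arithmetic so addr + qty cannot wrap around a 16-bit sum. */
    if ((uint32_t)addr + qty > REG_COUNT)
        return build_exception(FC_READ_HOLDING, EXC_ILLEGAL_ADDRESS, out);
    out[0] = FC_READ_HOLDING;
    out[1] = (uint8_t)(qty * 2);
    for (uint16_t i = 0; i < qty; i++) {
        out[2 + 2 * i] = (uint8_t)(regs[addr + i] >> 8);
        out[3 + 2 * i] = (uint8_t)(regs[addr + i] & 0xFF);
    }
    return 2 + 2 * (size_t)qty;
}

/* Modbus TCP framing: MBAP header (transaction id, protocol id, length, unit id)
 * then the PDU. Returns the response ADU length, or 0 for a frame whose header
 * disagrees with what was actually received (drop it, do not guess). */
size_t handle_modbus_tcp(const uint8_t *adu, size_t len, uint8_t *out) {
    if (len < 8) return 0;
    uint16_t proto = be16(adu + 2);
    uint16_t plen  = be16(adu + 4);   /* bytes after the length field: unit id + PDU */
    if (proto != 0 || plen < 2 || (size_t)plen + 6 != len) return 0;
    size_t rlen = handle_read_holding_checked(adu + 7, len - 7, out + 7);
    memcpy(out, adu, 4);                       /* echo transaction and protocol ids */
    out[4] = (uint8_t)((rlen + 1) >> 8);
    out[5] = (uint8_t)((rlen + 1) & 0xFF);
    out[6] = adu[6];                           /* unit id */
    return rlen + 7;
}

/* Run one (addr, qty) request through the checked handler; returns the first two
 * response bytes packed: 0x03nn = data with nn payload bytes, 0x83ee = exception ee. */
int checked_reply(uint16_t addr, uint16_t qty) {
    uint8_t pdu[5] = { FC_READ_HOLDING, (uint8_t)(addr >> 8), (uint8_t)addr,
                       (uint8_t)(qty >> 8), (uint8_t)qty };
    uint8_t out[256];
    handle_read_holding_checked(pdu, sizeof pdu, out);
    return (out[0] << 8) | out[1];
}

/* Constructed sample frame (not a capture): read 10 registers from 0xFFF0, far
 * past the table. Returns the packed first two PDU bytes of the response, or -1
 * if the frame was not answered with a 2-byte exception PDU. */
int demo_crafted_request(void) {
    const uint8_t frame[12] = { 0x00, 0x01,  0x00, 0x00,  0x00, 0x06,  0x01,
                                FC_READ_HOLDING, 0xFF, 0xF0, 0x00, 0x0A };
    uint8_t out[260];
    size_t n = handle_modbus_tcp(frame, sizeof frame, out);
    if (n != 9) return -1;   /* 7-byte MBAP header + 2-byte exception PDU */
    return (out[7] << 8) | out[8];
}

int main(void) {
    printf("valid read (0,2):  0x%04X\n", checked_reply(0, 2));
    printf("past end (60,5):   0x%04X\n", checked_reply(60, 5));
    printf("crafted frame:     0x%04X\n", demo_crafted_request());
    return 0;
}
```

The checked handler answers the crafted frame with exception 0x02 (Illegal Data Address) and stays up; the unchecked one would walk off the end of `regs`. The two details that matter in a real port are the 32-bit sum (a 16-bit `addr + qty` can wrap to a small value and pass a naive check) and the MBAP length comparison, which stops a short frame from being parsed as if it carried a full PDU.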

Shelly, the vendor headquartered in Bulgaria, did not respond to coordination attempts by the Cybersecurity and Infrastructure Security Agency (CISA), so the advisory carries no vendor fix or guidance; users are advised to contact Shelly directly for updates. In the meantime CISA recommends its standard control system mitigations: minimize network exposure for these devices and ensure they are not reachable from the internet, place control system networks and devices behind firewalls and isolate them from business networks, and where remote access is required use secure methods such as virtual private networks, bearing in mind that a VPN is only as secure as the devices connected to it and must itself be kept updated.

Organizations are encouraged to conduct impact analyses and risk assessments before applying defensive measures. Resources with recommended practices for control system security and cyber defense strategies are available on CISA's industrial control systems webpage. Entities detecting suspected malicious activity should follow internal protocols and report incidents to CISA. At the time of publication there was no indication of public exploitation targeting this vulnerability, which CISA classifies as not exploitable remotely: the attacker needs network-level reach to the device's Modbus interface rather than a path from the internet, which makes the network isolation above the main control until a fix is available.