CISA issues alert on Shelly Pro 4PM vulnerability causing denial of service
The Shelly Pro 4PM smart DIN rail switch models with firmware versions before 1.6 contain a vulnerability related to unrestricted allocation of resources, which can lead to Denial of Service (DoS) conditions upon exploitation.
The vulnerability, identified as CVE-2025-11243, affects the JSON parser used by the device's RPC (Remote Procedure Call) interface. An attacker on the same network who sends a crafted request to any RPC endpoint can make the parser allocate an excessive amount of memory; the device then reboots, producing a DoS condition. Shelly Pro 4PM devices running firmware versions prior to 1.6 are affected. The vulnerability has been assigned a Common Vulnerability Scoring System (CVSS) version 3 base score of 7.4 with the vector (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H) and a CVSS version 4 base score of 8.3 with the vector (AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H). Both vectors record adjacent-network access (AV:A) with no privileges or user interaction required, and an impact limited to availability.
Because the device reboots rather than crashing into a recoverable state, each successful request interrupts whatever the switch is controlling for the duration of the restart, and the request can be repeated.
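The weakness class here is unrestricted resource allocation driven by untrusted JSON: the parser starts allocating before anything has checked how large or how deeply nested the request is. The following is an added illustration of the usual firmware-side fix, written for this page and not taken from Shelly's firmware (the advisory does not say which JSON construct triggers the allocation). It performs a bounded structural pre-check of the raw request body (total length, nesting depth, and an approximate count of allocatable values) before any parser is allowed to build a tree. The limit values, the `json_precheck` function, and the sample request bodies are constructed for the example; the `{"id":..,"method":..,"params":..}` shape is used only as a plausible RPC request and is not an exploit.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result of the pre-parse check. Anything other than JSON_OK means the body
 * is rejected before the real parser allocates a single node. */
enum json_check {
    JSON_OK = 0,
    JSON_TOO_LONG,          /* body exceeds max_len */
    JSON_TOO_DEEP,          /* nesting exceeds max_depth */
    JSON_TOO_MANY_VALUES,   /* more strings/containers than max_values */
    JSON_UNBALANCED         /* mismatched brackets or unterminated string */
};

/* Hypothetical per-endpoint budget; values are assumptions for this example. */
typedef struct {
    size_t max_len;     /* bytes of request body accepted */
    int    max_depth;   /* nesting of {} and [] allowed */
    size_t max_values;  /* strings + containers (each typically costs an allocation) */
} json_limits;

#define JSON_STACK_CAP 64   /* hard upper bound on depth tracked here */

/* Scan the body once, without allocating, and enforce the budget.
 * Strings are skipped correctly (escaped quotes do not end a string), so
 * brackets inside string values are not counted as nesting. */
enum json_check json_precheck(const char *buf, size_t len, const json_limits *lim)
{
    unsigned char stack[JSON_STACK_CAP];
    int depth = 0, in_string = 0, escaped = 0;
    size_t values = 0;
    int cap = lim->max_depth < JSON_STACK_CAP ? lim->max_depth : JSON_STACK_CAP;

    if (len > lim->max_len)
        return JSON_TOO_LONG;

    for (size_t i = 0; i < len; i++) {
        char c = buf[i];
        if (in_string) {
            if (escaped)          escaped = 0;
            else if (c == '\\')   escaped = 1;
            else if (c == '"')    in_string = 0;
            continue;
        }
        switch (c) {
        case '"':
            in_string = 1;
            values++;
            break;
        case '{':
        case '[':
            if (depth >= cap)
                return JSON_TOO_DEEP;
            stack[depth++] = (unsigned char)c;
            values++;
            break;
        case '}':
        case ']':
            if (depth == 0)
                return JSON_UNBALANCED;
            if ((c == '}' && stack[depth - 1] != '{') ||
                (c == ']' && stack[depth - 1] != '['))
                return JSON_UNBALANCED;
            depth--;
            break;
        default:
            break;
        }
        if (values > lim->max_values)
            return JSON_TOO_MANY_VALUES;
    }
    if (in_string || depth != 0)
        return JSON_UNBALANCED;
    return JSON_OK;
}

/* Build n nested arrays ("[[[...]]]") into out; returns the length written.
 * Used only to construct a hostile sample for the demo. */
size_t build_nested(char *out, size_t out_cap, size_t n)
{
    if (2 * n + 1 > out_cap)
        return 0;
    memset(out, '[', n);
    memset(out + n, ']', n);
    out[2 * n] = '\0';
    return 2 * n;
}

int main(void)
{
    /* Budget a small embedded RPC endpoint might use (assumed values). */
    const json_limits lim = { 4096, 16, 256 };
    /* Constructed sample of a benign RPC request body. */
    const char *ok = "{\"id\":1,\"method\":\"Switch.GetStatus\",\"params\":{\"id\":0}}";
    char nested[512];
    size_t n = build_nested(nested, sizeof nested, 200);

    printf("benign request : %d (0 = accepted)\n", json_precheck(ok, strlen(ok), &lim));
    printf("200-deep arrays: %d (2 = too deep)\n", json_precheck(nested, n, &lim));
    return 0;
}
```

The check is deliberately a separate pass over the raw bytes rather than a patch inside the parser: it needs no allocation of its own, so it cannot be the thing that exhausts memory, and it can be applied uniformly in front of every RPC endpoint regardless of which method the request names.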
Shelly has not responded to attempts to coordinate disclosure of this issue. Users are advised to upgrade their Shelly Pro 4PM devices to firmware version 1.6 or later, as those versions do not exhibit the vulnerability.
Recommended defensive measures include limiting network exposure of affected devices by ensuring they are not reachable from the internet, isolating control system networks and remote devices behind firewalls and away from business networks, and using secure remote access mechanisms such as virtual private networks (VPNs) where remote access is required, while keeping the VPN endpoints themselves updated. Since the attack requires only adjacent-network access, segmenting the devices from untrusted clients on the local network matters as much as blocking inbound internet traffic. Organizations should perform proper impact analysis and risk assessment before deploying any defensive controls. Further guidance is available through established control systems security practices and technical information papers published by cybersecurity authorities. Suspected malicious activity should be handled according to internal procedures and reported for incident correlation. The vulnerability is exploitable only from an adjacent network, not remotely, and to date no public exploitation specifically targeting it has been reported.