All news with #shelly tag

Shelly Pro 3EM Out-of-Bounds Read Causes Reboots and DoS

⚠️ A remote-accessible out-of-bounds read vulnerability (CVE-2025-12056) in Shelly Pro 3EM can be triggered by a specially crafted Modbus request to force the device to access illegal memory addresses and reboot. CISA assigns a CVSS v4 score of 8.3 and warns this may result in a denial-of-service condition. Shelly did not respond to coordination; users should contact the vendor, keep devices updated, minimize network exposure, and follow recommended ICS defensive practices.

CISA Issues Six New Industrial Control Systems Advisories

🔔 CISA released six Industrial Control Systems (ICS) advisories detailing current security issues, vulnerabilities, and potential exploits affecting multiple vendors and products. The advisories cover Schneider Electric products (including EcoStruxure Machine SCADA Expert, Pro-face BLUE Open Studio, and PowerChute Serial Shutdown), Shelly Pro devices, and METZ CONNECT hardware. One advisory is an update (B) to a prior Schneider Electric notice. Users and administrators are encouraged to review the technical details and apply recommended mitigations promptly.

Shelly Pro 4PM DoS Vulnerability (CVE-2025-11243)

⚠ A vulnerability in Shelly Pro 4PM (CVE-2025-11243) can cause device reboots and denial-of-service conditions. Due to insufficient input bounds checking in the device's JSON parser, specially crafted RPC requests can trigger memory overallocation and force a reboot. Devices running firmware prior to v1.6 are affected; CISA notes the exploit is reachable from adjacent networks with low attack complexity. Operators should update to v1.6.0 or later and limit network exposure.