CVE-2025-11243 is a vulnerability classified under CWE-770, which pertains to allocation of resources without limits or throttling, found in the Shelly Pro 4PM smart device firmware versions before 1.6. This vulnerability allows an unauthenticated attacker to send network requests that cause the device to allocate excessive resources, such as memory or processing power, without any effective throttling or limitation mechanisms. The absence of authentication, user interaction, or privileges required lowers the barrier for exploitation. The excessive allocation can lead to resource exhaustion, resulting in denial of service (DoS) conditions where the device becomes unresponsive or crashes. The CVSS 4.0 base score is 8.3, reflecting high severity due to the network attack vector, low attack complexity, no privileges or user interaction needed, and a high impact on availability. Although no known exploits have been reported in the wild yet, the vulnerability poses a significant risk to environments relying on Shelly Pro 4PM devices for smart power management and automation. The Shelly Pro 4PM is commonly used in smart buildings, industrial automation, and energy management, making the vulnerability relevant for organizations deploying IoT infrastructure. The lack of patch links suggests that a fix may be forthcoming or pending release. The vulnerability was reserved in early October 2025 and published in November 2025, indicating recent discovery and disclosure.

For European organizations, the impact of CVE-2025-11243 can be substantial, particularly for those relying on Shelly Pro 4PM devices in critical infrastructure such as smart buildings, manufacturing facilities, and energy management systems. Exploitation can lead to denial of service, causing operational disruptions, loss of monitoring and control capabilities, and potential safety risks if power management is affected. This can result in financial losses due to downtime and damage to reputation. The vulnerability's network-based exploitation vector means attackers can launch attacks remotely, increasing the threat surface. Given the increasing adoption of IoT and smart devices across Europe, the risk is amplified. Organizations in sectors with stringent availability requirements, such as healthcare, manufacturing, and utilities, are especially vulnerable. Additionally, disruption in energy management devices could have cascading effects on energy efficiency and regulatory compliance. The absence of known exploits currently provides a window for proactive mitigation before widespread attacks occur.

To mitigate CVE-2025-11243, European organizations should prioritize updating Shelly Pro 4PM devices to firmware version 1.6 or later once the patch is officially released. Until then, network-level controls should be implemented to restrict access to these devices, including segmentation of IoT networks, use of firewalls, and limiting inbound traffic to trusted sources only. Monitoring network traffic for unusual spikes or patterns targeting Shelly devices can help detect exploitation attempts early. Employing rate limiting and anomaly detection on network gateways can reduce the risk of resource exhaustion attacks. Organizations should also inventory all Shelly Pro 4PM devices to ensure none are overlooked. Where possible, disable or restrict remote management interfaces to reduce exposure. Engaging with the vendor for timely updates and security advisories is critical. Finally, integrating these devices into broader IoT security frameworks and incident response plans will enhance resilience against exploitation.