CVE-2025-11243: CWE-770 Allocation of Resources Without Limits or Throttling in Shelly Pro 4PM
Allocation of Resources Without Limits or Throttling vulnerability in Shelly Pro 4PM (before v1.6) allows Excessive Allocation via network.
AI Analysis
Technical Summary
CVE-2025-11243 is classified under CWE-770, Allocation of Resources Without Limits or Throttling. It affects Shelly Pro 4PM firmware versions before 1.6. An unauthenticated attacker can send network requests that cause the device to allocate resources, such as memory or processing capacity, with no mechanism to cap or throttle those allocations. Repeated or oversized requests therefore exhaust the device's resources and produce a denial of service (DoS) in which the device becomes unresponsive or crashes. The CVSS 4.0 vector reported for this issue uses Attack Vector: Adjacent, meaning the attacker must be on the same network segment as the device (for example the IoT VLAN or Wi-Fi network) rather than anywhere on the Internet; the attack has low complexity, requires no privileges and no user interaction, and has a high impact on availability. Confidentiality and integrity are not directly affected, but loss of availability is critical for a device used to switch and meter power circuits in smart-home or industrial automation settings. No public exploit has been reported, but given the low complexity and absence of authentication, exploitation would require little more than network reachability. The affected-version statement ("before v1.6") indicates that firmware 1.6 contains the fix, although no patch link is provided in this record, so operators should confirm the fixed version against the vendor's release notes. Given the device's role in power management and automation, a sustained DoS could cascade into broader operational issues.
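As an added illustration of the CWE-770 pattern described above (constructed example, not code from the Shelly firmware or from this advisory), the following simulation contrasts a request handler that allocates a client-sized buffer per request with no bound on size or on concurrent requests against a hardened handler that enforces both limits. The heap size, limits and request shape are assumptions chosen for the demonstration.

```python
"""CWE-770 demonstration: unbounded per-request allocation versus a bounded pool.

Constructed example. DEVICE_RAM, the limits and the Request shape are
assumptions for illustration, not properties of any real device.
"""
from dataclasses import dataclass, field

DEVICE_RAM = 64 * 1024  # assumed heap budget available for request buffers (64 KiB)


class DeviceCrashed(Exception):
    """Raised when the simulated device exhausts its heap (models a watchdog reset)."""


@dataclass
class Request:
    src: str
    declared_len: int  # attacker-controlled, e.g. a Content-Length header value


@dataclass
class VulnerableHandler:
    """Allocates a buffer sized by the client for every request, keeps it while the
    (possibly slow or never-completing) client is connected, and never checks how
    much is outstanding. This is the CWE-770 shape: no limit, no throttling."""
    used: int = 0
    inflight: list = field(default_factory=list)

    def accept(self, req: Request) -> int:
        # Neither declared_len nor the number of concurrent requests is bounded.
        self.used += req.declared_len
        if self.used > DEVICE_RAM:
            raise DeviceCrashed(f"heap exhausted after {len(self.inflight) + 1} requests")
        self.inflight.append(req)
        return 200


@dataclass
class HardenedHandler:
    """Same handler with two limits: a maximum body size per request and a maximum
    number of simultaneously open requests (a bounded pool). Excess load is shed
    with an error status instead of being allocated."""
    max_body: int = 4096
    max_inflight: int = 4
    used: int = 0
    inflight: list = field(default_factory=list)

    def accept(self, req: Request) -> int:
        if req.declared_len > self.max_body:
            return 413  # Payload Too Large: refused before any allocation
        if len(self.inflight) >= self.max_inflight:
            return 503  # Service Unavailable: pool full, shed load
        self.used += req.declared_len
        self.inflight.append(req)
        return 200

    def finish(self, req: Request) -> None:
        """Release a request's buffer when the client completes or times out."""
        self.inflight.remove(req)
        self.used -= req.declared_len


def flood(handler, n: int, declared_len: int):
    """Send n requests that never complete; return ({status: count}, crashed)."""
    counts = {}
    try:
        for i in range(n):
            status = handler.accept(Request(f"10.0.0.{i % 250 + 1}", declared_len))
            counts[status] = counts.get(status, 0) + 1
    except DeviceCrashed:
        return counts, True
    return counts, False


if __name__ == "__main__":
    print("vulnerable:", flood(VulnerableHandler(), 100, 16 * 1024))   # crashes on the 5th request
    print("hardened, oversized bodies:", flood(HardenedHandler(), 100, 16 * 1024))
    print("hardened, many small bodies:", flood(HardenedHandler(), 100, 4096))
```

The point of the bounded pool is that the device's worst case is fixed at `max_inflight * max_body` bytes regardless of how many clients arrive, so an attacker can degrade service for other clients but cannot push the device past its heap and into a reset.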
Potential Impact
For European organizations that rely on Shelly Pro 4PM devices for smart building management, industrial automation or energy monitoring, this vulnerability poses a significant risk of service disruption. Successful exploitation renders the device unresponsive, which can interrupt the circuits it switches and meters and, in turn, the processes that depend on them, with operational downtime and financial loss as the likely consequences in manufacturing plants, data centers and smart grid deployments. Because no credentials are required, an attacker who reaches the IoT network segment could target many devices at once and amplify the outage. In industrial environments, loss of power control or automation can also carry safety implications. Given the growing adoption of IoT devices in Europe, incidents of this kind undermine trust in smart device deployments and require costly incident response and recovery.
Mitigation Recommendations
1. Update Shelly Pro 4PM devices to firmware version 1.6 or later, the first version outside the affected range; confirm the fixed version against the vendor's release notes before rolling out.
2. Until devices are patched, apply network-level rate limiting and traffic shaping to restrict the volume of requests reaching Shelly devices, especially from untrusted networks.
3. Segment IoT devices on dedicated VLANs or network zones with strict access controls; since the attack vector is adjacent network, keeping untrusted hosts off the device's segment removes the precondition for exploitation.
4. Monitor traffic toward Shelly devices for unusual request spikes or sustained high request rates from a single source, which are the signature of a resource exhaustion attempt.
5. Tune intrusion detection/prevention systems (IDS/IPS) to alert on or block flooding behavior directed at the devices.
6. Audit IoT device firmware versions and configurations regularly to ensure timely patching and compliance.
7. Follow the vendor's advisories for updates on this vulnerability and related security improvements.
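The monitoring and IDS recommendations above can be realised as a simple windowed rate check over firewall or flow logs. The following is an added example (not a tool from the advisory or from the vendor); the log format, device addresses, window size and thresholds are assumptions, and the log lines are constructed for the demonstration. It flags both a single noisy source and an aggregate flood spread across several sources that individually stay under the per-source limit.

```python
"""Windowed request-rate detection over constructed flow-log lines.

Assumed log format (constructed, not from any real firewall):
    <ISO-8601 UTC timestamp> src=<ip> dst=<ip> dport=<port> proto=<proto>
One line per request/flow. Thresholds and addresses are illustrative.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

MONITORED = {"192.168.20.5"}  # assumed address of a Shelly device on the IoT VLAN
WINDOW_SEC = 10               # bucket width
PER_SOURCE_LIMIT = 20         # requests per source per window before alerting
PER_DEVICE_LIMIT = 50         # aggregate requests to one device per window (distributed flood)

# Constructed baseline traffic: one legitimate client polling every five seconds,
# one flow to an unmonitored host, and one malformed line to exercise the parser.
SAMPLE_LOG = """\
2025-11-19T06:57:50Z src=192.168.10.23 dst=192.168.20.5 dport=80 proto=tcp
2025-11-19T06:57:55Z src=192.168.10.23 dst=192.168.20.5 dport=80 proto=tcp
2025-11-19T06:58:00Z src=192.168.10.23 dst=192.168.20.5 dport=80 proto=tcp
2025-11-19T06:58:03Z src=192.168.10.23 dst=192.168.30.9 dport=443 proto=tcp
this line is not a flow record
"""

# Constructed flood: one source at 4 requests/second for 10 seconds (40 requests),
# and a second source at 3 requests/second for 5 seconds (15 requests, under the
# per-source limit but contributing to the aggregate).
BURST = [f"2025-11-19T06:58:{s:02d}Z src=192.168.10.99 dst=192.168.20.5 dport=80 proto=tcp"
         for s in range(10) for _ in range(4)]
SECOND = [f"2025-11-19T06:58:{s:02d}Z src=192.168.10.100 dst=192.168.20.5 dport=80 proto=tcp"
          for s in range(5) for _ in range(3)]

SAMPLE_LINES = SAMPLE_LOG.splitlines() + BURST + SECOND


def parse(line):
    """Return (epoch_seconds, src, dst) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(ts.timestamp()), m["src"], m["dst"]


def window_start(w):
    """Render a window index back to the ISO timestamp of its first second."""
    return datetime.fromtimestamp(w * WINDOW_SEC, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def detect(lines):
    """Bucket requests to monitored devices into fixed windows and return alerts as
    (kind, src or None, dst, window_start, count) tuples."""
    per_source = defaultdict(int)  # (window, src, dst) -> count
    per_device = defaultdict(int)  # (window, dst) -> count
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        epoch, src, dst = rec
        if dst not in MONITORED:
            continue
        w = epoch // WINDOW_SEC
        per_source[(w, src, dst)] += 1
        per_device[(w, dst)] += 1

    alerts = []
    for (w, src, dst), n in sorted(per_source.items()):
        if n > PER_SOURCE_LIMIT:
            alerts.append(("source_flood", src, dst, window_start(w), n))
    for (w, dst), n in sorted(per_device.items()):
        if n > PER_DEVICE_LIMIT:
            alerts.append(("device_flood", None, dst, window_start(w), n))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LINES):
        print(alert)
```

The per-device aggregate check matters because the vulnerability needs no authentication: an attacker controlling several hosts on the segment can stay under any per-source threshold while still exhausting the device, so the device-side total is the signal that cannot be evaded by spreading the load.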
Affected Countries
Germany, France, Netherlands, Italy, United Kingdom
Technical Details
- Data Version: 5.2
- Assigner Short Name: Nozomi
- Date Reserved: 2025-10-02T14:06:12.008Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 691d6a73a27e6d5e91bd838d
Added to database: 11/19/2025, 6:57:55 AM
Last enriched: 11/26/2025, 7:13:42 AM
Last updated: 1/7/2026, 8:56:02 AM
Views: 159
Related Threats
- CVE-2025-15158: CWE-434 Unrestricted Upload of File with Dangerous Type in eastsidecode WP Enable WebP (High)
- CVE-2025-15018: CWE-639 Authorization Bypass Through User-Controlled Key in djanym Optional Email (Critical)
- CVE-2025-15000: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in tfrommen Page Keys (Medium)
- CVE-2025-14999: CWE-352 Cross-Site Request Forgery (CSRF) in kentothemes Latest Tabs (Medium)
- CVE-2025-13531: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in hayyatapps Stylish Order Form Builder (Medium)