
CVE-2025-12056: CWE-125 Out-of-bounds Read in Shelly Pro 3EM

Severity: High
Tags: Vulnerability, CVE-2025-12056, CWE-125
Published: Wed Nov 19 2025 (11/19/2025, 06:46:09 UTC)
Source: CVE Database V5
Vendor/Project: Shelly
Product: Pro 3EM

Description

Out-of-bounds Read in Shelly Pro 3EM (before v1.4.4) allows Overread Buffers.

AI-Powered Analysis

Last updated: 11/26/2025, 07:13:57 UTC

Technical Analysis

CVE-2025-12056 is an out-of-bounds read (CWE-125) in the firmware of the Shelly Pro 3EM, a three-phase smart energy meter. Firmware versions before v1.4.4 are affected, and v1.4.4 is the first fixed release. The advisory describes the flaw only as allowing buffers to be overread: input reaching the device causes a read past the end of an allocated buffer. The CVSS 4.0 vector, AV:A/AC:L/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H, characterises the exposure. AV:A (Adjacent) means the attacker needs network adjacency, typically a position on the same LAN or VLAN as the meter, which is the usual starting point for attacks on IoT devices; attack complexity is low, and no privileges (PR:N) or user interaction (UI:N) are required. The impact metrics are VC:N and VI:N with VA:H, so the vector records no confidentiality or integrity impact on the vulnerable device and a high availability impact. For an out-of-bounds read on an embedded device this typically means the faulting read crashes or resets the firmware rather than returning memory contents to the attacker. SA:H adds a high availability impact on a subsequent system, for example automation or load-control logic that depends on the meter's readings; SC:N and SI:N record no downstream confidentiality or integrity impact. The advisory does not claim disclosure of memory contents, keys or credentials, and such effects should not be inferred from it. No exploits are known in the wild. Shelly Pro 3EM devices are used for energy monitoring and management, often integrated into smart-building and industrial environments, so loss of the meter affects monitoring and any control logic fed by it. Because a fixed firmware version exists, the primary remediation is updating.

Potential Impact

For European organizations, the impact of CVE-2025-12056 falls on availability rather than confidentiality: an attacker with adjacent-network access can, without credentials, knock a Shelly Pro 3EM offline or force it to reset, interrupting energy metering in the commercial buildings, manufacturing sites and smaller industrial installations where these devices are commonly deployed. Where the meter's readings feed automation, such as load shedding, PV self-consumption control or tariff-based switching, the SA:H metric indicates that those dependent systems can lose function as well, and repeated crashes could be used to blind an operator during another activity on the network. Given the increasing integration of IoT devices in European smart grids and industrial control systems, unauthenticated denial-of-service conditions of this kind are an operational risk even though the vector does not record a confidentiality or integrity impact. The requirement for network adjacency limits remote exploitation but does not eliminate risk, especially in environments with flat networks, shared Wi-Fi, or meters reachable from office segments. The absence of known exploits currently reduces immediate risk but should not lead to complacency, as a reachable overread is usually simple to trigger once the input path is identified.

Mitigation Recommendations

1. Immediately inventory all Shelly Pro 3EM devices in your environment and record their firmware versions; compare each version numerically against v1.4.4, since string comparison misorders releases such as 1.10.x.
2. Update affected devices to firmware v1.4.4 or later, the first fixed release, through Shelly's normal update channel, and verify the reported version after the update.
3. Until every device is updated, keep Shelly Pro 3EM devices on a dedicated network segment with strict access controls so that only authorised management and automation hosts can reach them.
4. Monitor IoT segment traffic for unexpected hosts contacting the meters' management interfaces, and treat unexplained reboots, resets or gaps in metering data from these devices as potential exploitation attempts, since the impact of this flaw is loss of availability.
5. Use firewall rules to restrict access to Shelly devices to authorised management systems only; the vulnerability requires no authentication, so network reachability is the effective control.
6. Regularly audit device configurations and logs for signs of compromise or unusual activity.
7. Engage with Shelly support or vendor channels for timely updates and security advisories.
8. Where the meters feed automation or load control, review what those systems do when readings stop arriving, so that a crashed meter fails safe rather than driving unintended switching.
9. Educate operational technology and IT teams about the risks associated with IoT device vulnerabilities and the importance of patch management.
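The inventory and version check in steps 1 and 2 are where most mistakes happen, so the following Python script is an added example of doing them defensibly; it is not code from the page or from Shelly. It assumes (not stated on the page) that the Pro 3EM, as a Gen2 Shelly device, answers an HTTP GET to /rpc/Shelly.GetDeviceInfo with JSON carrying a "model" and a "ver" field, and that Pro 3EM model identifiers start with "SPEM-003"; the sample responses and host addresses are constructed for the example. The version comparison is numeric and treats a pre-release build of 1.4.4 as older than the fixed release, and an unparseable version is reported as unknown rather than assumed safe.

```python
"""Triage Shelly Pro 3EM devices against the fixed firmware for CVE-2025-12056.

Added example, not Shelly's code. ASSUMPTIONS (not on the advisory page):
- Gen2 devices answer GET http://<host>/rpc/Shelly.GetDeviceInfo with JSON
  containing "model" and "ver".
- Pro 3EM model identifiers start with "SPEM-003".
- SAMPLE_RESPONSES and the host addresses are constructed for this example.
"""
import json
import re
import urllib.request

FIXED_VERSION = "1.4.4"            # first fixed release per the advisory
PRO_3EM_MODEL_PREFIX = "SPEM-003"  # ASSUMED model id prefix for the Pro 3EM
RPC_PATH = "/rpc/Shelly.GetDeviceInfo"  # ASSUMED Gen2 RPC endpoint

_VER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-\S+)?$")


def parse_version(ver):
    """Map '1.4.4', 'v1.4.4' or '1.4.4-beta3' to a comparable tuple.

    The fourth element ranks a pre-release below the final build of the same
    number, so 1.4.4-beta3 sorts as older than 1.4.4. Numeric fields matter:
    a plain string comparison would order '1.10.1' before '1.4.4'.
    Returns None for anything that does not look like a version.
    """
    m = _VER_RE.match(ver.strip())
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)


def is_vulnerable(ver, fixed=FIXED_VERSION):
    """True if ver is below the fixed release, False if at or above,
    None if the string is unparseable (report it, never assume it is safe)."""
    parsed = parse_version(ver)
    if parsed is None:
        return None
    return parsed < parse_version(fixed)


def classify_device(host, raw_json):
    """Turn one Shelly.GetDeviceInfo response into a triage record."""
    try:
        info = json.loads(raw_json)
    except json.JSONDecodeError:
        return {"host": host, "model": None, "ver": None, "status": "unknown"}
    model = str(info.get("model", ""))
    ver = str(info.get("ver", ""))
    if not model.startswith(PRO_3EM_MODEL_PREFIX):
        status = "out_of_scope"   # another Shelly model: not covered by this CVE
    else:
        vuln = is_vulnerable(ver)
        status = "unknown" if vuln is None else ("vulnerable" if vuln else "patched")
    return {"host": host, "model": model, "ver": ver, "status": status}


def triage(responses):
    """responses: {host: raw JSON text}. Returns records sorted worst-first."""
    order = {"vulnerable": 0, "unknown": 1, "patched": 2, "out_of_scope": 3}
    records = [classify_device(h, r) for h, r in responses.items()]
    return sorted(records, key=lambda r: (order[r["status"]], r["host"]))


def fetch_device_info(host, timeout=3.0):
    """Live query for real use (not exercised offline): GET the RPC endpoint."""
    with urllib.request.urlopen(f"http://{host}{RPC_PATH}", timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample responses standing in for live devices on a meter VLAN.
SAMPLE_RESPONSES = {
    "192.0.2.10": '{"id":"shellypro3em-a","model":"SPEM-003CEBEU","gen":2,"ver":"1.4.2","app":"Pro3EM"}',
    "192.0.2.11": '{"id":"shellypro3em-b","model":"SPEM-003CEBEU","gen":2,"ver":"1.4.4","app":"Pro3EM"}',
    "192.0.2.12": '{"id":"shellypro3em-c","model":"SPEM-003CEBEU","gen":2,"ver":"1.10.1","app":"Pro3EM"}',
    "192.0.2.13": '{"id":"shellyplus1-d","model":"SNSW-001X16EU","gen":2,"ver":"1.0.8","app":"Plus1"}',
    "192.0.2.14": '{"id":"shellypro3em-e","model":"SPEM-003CEBEU","gen":2,"ver":"1.4.4-beta3","app":"Pro3EM"}',
    "192.0.2.15": '{"id":"shellypro3em-f","model":"SPEM-003CEBEU","gen":2,"ver":"","app":"Pro3EM"}',
}

if __name__ == "__main__":
    for rec in triage(SAMPLE_RESPONSES):
        print(f'{rec["host"]:<12} {rec["status"]:<13} {rec["model"] or "-":<15} {rec["ver"] or "-"}')
```

In a real run, replace SAMPLE_RESPONSES with the output of fetch_device_info for each address in the meter segment; devices that time out or return nothing should be listed as unknown and checked by hand, not dropped from the report.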


Technical Details

Data Version: 5.2
Assigner Short Name: Nozomi
Date Reserved: 2025-10-22T07:12:22.368Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 691d6a73a27e6d5e91bd8391

Added to database: 11/19/2025, 6:57:55 AM

Last enriched: 11/26/2025, 7:13:57 AM

Last updated: 1/7/2026, 4:24:35 AM

