1. EXECUTIVE SUMMARY
- CVSS v4 8.3
- ATTENTION: Low attack complexity
- Vendor: Shelly
- Equipment: Pro 3EM
- Vulnerability: Out-of-Bounds Read
2. RISK EVALUATION
Successful exploitation of this vulnerability could result in a denial-of-service condition.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following version of Pro 3EM, a smart DIN rail switch, is affected:
- Pro 3EM: all versions
3.2 VULNERABILITY OVERVIEW
3.2.1 OUT-OF-BOUNDS READ CWE-125
By sending a specially crafted Modbus request, an attacker can direct the device to access an illegal data address without standard error handling, causing the device to reboot and leading to a denial-of-service condition.
CVE-2025-12056 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2025-12056. A base score of 8.3 has been calculated; the CVSS vector string is (AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H).
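The advisory describes the defect as a Modbus request for an illegal data address that is not met with standard error handling. The Modbus application protocol already defines that handling: a request whose address range falls outside the device's register map must be answered with an exception response (exception code 0x02, Illegal Data Address), not served from memory past the end of the table. The handler below is an added illustration of that check, written for this page; it is not Shelly firmware, and the 64-register table, function-code subset and helper names are constructed for the example. The point is that the start address and quantity are validated together, in 32-bit arithmetic, before any register is read.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed register table for the example: 64 holding registers. */
#define REG_COUNT 64u
static uint16_t holding_regs[REG_COUNT];

/* Exception codes defined by the public Modbus application protocol spec. */
#define MB_EX_ILLEGAL_FUNCTION     0x01
#define MB_EX_ILLEGAL_DATA_ADDRESS 0x02
#define MB_EX_ILLEGAL_DATA_VALUE   0x03

#define MB_FC_READ_HOLDING 0x03   /* Read Holding Registers */

/* Build a two-byte exception PDU: function code with high bit set + code. */
static int mb_exception(uint8_t fc, uint8_t code, uint8_t *resp)
{
    resp[0] = (uint8_t)(fc | 0x80);
    resp[1] = code;
    return 2;
}

/*
 * Handle one Modbus PDU (function code + data; MBAP/TCP header already
 * stripped). Writes the response PDU into resp and returns its length, or
 * -1 if the frame is too short or resp is too small. Every address/quantity
 * pair is bounds-checked against the register table BEFORE any read, so an
 * out-of-range request yields a standard exception instead of an
 * out-of-bounds memory access.
 */
int mb_handle_pdu(const uint8_t *req, size_t req_len,
                  uint8_t *resp, size_t resp_cap)
{
    if (req_len < 1 || resp_cap < 2) return -1;
    uint8_t fc = req[0];

    if (fc != MB_FC_READ_HOLDING)
        return mb_exception(fc, MB_EX_ILLEGAL_FUNCTION, resp);

    /* FC 0x03 request data: start address (2 bytes) + quantity (2 bytes). */
    if (req_len != 5)
        return mb_exception(fc, MB_EX_ILLEGAL_DATA_VALUE, resp);

    uint32_t start = ((uint32_t)req[1] << 8) | req[2];
    uint32_t qty   = ((uint32_t)req[3] << 8) | req[4];

    /* Spec limit for FC 0x03: 1..125 registers per request. */
    if (qty < 1 || qty > 125)
        return mb_exception(fc, MB_EX_ILLEGAL_DATA_VALUE, resp);

    /* 32-bit arithmetic: start + qty cannot wrap past REG_COUNT. */
    if (start + qty > REG_COUNT)
        return mb_exception(fc, MB_EX_ILLEGAL_DATA_ADDRESS, resp);

    size_t byte_count = (size_t)qty * 2;
    if (resp_cap < 2 + byte_count) return -1;

    resp[0] = fc;
    resp[1] = (uint8_t)byte_count;
    for (uint32_t i = 0; i < qty; i++) {
        uint16_t v = holding_regs[start + i];   /* now provably in range */
        resp[2 + 2 * i] = (uint8_t)(v >> 8);
        resp[3 + 2 * i] = (uint8_t)(v & 0xFF);
    }
    return (int)(2 + byte_count);
}

/* Constructed helper: fill the table so the demo returns visible values. */
void mb_init_demo_regs(void)
{
    for (uint32_t i = 0; i < REG_COUNT; i++)
        holding_regs[i] = (uint16_t)(0x1000 + i);
}

int main(void)
{
    uint8_t resp[256];
    /* In-range read of registers 2..3, then a read that runs past the table. */
    const uint8_t ok[]  = { 0x03, 0x00, 0x02, 0x00, 0x02 };
    const uint8_t oob[] = { 0x03, 0x00, 0x3F, 0x00, 0x02 };

    mb_init_demo_regs();
    int n = mb_handle_pdu(ok, sizeof ok, resp, sizeof resp);
    printf("in-range: %d bytes, fc=0x%02X\n", n, resp[0]);
    n = mb_handle_pdu(oob, sizeof oob, resp, sizeof resp);
    printf("out-of-range: %d bytes, fc=0x%02X exception=0x%02X\n",
           n, resp[0], resp[1]);
    return 0;
}
```

The same pattern applies to every function code that takes an address and a count: compute the end of the range in a width that cannot overflow, compare it against the table length, and reject before dereferencing. A device that does this answers a bad request with two bytes instead of rebooting, which is the denial-of-service outcome the advisory describes.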
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Bulgaria
3.4 RESEARCHER
Gabriele Quagliarella of Nozomi Networks reported this vulnerability to CISA.
4. MITIGATIONS
Shelly did not respon
[…]