Shelly’s Shellshock: Pro 4PM Vulnerability Sparks Denial-of-Service Drama!

An unpatched Shelly Pro 4PM could have you seeing red with a denial-of-service condition! Due to unchecked input bounds, your smart switch might just outsmart itself by rebooting. While Shelly’s ghosting CISA, users should update past version 1.6 to avoid the technical equivalent of a toddler’s tantrum. View CSAF for more details.

1P
Published: November 18, 2025 5:18 pmAdded: November 18, 2025 at 9:30 amAssembled by: The Editor
Pro Dashboard

Hot Take:

In the realm of cybersecurity, the Shelly Pro 4PM is the equivalent of a party crasher who eats all the snacks and leaves without saying goodbye. With its vulnerability to allocation of resources without limits, it’s the smart switch that’s not quite smart enough to keep hackers at bay. Be prepared, because this could lead to an unwanted blackout party for your devices!

Key Points:

  • CVSS v4 score of 8.3 signals serious vulnerability.
  • Low attack complexity makes it easy for attackers.
  • Pro 4PM devices prior to v1.6 are affected.
  • Attack causes denial-of-service by memory overallocation.
  • Mitigations include network isolation and VPN use.

Membership Required

 You must be a member to access this content.

View Membership Levels
Already a member? Log in here
The Nimble Nerd
powered by the NSA, er,  GDPR Cookie Compliance
Confessional Booth of Our Digital Sins

Okay, deep breath, let's get this over with. In the grand act of digital self-sabotage, we've littered this site with cookies. Yep, we did that. Why? So your highness can have a 'premium' experience or whatever. These traitorous cookies hide in your browser, eagerly waiting to welcome you back like a guilty dog that's just chewed your favorite shoe. And, if that's not enough, they also tattle on which parts of our sad little corner of the web you obsess over. Feels dirty, doesn't it?