

Press Release -- December 15th, 2025
Source: nozomi

Nozomi Networks finds vulnerabilities in electrical circuit common in homes, buildings and industrial environments

SYDNEY, 16 December 2025 – Nozomi Networks Labs has found vulnerabilities in the Shelly Pro 4PM, a smart network-connected relay used to monitor and control four electrical circuits. The device is often found in homes, smart buildings and light industrial environments, where it switches loads on and off, measures power and integrates with automation platforms via its web interface and APIs.

Nozomi Networks Labs discovered an impactful issue: by sending an oversized request through the device’s remote-control interface, an attacker (or even a misbehaving integration) can force the Shelly Pro 4PM to reboot. Because the relay switches power, users may find homes left in the dark or, in some setups, be unable to open a garage door or gate remotely. This denial-of-service behaviour isn’t limited to a single function; it affects 30 API methods, making repeatable outages possible without special privileges.

The Shelly Pro 4PM is a four‑channel smart relay with power metering on each channel; it connects by Ethernet, Wi‑Fi or Bluetooth. Setup and day‑to‑day control are handled through a local web dashboard.

Each relay channel controls a single circuit and has an “action on power on” setting that determines its state after a reboot (On, Off, Restore last, or Match input). If the device encounters an unexpected fault and reboots, it briefly stops responding. When it comes back online, each channel applies that setting. If a channel returns to Off after such a reboot, the circuits it feeds (lighting, or an outlet powering your Wi-Fi, intercom, or garage/gate controller) remain down until you restore power or toggle the relay.

The input‑handling weakness identified in the Shelly Pro 4PM’s JSON‑RPC interface can present meaningful operational risks, especially where the relay controls critical loads. Examples of potential attack scenarios include:

  • Denial of Control (T0813). A crafted oversized request can force the device to reboot. During these events, the relay becomes temporarily unavailable, which can lead to missed schedules, loss of remote control, and service interruptions. Repeated requests can prolong downtime and increase maintenance effort.
  • Denial of View (T0815). While the device is restarting, power‑metering data and status updates are not available. This creates blind spots in dashboards and alerting, reducing the ability to detect abnormal consumption or confirm that commands have taken effect.
  • Loss of Safety (T0880). When the relay governs pumps, heaters, gates, lighting, or similar equipment, an outage can delay on/off actions or leave circuits in an undesired state until staff intervene. In facilities that depend on timely switching (e.g., HVAC or water circulation), this can translate into discomfort, process deviation, or equipment stress.

The research shows that unexpected inputs to multiple JSON‑RPC methods on the Shelly Pro 4PM v1.4.4 can exhaust resources and trigger device reboots. While the issue does not enable code execution or data theft, it can be used to cause repeatable outages, impacting automation routines and visibility in both home and building contexts.
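The pattern described above, oversized JSON-RPC requests followed by device reboots, is something a monitor sitting in front of the relay can flag. The Python script below is an added example written for this page; it is not Nozomi Networks' or Shelly's code. It parses constructed access-log lines of the kind a reverse proxy or capture in front of the device might record, flags JSON-RPC requests whose body exceeds a size threshold, counts repeat sources, and correlates uptime resets seen in periodic status polls with those requests. The log format, the `/rpc/` path prefix, the 8 KiB threshold and the RPC method names appearing in the sample data are assumptions made for illustration, not details taken from the research.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

RPC_PREFIX = "/rpc/"    # assumed path prefix of the device's JSON-RPC interface
MAX_BODY_BYTES = 8192   # assumed threshold; set it above the largest legitimate request you observe

# Constructed access-log lines as a reverse proxy or capture in front of the relay might
# record them. Assumed format: "<ts> <src_ip> <http_method> <path> <body_bytes> <status>".
# A status of "-" marks a request that got no reply (the device stopped responding).
SAMPLE_LOG = """\
2025-12-15T09:00:01Z 192.168.1.20 POST /rpc/Switch.GetStatus 64 200
2025-12-15T09:00:02Z 192.168.1.20 POST /rpc/Switch.Set 72 200
2025-12-15T09:00:05Z 192.168.1.77 POST /rpc/Switch.Set 65536 -
2025-12-15T09:00:06Z 192.168.1.77 POST /rpc/Shelly.GetStatus 65536 -
2025-12-15T09:01:30Z 192.168.1.77 POST /rpc/Switch.Set 65536 -
2025-12-15T09:02:05Z 192.168.1.20 GET /shelly 0 200
"""

# Constructed (timestamp, uptime_seconds) pairs from polling the device's status every
# 30 s; an uptime lower than the previous sample means the device rebooted in between.
SAMPLE_UPTIME_POLLS = [
    ("2025-12-15T09:00:00Z", 86400),
    ("2025-12-15T09:00:30Z", 86430),
    ("2025-12-15T09:01:00Z", 12),
    ("2025-12-15T09:01:30Z", 42),
    ("2025-12-15T09:02:00Z", 9),
]


@dataclass(frozen=True)
class Request:
    ts: datetime
    src: str
    method: str
    path: str
    body_bytes: int
    status: str


def parse_ts(s):
    # Explicit format so the script also runs on Python versions whose
    # fromisoformat() does not accept a trailing "Z".
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_log(text):
    """Parse the assumed six-field log format; malformed lines are skipped, not fatal."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, method, path, size, status = parts
        out.append(Request(parse_ts(ts), src, method, path, int(size), status))
    return out


def rpc_method(path):
    """'/rpc/Switch.Set?x=1' -> 'Switch.Set'."""
    return path[len(RPC_PREFIX):].split("?", 1)[0]


def oversized_rpc_requests(reqs, max_body=MAX_BODY_BYTES):
    """JSON-RPC requests whose body is larger than anything a legitimate client sends."""
    return [r for r in reqs if r.path.startswith(RPC_PREFIX) and r.body_bytes > max_body]


def affected_methods(oversized):
    """Distinct RPC methods that received oversized requests, sorted for stable reporting."""
    return sorted({rpc_method(r.path) for r in oversized})


def repeat_sources(oversized, min_count=2):
    """Sources that sent oversized requests at least min_count times (repeated outages)."""
    counts = Counter(r.src for r in oversized)
    return {src: n for src, n in counts.items() if n >= min_count}


def detect_reboots(polls):
    """Timestamps of polls at which the reported uptime went backwards."""
    reboots, prev = [], None
    for ts_str, uptime in polls:
        ts = parse_ts(ts_str)
        if prev is not None and uptime < prev:
            reboots.append(ts)
        prev = uptime
    return reboots


def correlate(reboots, oversized, window=timedelta(seconds=120)):
    """For each reboot, the oversized requests seen in the preceding window."""
    return [(rb, [r for r in oversized if rb - window <= r.ts <= rb]) for rb in reboots]


if __name__ == "__main__":
    reqs = parse_log(SAMPLE_LOG)
    big = oversized_rpc_requests(reqs)
    print("oversized RPC requests:", len(big), "methods:", affected_methods(big))
    print("repeat sources:", repeat_sources(big))
    for rb, suspects in correlate(detect_reboots(SAMPLE_UPTIME_POLLS), big):
        print(f"reboot at {rb:%H:%M:%S}: {len(suspects)} oversized request(s) in the preceding 120 s")
```

In a real deployment the uptime samples would come from the monitor's own periodic status polls of the device, and the body-size threshold should be tuned to the largest request your integrations legitimately send. A correlation hit is a prompt to check which hosts can reach the relay's RPC interface and to review the "action on power on" setting on channels feeding critical loads, so that a forced reboot does not leave them Off.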

For more information:

About Nozomi Networks
Nozomi Networks protects the world’s critical infrastructure from cyber threats. Our platform uniquely combines network and endpoint visibility, threat detection, and AI-powered analysis for faster, more effective incident response. Customers rely on us to minimize risk and complexity while maximizing operational resilience.
www.nozominetworks.com
