SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
New Zealand

Guides

#
cloud security
#
cybersecurity
#
endpoint protection
#
firewalls
#
ransomware

Search

Dark control room smart relays glowing red warning outage scene
#
Firewalls
#
Network Security
#
IoT Security

Smart relay flaw risks repeated power & safety outages

Tue, 16th Dec 2025
Author image
By Sean Mitchell, Publisher

Nozomi Networks Labs has identified vulnerabilities in a popular smart relay used in homes, commercial buildings and light industrial sites, raising concerns over remote control of lighting, gates and other electrical circuits.

The research focuses on the Shelly Pro 4PM, a four-channel smart relay that monitors and controls four separate electrical circuits. The device connects over Ethernet, Wi-Fi or Bluetooth. Users manage it through a local web dashboard and automation platforms that use its web interface and application programming interfaces.

Nozomi Networks Labs said it had found an input-handling weakness in the relay's JSON-RPC interface. The flaw affects firmware version 1.4.4.

The issue allows an attacker or faulty integration to send an oversized request through the remote-control interface. This causes the device to reboot. During the reboot, the relay stops responding and becomes temporarily unavailable.

Nozomi said this behaviour can disrupt power supplies that depend on the device. Users could find lights turned off or automation routines interrupted. In some installations, users could not open a connected garage door or gate remotely while the device restarts.

The vulnerability does not enable code execution or data theft. It does enable repeatable outages that disrupt automation and visibility.

The weakness affects 30 API methods in the JSON-RPC interface. Each method can process unexpected input in a way that exhausts the device's resources. The device then reboots.

A single crafted request can trigger a reboot. Repeated requests can keep the device in a cycle of outages.

The Shelly Pro 4PM controls each of its four channels through an "action on power on" setting. Each channel can switch to On, Off, Restore last, or Match input when the relay restarts. The device applies this setting after every reboot.

If the configuration sets a channel to Off after reboot, any connected loads stay down. This can affect lighting circuits or outlets that feed Wi-Fi units, intercoms, or garage and gate controllers. These devices remain unavailable until users restore power or toggle the relay again.

Nozomi Networks Labs said the combination of reboot behaviour and configuration options can create operational risk. The impact depends on what the relay controls in each site.

Operational scenarios

The researchers outlined several scenarios based on common operational technology threat models.

In a "Denial of Control" scenario, a crafted oversized request forces the relay to reboot. The outage removes remote control during the reboot window. This can cause missed schedules and service interruptions. Repeated requests can extend downtime and increase maintenance work.

In a "Denial of View" scenario, the reboot disrupts visibility. While the relay restarts, power metering data and status information are not available. Dashboards and alerts do not receive updates during these periods.

In a "Loss of Safety" scenario, an outage affects equipment such as pumps, heaters, gates or lighting. The delay can leave circuits in an undesired state until staff intervene. Facilities that depend on regular switching, such as HVAC or water circulation, can face process deviations or equipment stress.

Nozomi Networks Labs linked the issue to resource exhaustion within the relay's handling of unexpected inputs. The research showed that malformed or oversized data across multiple JSON-RPC methods can trigger these faults.

The company said the behaviour can affect both home and building environments. It can also affect light industrial installations that use the relay for basic automation and monitoring.

Nozomi Networks specialises in security for industrial and critical infrastructure environments. It researches vulnerabilities in connected operational devices and provides threat detection products.

"Nozomi Networks protects the world's critical infrastructure from cyber threats. Our platform uniquely combines network and endpoint visibility, threat detection, and AI-powered analysis for faster, more effective incident response. Customers rely on us to minimize risk and complexity while maximizing operational resilience," said Nozomi Networks.

The company has published technical details of the Shelly Pro 4PM findings and has urged organisations to review how they deploy the device in environments where unexpected outages could affect safety or continuity.

Related stories
Capture The Bug adds US tech leaders for North American push
Executive-level CISO titles surge amid rising scope strain
Cyb3r Operations raises $5.4m to tackle cyber risk
Asimily boosts Cisco ISE with new device microsegmentation
Deepfake boom fuels relentless wave of celebrity scams

Top stories

Rubrik launches CXO Visionaries for cyber & AI leaders
Lancom gains AoG status for New Zealand government IT
Dropzone AI hires leaders to drive EMEA & APAC push
Cloudflare: outdated apps stifle APAC AI investment gains
Rubrik unveils sovereign cloud to keep sensitive data local