CVE-2025-34500

Summary

Deck Mate 2's firmware update mechanism accepts packages without cryptographic signature verification, encrypts them with a single hard-coded AES key shared across devices, and uses a truncated HMAC for integrity validation. Attackers with access to the update interface - typically via the unit's USB update port - can craft or modify firmware packages to execute arbitrary code as root, allowing persistent compromise of the device's integrity and deck randomization process. Physical or on-premises access remains the most likely attack path, though network-exposed or telemetry-enabled deployments could theoretically allow remote exploitation if misconfigured. The vendor confirmed that firmware updates have been issued to correct these update-chain weaknesses and that USB update access has been disabled on affected units.

Affected Software

VendorProductVersion RangeStatus
Light & Wonder, Inc. / SHFL Entertainment, Inc. / Shuffle Master, Inc.Deck Mate 20 < all known versions prior to 2025-10-23affected

Weaknesses

  • CWE-321: CWE-321 Use of Hard-coded Cryptographic Key
  • CWE-327: CWE-327 Use of a Broken or Risky Cryptographic Algorithm
  • CWE-347: CWE-347 Improper Verification of Cryptographic Signature

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References