CVE-2025-34500
CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
Deck Mate 2's firmware update mechanism accepts packages without cryptographic signature verification, encrypts them with a single hard-coded AES key shared across devices, and uses a truncated HMAC for integrity validation. Attackers with access to the update interface - typically via the unit's USB update port - can craft or modify firmware packages to execute arbitrary code as root, allowing persistent compromise of the device's integrity and deck randomization process. Physical or on-premises access remains the most likely attack path, though network-exposed or telemetry-enabled deployments could theoretically allow remote exploitation if misconfigured. The vendor confirmed that firmware updates have been issued to correct these update-chain weaknesses and that USB update access has been disabled on affected units.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Light & Wonder, Inc. / SHFL Entertainment, Inc. / Shuffle Master, Inc. | Deck Mate 2 | 0 < all known versions prior to 2025-10-23 | affected |
Weaknesses
- CWE-321: CWE-321 Use of Hard-coded Cryptographic Key
- CWE-327: CWE-327 Use of a Broken or Risky Cryptographic Algorithm
- CWE-347: CWE-347 Improper Verification of Cryptographic Signature
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://www.ioactive.com/wp-content/uploads/2025/05/IOActive-card-shuffler-security.pdf
- https://www.wired.com/story/card-shuffler-hack/
- https://www.wired.com/story/how-hacked-card-shufflers-allegedly-enabled-a-mob-fueled-poker-scam-that-rocked-the-nba/
- https://www.vulncheck.com/advisories/shuffle-master-deck-mate-2-insecure-update-chain
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.