CVE-2025-34502
7
CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
Deck Mate 2 lacks a verified secure-boot chain and runtime integrity validation for its controller and display modules. Without cryptographic boot verification, an attacker with physical access can modify or replace the bootloader, kernel, or filesystem and gain persistent code execution on reboot. This weakness allows long-term firmware tampering that survives power cycles. The vendor indicates that more recent firmware updates strengthen update-chain integrity and disable physical update ports to mitigate related attack avenues.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Light & Wonder, Inc. / SHFL Entertainment, Inc. / Shuffle Master, Inc. | Deck Mate 2 | 0 < all known versions prior to 2025-10-23 | affected |
Weaknesses
- CWE-1326: CWE-1326 Missing Immutable Root of Trust in Hardware
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://www.ioactive.com/wp-content/uploads/2025/05/IOActive-card-shuffler-security.pdf
- https://www.vulncheck.com/advisories/shuffle-master-deck-mate-2-missing-secure-boot
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.