CVE-2025-34500 – Shuffle Master Deck Mate 2 Insecure Update Chain

CVE ID : CVE-2025-34500

Published : Oct. 24, 2025, 11:15 p.m. | 1 hour, 28 minutes ago

Description : Deck Mate 2’s firmware update mechanism accepts packages without cryptographic signature verification, encrypts them with a single hard-coded AES key shared across devices, and uses a truncated HMAC for integrity validation. Attackers with access to the update interface – typically via the unit’s USB update port – can craft or modify firmware packages to execute arbitrary code as root, allowing persistent compromise of the device’s integrity and deck randomization process. Physical or on-premises access remains the most likely attack path, though network-exposed or telemetry-enabled deployments could theoretically allow remote exploitation if misconfigured. The vendor confirmed that firmware updates have been issued to correct these update-chain weaknesses and that USB update access has been disabled on affected units.

Severity: 7.0 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…