Vulnerability Description
Deck Mate 2's firmware update mechanism accepts packages without cryptographic signature verification, encrypts them with a single hard-coded AES key shared across devices, and uses a truncated HMAC for integrity validation. Attackers with access to the update interface - typically via the unit's USB update port - can craft or modify firmware packages to execute arbitrary code as root, allowing persistent compromise of the device's integrity and deck randomization process. Physical or on-premises access remains the most likely attack path, though network-exposed or telemetry-enabled deployments could theoretically allow remote exploitation if misconfigured. The vendor confirmed that firmware updates have been issued to correct these update-chain weaknesses and that USB update access has been disabled on affected units.
Related Weaknesses (CWE)
References
- https://www.ioactive.com/wp-content/uploads/2025/05/IOActive-card-shuffler-secur
- https://www.vulncheck.com/advisories/shuffle-master-deck-mate-2-insecure-update-
- https://www.wired.com/story/card-shuffler-hack/
- https://www.wired.com/story/how-hacked-card-shufflers-allegedly-enabled-a-mob-fu
FAQ
What is CVE-2025-34500?
CVE-2025-34500 is a documented vulnerability. Deck Mate 2's firmware update mechanism accepts packages without cryptographic signature verification, encrypts them with a single hard-coded AES key shared across devices, and uses a truncated HMAC f...
How severe is CVE-2025-34500?
CVSS scoring is not yet available for CVE-2025-34500. Check NVD for updates.
Is there a patch for CVE-2025-34500?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.