Vulnerability Description
Deck Mate 2 is distributed with static, hard-coded credentials for the root shell and web user interface, while multiple management services (SSH, HTTP, Telnet, SMB, X11) are enabled by default. If an attacker can reach these interfaces - most often through local or near-local access such as connecting to the USB or Ethernet ports beneath the table - the built-in credentials permit administrative login and full control of the system. Once authenticated, an attacker can access firmware utilities, modify controller software, and establish persistent compromise. Remote attack paths via network, cellular, or telemetry links may exist in specific configurations but generally require additional capabilities or operator error. The vendor reports that USB access has been disabled in current firmware builds.
Related Weaknesses (CWE)
References
- https://www.ioactive.com/wp-content/uploads/2025/05/IOActive-card-shuffler-secur
- https://www.vulncheck.com/advisories/shuffle-master-deck-mate-2-hard-coded-crede
FAQ
What is CVE-2025-34501?
CVE-2025-34501 is a documented vulnerability. Deck Mate 2 is distributed with static, hard-coded credentials for the root shell and web user interface, while multiple management services (SSH, HTTP, Telnet, SMB, X11) are enabled by default. If an...
How severe is CVE-2025-34501?
CVSS scoring is not yet available for CVE-2025-34501. Check NVD for updates.
Is there a patch for CVE-2025-34501?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.