CVE-2025-34500— Shuffle Master Deck Mate 2 Insecure Update Chain
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-34500
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Shuffle Master Deck Mate 2 Insecure Update Chain
Source: NVD (National Vulnerability Database)
Vulnerability Description
Deck Mate 2's firmware update mechanism accepts packages without cryptographic signature verification, encrypts them with a single hard-coded AES key shared across devices, and uses a truncated HMAC for integrity validation. Attackers with access to the update interface - typically via the unit's USB update port - can craft or modify firmware packages to execute arbitrary code as root, allowing persistent compromise of the device's integrity and deck randomization process. Physical or on-premises access remains the most likely attack path, though network-exposed or telemetry-enabled deployments could theoretically allow remote exploitation if misconfigured. The vendor confirmed that firmware updates have been issued to correct these update-chain weaknesses and that USB update access has been disabled on affected units.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
使用硬编码的密码学密钥
Source: NVD (National Vulnerability Database)
Vulnerability Title
Light & Wonder Deck Mate 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Light & Wonder Deck Mate是英国Light & Wonder公司的一款自动发牌设备。 Light & Wonder Deck Mate存在安全漏洞,该漏洞源于固件更新机制未验证加密签名并使用硬编码AES密钥,可能导致执行任意代码。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Light & Wonder, Inc. / SHFL Entertainment, Inc. / Shuffle Master, Inc. | Deck Mate 2 | 0 ~ all known versions prior to 2025-10-23 | - |
II. Public POCs for CVE-2025-34500
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-34500
请登录查看更多情报信息。
Same Patch Batch · Light & Wonder, Inc. / SHFL Entertainment, Inc. / Shuffle Master, Inc. · 2025-10-24 · 3 CVEs total
| CVE-2025-34503 | Shuffle Master Deck Mate 1 Unauthenticated EEPROM Firmware Execution | |
| CVE-2025-34502 | Shuffle Master Deck Mate 2 Missing Secure Boot |
IV. Related Vulnerabilities
Same weakness: CWE-321
- CVE-2026-8243
Industrial Application Software IAS Canias ERP JNLP Deployme - CVE-2026-6787
Usage of a hard-coded cryptographic key in WatchGuard Agent - CVE-2026-42518
Information Disclosure Vulnerability in e-Sushrut HMIS - CVE-2026-7306
Xuxueli xxl-job OpenAPI Endpoint OpenApiController.java hard - CVE-2026-32644
Milesight Cameras Use of Hard-coded Cryptographic Key
V. Comments for CVE-2025-34500
No comments yet