CVE-2025-34501

HIGH EPSS 5.9%
Published Nov 3, 20258mo ago · Modified Jun 17, 20262w ago
7.0 CVSS 4.0
High
Find Similar
Published Nov 3, 2025 8mo ago
Last Modified Jun 17, 2026 2w ago

Description

Deck Mate 2 is distributed with static, hard-coded credentials for the root shell and web user interface, while multiple management services (SSH, HTTP, Telnet, SMB, X11) are enabled by default. If an attacker can reach these interfaces - most often through local or near-local access such as connecting to the USB or Ethernet ports beneath the table - the built-in credentials permit administrative login and full control of the system. Once authenticated, an attacker can access firmware utilities, modify controller software, and establish persistent compromise. Remote attack paths via network, cellular, or telemetry links may exist in specific configurations but generally require additional capabilities or operator error. The vendor reports that USB access has been disabled in current firmware builds.

CVSS Details

Base Score
7.0
Exploitability
Impact
Vector string
CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Physical
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
5.9% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-798 Use of Hard-coded Credentials Authentication

References 2

  • ioactive.com https://www.ioactive.com/wp-content/uploads/2025/05/IOActive-card-shuffler-security.pdf
  • vulncheck.com https://www.vulncheck.com/advisories/shuffle-master-deck-mate-2-hard-coded-credentials-and-exposed-services

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.