CVE-2025-34503

HIGH EPSS 2.1%

Published Oct 24, 20258mo ago · Modified Jun 17, 20261w ago

7.0 CVSS 4.0

High

Published Oct 24, 2025 8mo ago

Last Modified Jun 17, 2026 1w ago

Description

Deck Mate 1 executes firmware directly from an external EEPROM without verifying authenticity or integrity. An attacker with physical access can replace or reflash the EEPROM to run arbitrary code that persists across reboots. Because this design predates modern secure-boot or signed-update mechanisms, affected systems should be physically protected or retired from service. The vendor has not indicated that firmware updates are available for this legacy model.

CVSS Details

Base Score

7.0

Exploitability

—

Impact

—

Vector string

CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector Physical

Attack Complexity Low

Privileges Required None

User Interaction None

Scope X

Threat Intelligence

EPSS Exploit Probability

2.1% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 2

CWE-1326

CWE-347

References 2

ioactive.com https://www.ioactive.com/wp-content/uploads/2025/05/IOActive-card-shuffler-security.pdf
vulncheck.com https://www.vulncheck.com/advisories/shuffle-master-deck-mate-1-unauthenticated-eeprom-firmware-execution

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.