CVE-2025-34503
HIGHDeck Mate 1 - Unauthenticated Arbitrary Code Execution via EEPROM Firmware Replacement
Title source: llmDescription
Deck Mate 1 executes firmware directly from an external EEPROM without verifying authenticity or integrity. An attacker with physical access can replace or reflash the EEPROM to run arbitrary code that persists across reboots. Because this design predates modern secure-boot or signed-update mechanisms, affected systems should be physically protected or retired from service. The vendor has not indicated that firmware updates are available for this legacy model.
References (2)
Core 2
Core References
Various Sources technical-description
exploit
https://www.ioactive.com/wp-content/uploads/2025/05/IOActive-card-shuffler-security.pdf
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/shuffle-master-deck-mate-1-unauthenticated-eeprom-firmware-execution
Scores
CVSS v4
7.0
EPSS
0.0011
EPSS Percentile
1.5%
CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-1326
CWE-347
Status
published
Products (1)
Light & Wonder, Inc. / SHFL Entertainment, Inc. / Shuffle Master, Inc./Deck Mate 1
Published
Oct 24, 2025
Tracked Since
Feb 18, 2026