CVE-2025-34503

HIGH

Deck Mate 1 - Code Injection

Title source: llm

Description

Deck Mate 1 executes firmware directly from an external EEPROM without verifying authenticity or integrity. An attacker with physical access can replace or reflash the EEPROM to run arbitrary code that persists across reboots. Because this design predates modern secure-boot or signed-update mechanisms, affected systems should be physically protected or retired from service. The vendor has not indicated that firmware updates are available for this legacy model.

Scores

CVSS v4 7.0
EPSS 0.0001
EPSS Percentile 2.8%
CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-1326 CWE-347
Status published
Products (1)
Light & Wonder, Inc. / SHFL Entertainment, Inc. / Shuffle Master, Inc./Deck Mate 1
Published Oct 24, 2025
Tracked Since Feb 18, 2026