Home

Description

Deck Mate 2 is distributed with static, hard-coded credentials for the root shell and web user interface, while multiple management services (SSH, HTTP, Telnet, SMB, X11) are enabled by default. If an attacker can reach these interfaces - most often through local or near-local access such as connecting to the USB or Ethernet ports beneath the table - the built-in credentials permit administrative login and full control of the system. Once authenticated, an attacker can access firmware utilities, modify controller software, and establish persistent compromise. Remote attack paths via network, cellular, or telemetry links may exist in specific configurations but generally require additional capabilities or operator error. The vendor reports that USB access has been disabled in current firmware builds.

PUBLISHED Reserved 2025-04-15 | Published 2025-11-03 | Updated 2025-11-05 | Assigner VulnCheck




HIGH: 7.0CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-798 Use of Hard-coded Credentials

Product status

Default status
unknown

Any version before all known versions prior to 2025-10-23
affected

Credits

Joseph Tartaro of IOActive finder

Enrique Nissim of IOActive finder

Ethan Shackelford of IOActive finder

References

www.ioactive.com/...5/05/IOActive-card-shuffler-security.pdf technical-description exploit

www.vulncheck.com/...-coded-credentials-and-exposed-services third-party-advisory

cve.org (CVE-2025-34501)

nvd.nist.gov (CVE-2025-34501)

Download JSON