Home

Description

Deck Mate 2 lacks a verified secure-boot chain and runtime integrity validation for its controller and display modules. Without cryptographic boot verification, an attacker with physical access can modify or replace the bootloader, kernel, or filesystem and gain persistent code execution on reboot. This weakness allows long-term firmware tampering that survives power cycles. The vendor indicates that more recent firmware updates strengthen update-chain integrity and disable physical update ports to mitigate related attack avenues.

PUBLISHED Reserved 2025-04-15 | Published 2025-10-24 | Updated 2025-10-27 | Assigner VulnCheck




HIGH: 7.0CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-1326 Missing Immutable Root of Trust in Hardware

Product status

Default status
unknown

Any version before all known versions prior to 2025-10-23
affected

Credits

Joseph Tartaro of IOActive finder

Enrique Nissim of IOActive finder

Ethan Shackelford of IOActive finder

References

www.ioactive.com/...5/05/IOActive-card-shuffler-security.pdf technical-description exploit

www.vulncheck.com/...-master-deck-mate-2-missing-secure-boot third-party-advisory

cve.org (CVE-2025-34502)

nvd.nist.gov (CVE-2025-34502)

Download JSON