
Description

Deck Mate 1 executes firmware directly from an external EEPROM without verifying authenticity or integrity. An attacker with physical access can replace or reflash the EEPROM to run arbitrary code that persists across reboots. Because this design predates modern secure-boot or signed-update mechanisms, affected systems should be physically protected or retired from service. The vendor has not indicated that firmware updates are available for this legacy model.

Status: Published | Reserved 2025-04-15 | Published 2025-10-24 | Updated 2025-10-27 | Assigner: VulnCheck

Severity: HIGH 7.0 (CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

Problem types

CWE-347 Improper Verification of Cryptographic Signature

CWE-1326 Missing Immutable Root of Trust in Hardware

Product status

Default status: unknown

Any version before unknown: affected

Credits

Joseph Tartaro of IOActive (finder)

Enrique Nissim of IOActive (finder)

Ethan Shackelford of IOActive (finder)

References

www.ioactive.com/...5/05/IOActive-card-shuffler-security.pdf (technical description, exploit)

www.vulncheck.com/...authenticated-eeprom-firmware-execution (third-party advisory)

cve.org record for CVE-2025-34503

nvd.nist.gov record for CVE-2025-34503
