CVE-2025-34501 HIGH

CVE-2025-34501: Shuffle Master Deck Mate 2 Hard-coded Credentials & Exposed Services

Vendor Light & Wonder, Inc. / Shfl Entertainment, Inc. / Shuffle Master, Inc.
Product Deck Mate 2
Weakness CWE-798 · Hardcoded credentials
Published November 3, 2025
Last update November 5, 2025

CVSS base score

7.0/10
Attack vector Physical
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Deck Mate 2 is distributed with static, hard-coded credentials for the root shell and web user interface, while multiple management services (SSH, HTTP, Telnet, SMB, X11) are enabled by default. If an attacker can reach these interfaces - most often through local or near-local access such as connecting to the USB or Ethernet ports beneath the table - the built-in credentials permit administrative login and full control of the system. Once authenticated, an attacker can access firmware utilities, modify controller software, and establish persistent compromise. Remote attack paths via network, cellular, or telemetry links may exist in specific configurations but generally require additional capabilities or operator error. The vendor reports that USB access has been disabled in current firmware builds.

Key dates

02Disclosure timeline

November 3, 2025 CVE published
November 5, 2025 Record updated