{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-34502", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2025-04-15T19:15:22.611Z", "datePublished": "2025-10-24T23:04:11.948Z", "dateUpdated": "2025-10-27T15:57:43.141Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "modules": ["Bootloader / kernel / filesystem integrity verification"], "product": "Deck Mate 2", "vendor": "Light & Wonder, Inc. / SHFL Entertainment, Inc. / Shuffle Master, Inc.", "versions": [{"lessThan": "all known versions prior to 2025-10-23", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Joseph Tartaro of IOActive"}, {"lang": "en", "type": "finder", "value": "Enrique Nissim of IOActive"}, {"lang": "en", "type": "finder", "value": "Ethan Shackelford of IOActive"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div><div></div><div>Deck Mate 2 lacks a verified secure-boot chain and runtime integrity validation for its controller and display modules. Without cryptographic boot verification, an attacker with physical access can modify or replace the bootloader, kernel, or filesystem and gain persistent code execution on reboot. This weakness allows long-term firmware tampering that survives power cycles. The vendor indicates that more recent firmware updates strengthen update-chain integrity and disable physical update ports to mitigate related attack avenues.<br></div></div>"}], "value": "Deck Mate 2 lacks a verified secure-boot chain and runtime integrity validation for its controller and display modules. Without cryptographic boot verification, an attacker with physical access can modify or replace the bootloader, kernel, or filesystem and gain persistent code execution on reboot. This weakness allows long-term firmware tampering that survives power cycles. The vendor indicates that more recent firmware updates strengthen update-chain integrity and disable physical update ports to mitigate related attack avenues."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "PHYSICAL", "baseScore": 7, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1326", "description": "CWE-1326 Missing Immutable Root of Trust in Hardware", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2025-10-24T23:04:11.948Z"}, "references": [{"tags": ["technical-description", "exploit"], "url": "https://www.ioactive.com/wp-content/uploads/2025/05/IOActive-card-shuffler-security.pdf"}, {"tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/shuffle-master-deck-mate-2-missing-secure-boot"}], "source": {"discovery": "UNKNOWN"}, "title": "Shuffle Master Deck Mate 2 Missing Secure Boot", "x_generator": {"engine": "Vulnogram 0.4.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-27T15:39:03.515028Z", "id": "CVE-2025-34502", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-27T15:57:43.141Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-34502", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-10-27T15:39:03.515028Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-27T15:39:08.036Z"}}], "cna": {"title": "Shuffle Master Deck Mate 2 Missing Secure Boot", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Joseph Tartaro of IOActive"}, {"lang": "en", "type": "finder", "value": "Enrique Nissim of IOActive"}, {"lang": "en", "type": "finder", "value": "Ethan Shackelford of IOActive"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7, "Automatable": "NOT_DEFINED", "attackVector": "PHYSICAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Light & Wonder, Inc. / SHFL Entertainment, Inc. / Shuffle Master, Inc.", "modules": ["Bootloader / kernel / filesystem integrity verification"], "product": "Deck Mate 2", "versions": [{"status": "affected", "version": "0", "lessThan": "all known versions prior to 2025-10-23", "versionType": "custom"}], "defaultStatus": "unknown"}], "references": [{"url": "https://www.ioactive.com/wp-content/uploads/2025/05/IOActive-card-shuffler-security.pdf", "tags": ["technical-description", "exploit"]}, {"url": "https://www.vulncheck.com/advisories/shuffle-master-deck-mate-2-missing-secure-boot", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.4.0"}, "descriptions": [{"lang": "en", "value": "Deck Mate 2 lacks a verified secure-boot chain and runtime integrity validation for its controller and display modules. Without cryptographic boot verification, an attacker with physical access can modify or replace the bootloader, kernel, or filesystem and gain persistent code execution on reboot. This weakness allows long-term firmware tampering that survives power cycles. The vendor indicates that more recent firmware updates strengthen update-chain integrity and disable physical update ports to mitigate related attack avenues.", "supportingMedia": [{"type": "text/html", "value": "<div><div></div><div>Deck Mate 2 lacks a verified secure-boot chain and runtime integrity validation for its controller and display modules. Without cryptographic boot verification, an attacker with physical access can modify or replace the bootloader, kernel, or filesystem and gain persistent code execution on reboot. This weakness allows long-term firmware tampering that survives power cycles. The vendor indicates that more recent firmware updates strengthen update-chain integrity and disable physical update ports to mitigate related attack avenues.<br></div></div>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1326", "description": "CWE-1326 Missing Immutable Root of Trust in Hardware"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2025-10-24T23:04:11.948Z"}}}, "cveMetadata": {"cveId": "CVE-2025-34502", "state": "PUBLISHED", "dateUpdated": "2025-10-27T15:57:43.141Z", "dateReserved": "2025-04-15T19:15:22.611Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2025-10-24T23:04:11.948Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deck Mate 2 lacks a verified secure-boot chain and runtime integrity validation for its controller and display modules. Without cryptographic boot verification, an attacker with physical access can modify or replace the bootloader, kernel, or filesystem and gain persistent code execution on reboot. This weakness allows long-term firmware tampering that survives power cycles. The vendor indicates that more recent firmware updates strengthen update-chain integrity and disable physical update ports to mitigate related attack avenues."}], "id": "CVE-2025-34502", "lastModified": "2025-10-27T13:20:15.637", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "PHYSICAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "[email protected]", "type": "Secondary"}]}, "published": "2025-10-24T23:15:46.893", "references": [{"source": "[email protected]", "url": "https://www.ioactive.com/wp-content/uploads/2025/05/IOActive-card-shuffler-security.pdf"}, {"source": "[email protected]", "url": "https://www.vulncheck.com/advisories/shuffle-master-deck-mate-2-missing-secure-boot"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1326"}], "source": "[email protected]", "type": "Secondary"}]}

{}