Shuffle Master Deck Mate 2 Missing Secure Boot

Advisories

severity: high
date: October 24, 2025
Affecting: A defined firmware range is unavailable.
The vendor has allegedly released a firmware update addressing the flaws as of 2025-10-23.
CVE: CVE-2025-34502
CWE: CWE-1326 Missing Immutable Root of Trust in Hardware
CVSS: 7
CVSS V4 Vector: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: IOActive Researcher Disclosure
Credit: Joseph Tartaro of IOActive, Enrique Nissim of IOActive, Ethan Shackelford of IOActive
Description: Deck Mate 2 lacks a verified secure-boot chain and runtime integrity validation for its controller and display modules. Without cryptographic boot verification, an attacker with physical access can modify or replace the bootloader, kernel, or filesystem and gain persistent code execution on reboot. This weakness allows long-term firmware tampering that survives power cycles. The vendor indicates that more recent firmware updates strengthen update-chain integrity and disable physical update ports to mitigate related attack avenues.