Hard-Coded Credentials in Deck Mate 2 by Shuffle Master
CVE-2025-34501

7 HIGH

What is CVE-2025-34501?

Deck Mate 2 from Shuffle Master contains hard-coded credentials for both root and web user interfaces, enabling unauthorized access to the system. Several management services—including SSH, HTTP, Telnet, SMB, and X11—are enabled by default, increasing the attack surface. If an attacker gains local or nearby access, they can leverage these credentials for administrative login, leading to full system control. After authentication, the attacker can manipulate firmware utilities and compromise the controller software, potentially establishing long-term access. Although recent firmware updates have disabled USB access, risks remain, particularly if configurations allow remote access through networks or other interfaces.

Affected Version(s)

Deck Mate 2 0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.

CVSS V4

Score: 7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Physical
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Public PoC available
  • Exploit known to exist
  • Vulnerability published
  • Vulnerability Reserved

Credit

Joseph Tartaro of IOActive
Enrique Nissim of IOActive
Ethan Shackelford of IOActive