CVE-2025-34501

Brute Force

Deck Mate 2 is distributed with static, hard-coded credentials for the root shell and web user interface, while multiple management services (SSH, HTTP, Telnet, SMB, X11) are enabled by default. If an attacker can reach these interfaces - most often through local or near-local access such as connecting to the USB or Ethernet ports beneath the table - the built-in credentials permit administrative login and full control of the system. Once authenticated, an attacker can access firmware utilities, modify controller software, and establish persistent compromise. Remote attack paths via network, cellular, or telemetry links may exist in specific configurations but generally require additional capabilities or operator error. The vendor reports that USB access has been disabled in current firmware builds.
https://nvd.nist.gov/vuln/detail/CVE-2025-34501

Categories

CWE-798 : Use of Hard-coded Credentials
The product contains hard-coded credentials, such as a password or cryptographic key. Credential storage in configuration files is findable using black box methods, but the use of hard-coded credentials for an incoming authentication routine typically involves an account that is not visible outside of the code. Automated white box techniques have been published for detecting hard-coded credentials for incoming authentication, but there is some expert disagreement regarding their effectiveness and applicability to a broad range of methods. This weakness may be detectable using manual code analysis. Unless authentication is decentralized and applied throughout the product, there can be sufficient time for the analyst to find incoming authentication routines and examine the program logic looking for usage of hard-coded credentials. Configuration files could also be analyzed. For inbound authentication: Rather than hard-code a default username and password, key, or other authentication credentials for first time logins, utilize a "first login" mode that requires the user to enter a unique strong password or key. If the product must contain hard-coded credentials or they cannot be removed, perform access control checks and limit which entities can access the feature that requires the hard-coded credentials. For example, a feature might only be enabled through the system console instead of through a network connection. Condition Monitor firmware has a maintenance interface with hard-coded credentials Engineering Workstation uses hard-coded cryptographic keys that could allow for unathorized filesystem access and privilege escalation Distributed Control System (DCS) has hard-coded passwords for local shell access Programmable Logic Controller (PLC) has a maintenance service that uses undocumented, hard-coded credentials Firmware for a Safety Instrumented System (SIS) has hard-coded credentials for access to boot configuration Remote Terminal Unit (RTU) uses a hard-coded SSH private key that is likely to be used in typical deployments Telnet service for IoT feeder for dogs and cats has hard-coded password [REF-1288] Firmware for a WiFi router uses a hard-coded password for a BusyBox shell, allowing bypass of authentication through the UART port Installation script has a hard-coded secret token value, allowing attackers to bypass authentication SCADA system uses a hard-coded password to protect back-end database containing authorization information, exploited by Stuxnet worm FTP server library uses hard-coded usernames and passwords for three default accounts Chain: Router firmware uses hard-coded username and password for access to debug functionality, which can be used to execute arbitrary code Server uses hard-coded authentication key Backup product uses hard-coded username and password, allowing attackers to bypass authentication via the RPC interface Security appliance uses hard-coded password allowing attackers to gain root access Drive encryption product stores hard-coded cryptographic keys for encrypted configuration files in executable programs VoIP product uses hard-coded public credentials that cannot be changed, which allows attackers to obtain sensitive information VoIP product uses hard coded public and private SNMP community strings that cannot be changed, which allows remote attackers to obtain sensitive information Backup product contains hard-coded credentials that effectively serve as a back door, which allows remote attackers to access the file system

References

disclosure@vulncheck.com

https://www.ioactive.com/wp-content/uploads/2025/05/IOActive-card-shuffler-se...
https://www.vulncheck.com/advisories/shuffle-master-deck-mate-2-hard-coded-cr...

CPE

cpe	start	end

REMEDIATION

EXPLOITS

Exploit-db.com

id	description	date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
No known exploits

CAPEC

Common Attack Pattern Enumerations and Classifications

id	description	severity
191	Read Sensitive Constants Within an Executable	Low
70	Try Common or Default Usernames and Passwords An adversary may try certain common or default usernames and passwords to gain access into the system and perform unauthorized actions. An adversary may try an intelligent brute force using empty passwords, known vendor default credentials, as well as a dictionary of common usernames and passwords. Many vendor products come preconfigured with default (and thus well-known) usernames and passwords that should be deleted prior to usage in a production environment. It is a common mistake to forget to remove these default login credentials. Another problem is that users would pick very simple (common) passwords (e.g. "secret" or "password") that make it easier for the attacker to gain access to the system compared to using a brute force attack or even a dictionary attack using a full dictionary.	High

MITRE

Techniques

id	description
T1078.001	Valid Accounts:Default Accounts
T1552.001	Unsecured Credentials:Credentials in files
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Mitigations

id	description
M1027	Applications and appliances that utilize default username and password should be changed immediately after the installation, and before deployment to a production environment.
M1017	Ensure that developers and system administrators are aware of the risk associated with having plaintext passwords in software configuration files that may be left on endpoint systems or servers.
© 2022 The MITRE Corporation. Esta obra se reproduce y distribuye con el permiso de The MITRE Corporation.

Cybersecurity needs ?

Strengthen software security from the outset with our DevSecOps expertise

Integrate security right from the start of the software development cycle for more robust applications and greater customer confidence.
Our team of DevSecOps experts can help you secure your APIs, data pipelines, CI/CD chains, Docker containers and Kubernetes deployments.

Discover this offer

Soutenez No Hack Me sur Tipeee