CVE-2025-34503
BaseFortify

Publication date: 2025-10-24

Last updated on: 2025-10-27

Assigner: VulnCheck

Description
Deck Mate 1 executes firmware directly from an external EEPROM without verifying authenticity or integrity. An attacker with physical access can replace or reflash the EEPROM to run arbitrary code that persists across reboots. Because this design predates modern secure-boot or signed-update mechanisms, affected systems should be physically protected or retired from service. The vendor has not indicated that firmware updates are available for this legacy model.
Meta Information
Generated: 2026-06-16
AI Q&A: 2025-10-25
EPSS evaluated: 2026-06-15
Affected Vendors & Products (2 associated CPEs)

Vendor          Product       Version / Range
shuffle_master  deck_mate_2   *
shuffle_master  deck_mate_1   *
CWE ID     Description
CWE-1326   A missing immutable root of trust in the hardware results in the ability to bypass secure boot or execute untrusted or adversarial boot code.
CWE-347    The product does not verify, or incorrectly verifies, the cryptographic signature for data.
Executive Summary

This vulnerability exists because Deck Mate 1 executes firmware directly from an external EEPROM without verifying its authenticity or integrity. An attacker with physical access can replace or reflash the EEPROM to run arbitrary code that persists even after rebooting the device. This is due to the device lacking modern secure-boot or signed-update mechanisms.

Impact Analysis

If an attacker gains physical access to the device, they can install malicious firmware that runs arbitrary code persistently. This could lead to unauthorized control or manipulation of the device, potentially compromising its functionality and security.

Mitigation Strategies

Because the device executes firmware from an external EEPROM without verification and no firmware updates are available, the immediate mitigations are to physically protect the affected systems against unauthorized access or to retire them from service.
