CVE-2025-34500 identifies a critical vulnerability in the firmware update mechanism of Deck Mate 2 devices produced by Light & Wonder, Inc. The core issue lies in the use of a single hard-coded AES encryption key embedded in the device firmware, which is shared across all deployed units. This key is used to encrypt firmware update packages, but crucially, the device does not verify cryptographic signatures on these packages before installation. Instead, it relies on a truncated HMAC for integrity validation, which is cryptographically weak and susceptible to forgery or collision attacks. An attacker with access to the device's update interface, most commonly the USB update port, can exploit these weaknesses by crafting malicious firmware packages. Such packages can bypass integrity checks and execute arbitrary code with root privileges, allowing persistent compromise of the device's firmware and manipulation of the deck randomization process. This undermines the device's core function and trustworthiness, especially critical in regulated gaming environments. While physical or on-premises access is the primary attack vector, deployments that expose the update interface over a network or enable telemetry could be remotely exploited if misconfigured. The vendor has responded by releasing firmware updates that remove the hard-coded key, implement proper signature verification, and disable USB update access on affected devices. The vulnerability is classified under CWE-321 (Use of Hard-coded Cryptographic Key), CWE-327 (Use of a Broken or Risky Cryptographic Algorithm), and CWE-347 (Improper Verification of Cryptographic Signature). The CVSS 4.0 vector indicates the attack requires physical access (AV:P), has low attack complexity (AC:L), no privileges or user interaction required (PR:N/UI:N), and results in high confidentiality, integrity, and availability impacts (VC:H/VI:H/VA:H). No known exploits are currently reported in the wild.

For European organizations, particularly those in the gaming, gambling, and casino sectors where Deck Mate 2 devices are deployed, this vulnerability poses significant risks. Exploitation can lead to unauthorized manipulation of card decks, undermining game fairness and regulatory compliance, potentially resulting in financial losses, reputational damage, and legal consequences. Persistent root-level compromise could allow attackers to maintain control over devices, evade detection, and manipulate outcomes over extended periods. The integrity and trustworthiness of gaming operations could be severely impacted, affecting customer confidence and regulatory standing. Although physical access is the main attack vector, any misconfigured network or telemetry exposure could broaden the attack surface, increasing risk. Given the criticality of gaming regulations in Europe, especially in countries with large gambling markets, the impact extends beyond technical compromise to regulatory and business continuity concerns.

European organizations should immediately verify that all Deck Mate 2 devices are updated with the vendor's latest firmware that removes the hard-coded AES key, implements robust cryptographic signature verification, and disables USB update access. Physical security controls must be strengthened to restrict unauthorized access to devices, including securing USB ports and monitoring access to on-premises gaming equipment. Network configurations should be audited to ensure that update interfaces and telemetry systems are not exposed externally or to untrusted internal networks. Deploy network segmentation and strict access controls around gaming device infrastructure. Implement continuous monitoring for anomalous firmware update attempts or unexpected device behavior. Where possible, replace affected devices with newer models that incorporate secure update mechanisms. Additionally, conduct regular security assessments and compliance audits to verify that mitigation measures remain effective and that no unauthorized firmware modifications have occurred.