
CVE-2025-34501: CWE-798 Use of Hard-coded Credentials in Light & Wonder, Inc. / SHFL Entertainment, Inc. / Shuffle Master, Inc. Deck Mate 2

Severity: High
Tags: Vulnerability, CVE-2025-34501, CWE-798
Published: Mon Nov 03 2025 (11/03/2025, 21:56:54 UTC)
Source: CVE Database V5
Vendor/Project: Light & Wonder, Inc. / SHFL Entertainment, Inc. / Shuffle Master, Inc.
Product: Deck Mate 2

Description

Deck Mate 2 is distributed with static, hard-coded credentials for the root shell and web user interface, while multiple management services (SSH, HTTP, Telnet, SMB, X11) are enabled by default. If an attacker can reach these interfaces - most often through local or near-local access such as connecting to the USB or Ethernet ports beneath the table - the built-in credentials permit administrative login and full control of the system. Once authenticated, an attacker can access firmware utilities, modify controller software, and establish persistent compromise. Remote attack paths via network, cellular, or telemetry links may exist in specific configurations but generally require additional capabilities or operator error. The vendor reports that USB access has been disabled in current firmware builds.

AI-Powered Analysis

Last updated: 11/03/2025, 23:03:20 UTC

Technical Analysis

CVE-2025-34501 identifies a high-severity vulnerability in the Deck Mate 2 device produced by Light & Wonder, Inc. The root cause is the presence of static, hard-coded credentials embedded within the device firmware for both the root shell and the web user interface. These credentials allow administrative access without requiring user-specific authentication. The device runs multiple management services by default, including SSH, HTTP, Telnet, SMB, and X11, which expose attack surfaces reachable primarily through local or near-local access. Attackers with physical access to the USB or Ethernet ports located beneath gaming tables can authenticate using these hard-coded credentials. Once authenticated, they gain full control over the system, enabling them to access firmware utilities, alter controller software, and establish persistent backdoors. Although remote exploitation via network, cellular, or telemetry links is theoretically possible, it generally demands additional attacker capabilities or operator misconfigurations, making it less likely. The vendor has addressed some attack vectors by disabling USB access in newer firmware versions, reducing the risk of local exploitation. The vulnerability is assigned a CVSS 4.0 score of 7.0, indicating high severity: complete system compromise is possible without user interaction or prior privileges, but the need for physical or near-physical access limits the score. This vulnerability falls under CWE-798, use of hard-coded credentials, a well-known security anti-pattern that severely undermines device security. No known exploits have been reported in the wild as of the publication date. The affected product is primarily used in gaming and casino environments, where physical access controls and network segmentation are critical to security.

Potential Impact

For European organizations, particularly those in the gaming and casino sectors, this vulnerability poses a significant risk of unauthorized administrative access leading to full system compromise. Attackers gaining control over Deck Mate 2 devices can manipulate gaming outcomes, disrupt operations, or install persistent malware, potentially causing financial losses and reputational damage. The presence of multiple enabled management services increases the attack surface, and physical or near-physical access requirements highlight the importance of physical security controls. Additionally, compromised devices could serve as pivot points for lateral movement within corporate networks, threatening broader IT infrastructure. Regulatory compliance risks also arise, as unauthorized access and manipulation of gaming devices may violate industry standards and data protection laws such as GDPR. The potential for remote exploitation, although limited, cannot be fully discounted in certain configurations, increasing the threat scope. Overall, the vulnerability could undermine trust in gaming operations and lead to significant operational and legal consequences for European operators.

Mitigation Recommendations

European organizations should prioritize updating Deck Mate 2 devices to the latest firmware versions that disable USB access and address hard-coded credential issues if patches become available. Until patches are released, organizations must enforce strict physical security controls to prevent unauthorized access to USB and Ethernet ports beneath gaming tables, including tamper-evident seals and surveillance. Network segmentation should isolate gaming devices from broader corporate networks to limit lateral movement in case of compromise. Disable or restrict unnecessary management services (SSH, Telnet, SMB, X11, HTTP) on the devices to reduce attack surfaces. Implement strong monitoring and logging of device access and network traffic to detect anomalous activities promptly. Where possible, replace devices with known hard-coded credentials with more secure alternatives. Conduct regular security audits and penetration testing focusing on physical and network access to gaming devices. Train staff on the risks associated with physical access to critical gaming infrastructure and enforce strict access control policies. Collaborate with the vendor for timely updates and guidance on secure configurations. Finally, consider deploying intrusion detection systems tailored to detect exploitation attempts on these devices.
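As an added defensive example (not part of the advisory or the vendor's tooling), the following Python audits constructed connection logs from a table-network segment and flags any session to the management services the advisory lists as enabled by default. The port mapping, log line format, IP addresses and admin allow-list are assumptions.

```python
"""Audit constructed flow logs for sessions to Deck Mate 2 management services."""
from typing import Iterable, List, Optional, Tuple

# Advisory-listed default services mapped to conventional TCP ports (port mapping is an assumption).
MANAGEMENT_PORTS = {22: "ssh", 23: "telnet", 80: "http", 139: "smb", 445: "smb", 6000: "x11"}
# Services that would carry the hard-coded credentials in cleartext.
CLEARTEXT = {"telnet", "http", "x11"}

def parse_flow(line: str) -> Optional[Tuple[str, str, int]]:
    """Parse one constructed flow line: '<ts> <src_ip> -> <dst_ip>:<port> tcp'."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->" or parts[4].lower() != "tcp":
        return None
    dst, _, port = parts[3].rpartition(":")
    return (parts[1], dst, int(port)) if port.isdigit() else None

def audit_flows(lines: Iterable[str], device_ips: set, allowed_admins: set) -> List[tuple]:
    """Return (severity, src, dst, service) for each flow reaching a device management
    port: 'high' from any host outside the admin allow-list, 'medium' when an allowed
    host uses a cleartext service that should have been disabled on the device."""
    findings: List[tuple] = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        src, dst, port = flow
        if dst not in device_ips or port not in MANAGEMENT_PORTS:
            continue
        service = MANAGEMENT_PORTS[port]
        if src not in allowed_admins:
            findings.append(("high", src, dst, service))
        elif service in CLEARTEXT:
            findings.append(("medium", src, dst, service))
    return findings

# Constructed sample data: two table devices on a segmented VLAN, one admin jump host.
DEVICE_IPS = {"10.20.5.50", "10.20.5.51"}
ALLOWED_ADMINS = {"10.20.5.10"}
SAMPLE_FLOWS = [
    "2025-11-03T21:56:54Z 10.20.5.10 -> 10.20.5.50:22 tcp",    # jump host, SSH: allowed
    "2025-11-03T21:57:01Z 10.20.5.10 -> 10.20.5.50:23 tcp",    # jump host, Telnet: medium
    "2025-11-03T21:58:12Z 10.20.9.77 -> 10.20.5.50:445 tcp",   # unknown host, SMB: high
    "2025-11-03T21:58:40Z 10.20.9.77 -> 10.20.5.51:6000 tcp",  # unknown host, X11: high
    "2025-11-03T21:59:03Z 10.20.9.77 -> 10.20.5.51:443 tcp",   # not a listed service: ignored
    "2025-11-03T21:59:30Z 10.20.9.77 -> 10.20.8.8:23 tcp",     # not a table device: ignored
]

if __name__ == "__main__":
    for sev, src, dst, svc in audit_flows(SAMPLE_FLOWS, DEVICE_IPS, ALLOWED_ADMINS):
        print(f"[{sev}] {src} -> {dst} ({svc})")
```

On the sample data this reports one medium finding (an allowed host using Telnet) and two high findings (an unlisted host reaching SMB and X11), which is the kind of signal the segmentation and monitoring recommendations above are meant to produce.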


Technical Details

Data Version: 5.2
Assigner Short Name: VulnCheck
Date Reserved: 2025-04-15T19:15:22.611Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 690929a9fe7723195e0fd62f

Added to database: 11/3/2025, 10:16:09 PM

Last enriched: 11/3/2025, 11:03:20 PM

Last updated: 11/5/2025, 1:27:56 PM
