PT-2025-43687 · Unknown · Deck Mate 2
Enrique Nissim +2 · Published 2025-10-24 · Updated 2025-10-25 · CVE-2025-34500
CVSS v4.0: 7.0 (High)
Vector: AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
Deck Mate 2 (affected versions not specified)
Description
The firmware update mechanism for Deck Mate 2 does not verify cryptographic signatures on update packages. Updates are encrypted using a single, hard-coded AES key shared across all devices and employ a truncated HMAC for integrity validation. This allows attackers with access to the update interface, typically through the USB port, to create or modify firmware packages to execute arbitrary code as root. This could lead to a persistent compromise of the device's integrity and the randomization process. Physical access or on-premises network access is the most likely attack vector, though remote exploitation is theoretically possible with misconfigured network or telemetry deployments.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
LPE
Use of a Broken Cryptographic Algorithm
Improper Verification of Cryptographic Signature
Affected Products
Deck Mate 2