Shuffle Master Deck Mate 2 Hard-Coded Credentials and Exposed Services Vulnerability

Vulnerability

A vulnerability exists in the Shuffle Master Deck Mate 2 card shuffler due to hard-coded credentials for the root shell and web user interface. This issue is compounded by multiple management services (SSH, HTTP, Telnet, SMB, X11) being enabled by default. The vulnerability allows for administrative login and full control of the system, including access to firmware utilities and the ability to modify controller software. While the vendor has reported disabling USB access in current firmware builds, such access was available in earlier versions, creating a potential attack vector. Additionally, remote exploitation may be possible in certain configurations, but typically requires extra capabilities or operator error.

Impact

Exploitation of this vulnerability allows for unauthorized administrative access to the shuffler, enabling full control over the device. This includes the ability to manipulate the shuffling process, potentially leading to cheating in poker games by controlling the order of cards dealt to players.

Reproduction

The vulnerability can be reproduced by connecting to the exposed management services via the default-enabled SSH, HTTP, Telnet, SMB, or X11 interfaces. This can be done locally, through the USB or Ethernet ports accessible under the poker table, or remotely in some configurations.

Remediation

The vendor has released a firmware update addressing these vulnerabilities as of October 23, 2025.

Added: Nov 3, 2025, 10:30 PM
Updated: Nov 3, 2025, 10:30 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 8.4
remediation: 0.0
relevance: 0.8
threat: 4.8
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.