
CVE-2025-30398: CWE-862: Missing Authorization in Microsoft Nuance PowerScribe 360 version 4.0.5

Severity: High
Tags: Vulnerability, CVE-2025-30398, CWE-862
Published: Tue Nov 11 2025 (11/11/2025, 17:59:51 UTC)
Source: CVE Database V5
Vendor/Project: Microsoft
Product: Nuance PowerScribe 360 version 4.0.5

Description

Missing authorization in Nuance PowerScribe allows an unauthorized attacker to disclose information over a network.

AI-Powered Analysis

Last updated: 01/02/2026, 23:04:12 UTC

Technical Analysis

CVE-2025-30398 is a vulnerability classified under CWE-862 (Missing Authorization) affecting Microsoft Nuance PowerScribe 360 version 4.0.5, widely used radiology reporting software. The flaw arises because the software fails to enforce proper authorization checks, allowing an attacker without any privileges to access sensitive information over the network. The CVSS v3.1 score of 8.1 reflects a high-severity issue: the attack vector is network (AV:N), attack complexity is low (AC:L), no privileges are required (PR:N), but user interaction is required (UI:R). The scope is unchanged (S:U); the impact on confidentiality and integrity is rated high (C:H/I:H), while availability is unaffected (A:N). Note that the vendor description mentions only information disclosure, whereas the vector also rates integrity impact as high; taken together, they indicate an attacker could potentially exfiltrate or manipulate sensitive patient data remotely without authentication, posing a significant risk to data confidentiality and integrity. Although no known exploits are currently reported in the wild, the vulnerability's nature and impact make it a critical concern for healthcare providers, and the lack of available patches increases the urgency of interim mitigations. The vulnerability was publicly disclosed on November 11, 2025; the CVE identifier had been reserved since March 2025. The affected product is primarily deployed in healthcare environments, where patient data privacy is paramount, which makes this vulnerability particularly sensitive. The user-interaction requirement suggests that exploitation would involve tricking a user into performing an action, such as clicking a link or opening a file, which could be leveraged in targeted phishing campaigns. Overall, this vulnerability represents a significant risk to the confidentiality and integrity of medical data handled by PowerScribe 360 installations.

Potential Impact

For European organizations, especially those in the healthcare sector, this vulnerability poses a severe risk to patient data confidentiality and integrity. Unauthorized disclosure of sensitive medical information can lead to privacy violations, regulatory penalties under GDPR, and loss of patient trust. The integrity impact means attackers could potentially alter diagnostic reports, leading to misdiagnosis or improper treatment. Since the vulnerability can be exploited remotely over the network without privileges, it increases the attack surface significantly. The requirement for user interaction suggests phishing or social engineering could be vectors, which are common attack methods in Europe. The absence of patches means organizations must rely on compensating controls, increasing operational complexity. Healthcare providers in Europe are heavily regulated and must ensure compliance with strict data protection laws, making this vulnerability particularly critical. Additionally, disruption or manipulation of medical data can have direct consequences on patient safety, elevating the threat beyond typical data breaches. The impact extends to healthcare IT infrastructure, potentially affecting trust in digital health services and increasing costs related to incident response and remediation.

Mitigation Recommendations

1. Immediately implement network segmentation to isolate Nuance PowerScribe 360 servers from untrusted networks and limit access to only essential personnel and systems.
2. Employ strict access controls and monitor all network traffic to and from the affected systems for unusual or unauthorized access attempts.
3. Educate users on phishing and social engineering risks to reduce the likelihood of user-interaction exploitation.
4. Deploy intrusion detection and prevention systems (IDS/IPS) with signatures or heuristics tuned to detect anomalous behavior related to PowerScribe 360.
5. Restrict exposure of the affected software to the internet or external networks; use VPNs or secure tunnels for remote access.
6. Maintain comprehensive logging and audit trails to facilitate rapid detection and forensic analysis in case of exploitation.
7. Coordinate with Microsoft and Nuance for timely updates and patches; prepare to apply them immediately upon release.
8. Conduct regular vulnerability assessments and penetration testing focusing on authorization controls within healthcare applications.
9. Consider implementing data encryption at rest and in transit to mitigate data disclosure risks.
10. Develop and rehearse incident response plans specific to healthcare data breaches involving diagnostic systems.


Technical Details

Data Version: 5.2
Assigner Short Name: microsoft
Date Reserved: 2025-03-21T19:09:29.816Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69137c4747ab3590319da053

Added to database: 11/11/2025, 6:11:19 PM

Last enriched: 1/2/2026, 11:04:12 PM

Last updated: 1/7/2026, 8:55:05 AM
