CVE-2025-30398 is a vulnerability identified in Microsoft Nuance PowerScribe 360 version 4.0.5, a widely used radiology reporting software. The root cause is a missing authorization check (CWE-862), which allows an attacker without any privileges to access sensitive information over the network. Specifically, the software fails to properly verify whether a user or system component is authorized to access certain data or functionality, enabling unauthorized disclosure. The CVSS 3.1 base score of 8.1 reflects the vulnerability's network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), but requiring user interaction (UI:R). The scope is unchanged (S:U), and the impact on confidentiality and integrity is high (C:H/I:H), while availability is unaffected (A:N). Although no exploits have been reported in the wild, the public disclosure means attackers could develop exploits. The vulnerability is particularly concerning in healthcare settings where PowerScribe 360 is used to manage sensitive patient imaging data. Unauthorized disclosure could lead to breaches of patient privacy, regulatory non-compliance (e.g., GDPR), and erosion of trust. The lack of available patches at the time of disclosure necessitates interim mitigations such as network segmentation and monitoring. Given the critical nature of medical data and the reliance on this software in clinical workflows, this vulnerability demands urgent attention from security teams in affected organizations.

The primary impact of CVE-2025-30398 is unauthorized disclosure of sensitive medical information, which can severely compromise patient confidentiality and violate data protection regulations such as GDPR. For European healthcare providers, this could result in significant legal and financial penalties, damage to reputation, and loss of patient trust. The integrity impact means attackers could potentially manipulate or corrupt data, leading to incorrect diagnoses or treatment plans. Although availability is not affected, the breach of confidentiality and integrity in healthcare environments can have life-threatening consequences. The vulnerability's ease of exploitation (no privileges required and low complexity) increases the risk of widespread attacks once exploit code becomes available. European organizations relying on PowerScribe 360 for radiology reporting and image management are especially vulnerable, as the software handles large volumes of sensitive patient data. The impact extends beyond individual organizations to national healthcare systems and public health infrastructure, potentially disrupting critical medical services and data sharing.

1. Immediately restrict network access to the PowerScribe 360 service to trusted internal networks only, using firewalls and network segmentation to limit exposure. 2. Implement strict access control policies and monitor authentication logs for unusual or unauthorized access attempts. 3. Deploy network intrusion detection/prevention systems (IDS/IPS) to identify anomalous traffic patterns indicative of exploitation attempts. 4. Educate clinical and IT staff about the vulnerability and the importance of cautious interaction with the software to minimize user interaction risks. 5. Regularly audit and review user permissions and roles within PowerScribe 360 to ensure least privilege principles are enforced. 6. Coordinate with Microsoft and Nuance for timely receipt and deployment of official patches or updates addressing this vulnerability. 7. Consider temporary isolation of affected systems from external networks until patches are available. 8. Conduct penetration testing and vulnerability scanning focused on PowerScribe 360 deployments to identify potential exploitation vectors. 9. Maintain comprehensive incident response plans tailored to healthcare data breaches to enable rapid containment and remediation if exploitation occurs.