
CVE-2025-30398: CWE-862: Missing Authorization in Microsoft Nuance PowerScribe 360 version 4.0.1

Severity: High
Tags: Vulnerability, CVE-2025-30398, CWE-862
Published: Tue Nov 11 2025 (11/11/2025, 17:59:51 UTC)
Source: CVE Database V5
Vendor/Project: Microsoft
Product: Nuance PowerScribe 360 version 4.0.1

Description

Missing authorization in Nuance PowerScribe allows an unauthorized attacker to disclose information over a network.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/14/2026, 07:15:05 UTC

Technical Analysis

CVE-2025-30398 is a missing-authorization flaw (CWE-862) in Microsoft Nuance PowerScribe 360 version 4.0.1, a radiology reporting platform used in hospital and imaging-center workflows. CWE-862 means the software performs an operation on a resource without first checking that the requesting actor is allowed to perform it. Here the unchecked operation exposes data over the network, so an attacker who can reach the service and holds no credentials can retrieve information they are not entitled to, which in a radiology reporting system is likely to include protected health information (PHI). The CVSS 3.1 base score of 8.1 is characterized here as high confidentiality and integrity impact with no availability impact, over a network vector with low attack complexity, no privileges and user interaction required; those metrics correspond to the vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N, which does score 8.1. Note that the vendor description above mentions only information disclosure, so treat the integrity component as unconfirmed until the vendor's published vector is checked. "User interaction required" means exploitation depends on a legitimate user doing something, for example following a link or opening content that causes their client to make a request, which is why phishing-style delivery is the realistic path. No in-the-wild exploitation has been reported, but the vulnerability is public, and healthcare data is an established target for both criminal and espionage-motivated actors. Where a vendor fix has not yet been deployed, the compensating controls below should be applied now: exploitation would mean unauthorized disclosure of patient data, with the regulatory exposure that follows.
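The page gives no implementation detail for the flaw, so the following is an added, generic illustration of the CWE-862 pattern, not PowerScribe code and not taken from any vendor material: a constructed report-lookup service whose handler returns a record for any identifier it is asked for, beside a handler that authenticates the caller and then authorizes them against the specific record. The record store, the site/role model, the role names and the patient labels are all assumptions made for the demonstration.

```python
"""Added illustration of CWE-862 (missing authorization). Generic and
constructed; this is not PowerScribe code and does not describe its internals.
All names, roles, sites and records below are assumptions for the demo."""
from dataclasses import dataclass, field
from typing import Optional


class AuthorizationError(Exception):
    """Raised by the hardened handler when the caller may not see a report."""


@dataclass(frozen=True)
class Principal:
    user: str
    site: str                                  # imaging site the user belongs to (assumed model)
    roles: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Report:
    report_id: int
    site: str
    patient: str
    findings: str                              # stands in for protected health information


# Constructed sample data; not real patients or reports.
REPORTS = {
    1001: Report(1001, "site-a", "PATIENT-A", "No acute findings."),
    1002: Report(1002, "site-b", "PATIENT-B", "Mass in right upper lobe."),
}


def get_report_vulnerable(principal: Optional[Principal], report_id: int) -> Report:
    """CWE-862: the only check is that the record exists.

    Whoever can reach the endpoint, authenticated or not, can read any report
    by guessing or enumerating its identifier; `principal` is never consulted.
    """
    return REPORTS[report_id]


def is_authorized(principal: Principal, report: Report) -> bool:
    """Object-level rule (assumed): radiologists and report administrators may
    read reports that belong to their own site, nothing else."""
    permitted_roles = {"radiologist", "report-admin"}
    return bool(principal.roles & permitted_roles) and principal.site == report.site


def get_report_hardened(principal: Optional[Principal], report_id: int) -> Report:
    """Authenticate first, then authorize against the specific record.

    Missing record and forbidden record produce the same error so an attacker
    cannot use the response to enumerate which identifiers exist.
    """
    if principal is None:
        raise AuthorizationError("authentication required")
    report = REPORTS.get(report_id)
    if report is None or not is_authorized(principal, report):
        raise AuthorizationError("report not found or access denied")
    return report


def hardened_outcome(principal: Optional[Principal], report_id: int) -> str:
    """Patient label on success, otherwise the denial reason (used by the demo)."""
    try:
        return get_report_hardened(principal, report_id).patient
    except AuthorizationError as exc:
        return "denied: " + str(exc)


def demo() -> dict:
    """Compare both handlers for an anonymous caller, a wrong-site user and a valid reader."""
    anonymous = None
    outsider = Principal("visitor", "site-b", frozenset({"scheduler"}))
    reader = Principal("dr.example", "site-a", frozenset({"radiologist"}))
    results = {"vuln_anonymous": get_report_vulnerable(anonymous, 1001).patient}
    for label, who in (("anonymous", anonymous), ("outsider", outsider), ("reader", reader)):
        results["hard_" + label] = hardened_outcome(who, 1001)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable handler is the shape CWE-862 describes: the identifier arriving over the network is treated as sufficient proof of entitlement. The hardened version makes two separate decisions, who is asking and whether that actor may see this particular record, and collapses "not found" and "forbidden" into one response so the endpoint cannot be used to enumerate valid report IDs.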

Potential Impact

The primary impact of CVE-2025-30398 is unauthorized disclosure of medical information. For European healthcare providers running Nuance PowerScribe 360 that is a personal-data breach under GDPR, with notification duties, potential fines and reputational and legal consequences. If the integrity component of the score is confirmed, radiology report content could also be altered, which in a reporting system can translate into misdiagnosis or treatment error. Availability is not affected, so service disruption is not the expected outcome; the confidentiality loss alone is serious enough to drive response. Exposed PHI also enables follow-on abuse such as identity theft, insurance fraud and targeted espionage. Because no privileges are required and the service is reachable over the network, a remote adversary can attempt exploitation, although the user-interaction requirement means the attacker still has to induce a legitimate user to act (for example through a phishing lure), which narrows the path compared with a fully unauthenticated remote flaw.

Mitigation Recommendations

1. Track Microsoft and Nuance advisories for CVE-2025-30398 and apply the vendor update as soon as it is available; afterwards confirm the installed PowerScribe 360 build on every server and workstation rather than assuming the deployment succeeded.
2. Until the update is in place, segment the network so PowerScribe servers are reachable only from radiology workstations, RIS/PACS integration hosts and administrative jump hosts, with no route from general user VLANs, guest networks or the internet.
3. Place an authenticating gateway (VPN or reverse proxy enforcing multi-factor authentication) in front of the PowerScribe network path. Because the flaw itself requires no privileges, MFA inside PowerScribe does not close it; the value of the gateway is that a network request must be authenticated before it can reach the vulnerable service at all.
4. Tune IDS/IPS or network anomaly detection for this service. No public signature is listed on this page, so focus on behaviour: requests to PowerScribe endpoints with no authenticated user, report retrieval from unexpected source addresses, and rapid access to many distinct report identifiers from one client.
5. Include authorization checks in regular security audits and vulnerability assessments of healthcare applications, in particular whether every data-returning operation verifies the caller's entitlement to the specific record.
6. Educate staff about phishing and social engineering, since exploitation requires a user action that an attacker must induce.
7. Review firewall rules so that only the ports PowerScribe actually uses (as documented by the vendor for your deployment) are open, and only between the hosts identified in step 2; deny everything else in both directions.
8. Keep application and proxy logs that record source address, authenticated user and the resource requested, retain them long enough to support investigation, and alert on unauthenticated retrieval of report data so an attempt is detected and contained promptly.
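The monitoring recommendations (items 4 and 8) can be turned into a concrete check. The following is an added example, not part of the advisory and not a PowerScribe feature: it runs three behavioural rules over a small constructed access log. It assumes that PowerScribe sits behind a reverse proxy writing one line per request in the form `<timestamp> <client ip> <user or -> <method> <path> <status>`, that report data is served under the path prefix `/reports/` and that the only legitimate clients are on a radiology segment 10.20.0.0/16. The log lines, addresses, user names, path prefix and subnet are all invented for the demonstration; adjust them to the real deployment.

```python
"""Added detection example for the logging/monitoring recommendations above.
Not part of the advisory, not a PowerScribe feature. Log format, path prefix,
subnet and every log line are constructed assumptions for the demo."""
import ipaddress
import re
from collections import defaultdict

ALLOWED_SEGMENTS = [ipaddress.ip_network("10.20.0.0/16")]   # assumed radiology VLAN
REPORT_PATH = re.compile(r"^/reports/(\d+)")                  # assumed report-data endpoint
ENUMERATION_THRESHOLD = 3      # distinct report IDs from one client before alerting (tunable)

# Assumed proxy log format: <timestamp> <client ip> <user or -> <method> <path> <status>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Constructed sample log; addresses, users and paths are invented.
SAMPLE_LOG = """\
2025-11-12T08:00:01Z 10.20.4.15 dr.example GET /reports/1001 200
2025-11-12T08:00:07Z 10.20.4.15 dr.example GET /static/app.js 200
2025-11-12T08:01:10Z 10.99.7.3 - GET /reports/1002 200
2025-11-12T08:01:11Z 10.99.7.3 - GET /reports/1003 200
2025-11-12T08:01:12Z 10.99.7.3 - GET /reports/1004 200
2025-11-12T08:02:00Z 10.20.9.8 - GET /login 200
"""


def parse(line: str):
    """Parse one log line into a dict, or None if it does not match the assumed format."""
    match = LOG_LINE.match(line)
    if not match:
        return None
    record = match.groupdict()
    record["status"] = int(record["status"])
    return record


def in_allowed_segment(ip_text: str) -> bool:
    """True when the client address lies inside one of the permitted segments."""
    address = ipaddress.ip_address(ip_text)
    return any(address in network for network in ALLOWED_SEGMENTS)


def analyse(log_text: str):
    """Return (rule, client_ip, detail) alerts for successful report retrievals that
    were unauthenticated, came from outside the allowed segment, or look like enumeration."""
    alerts = []
    ids_by_client = defaultdict(set)
    for line in log_text.splitlines():
        record = parse(line)
        if record is None:
            continue                              # unparseable line: skip, do not crash the job
        match = REPORT_PATH.match(record["path"])
        if not match or record["status"] != 200:
            continue                              # only successful report reads matter here
        report_id = match.group(1)
        if record["user"] == "-":
            alerts.append(("unauthenticated_report_read", record["ip"], record["path"]))
        if not in_allowed_segment(record["ip"]):
            alerts.append(("outside_allowed_segment", record["ip"], record["path"]))
        ids_by_client[record["ip"]].add(report_id)
    for ip, ids in ids_by_client.items():
        if len(ids) >= ENUMERATION_THRESHOLD:
            alerts.append(("report_enumeration", ip, f"{len(ids)} distinct report ids"))
    return alerts


if __name__ == "__main__":
    for rule, ip, detail in analyse(SAMPLE_LOG):
        print(f"{rule:28} {ip:12} {detail}")
```

On the sample data the authenticated radiologist on the allowed segment produces no alert, while the unauthenticated client on 10.99.7.3 trips all three rules. The rules are deliberately independent so that each one still fires when the others do not apply, for example an authenticated account reading an unusual number of reports from inside the allowed segment.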


Technical Details

Data Version: 5.2
Assigner Short Name: microsoft
Date Reserved: 2025-03-21T19:09:29.816Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69137c4747ab3590319da053

Added to database: 11/11/2025, 6:11:19 PM

Last enriched: 2/14/2026, 7:15:05 AM

Last updated: 3/24/2026, 5:59:13 PM
