CVE-2025-30398 · Nuance PowerScribe 360 Information Disclosure Vulnerability

Missing authorization in Nuance PowerScribe allows an unauthorized attacker to disclose information over a network.

According to the CVSS metric, user interaction is required (UI:R) and privileges required are none (PR:N). What does that mean for this vulnerability? An unauthorized attacker must wait for a user to initiate a connection.

How could an attacker exploit this vulnerability? An unauthenticated attacker could exploit this vulnerability by making an API call to a specific endpoint. The attacker could then use the data to gain access to sensitive information on the server.

Why is a login required to view the Release Notes for the products listed in the Security Updates table? Only Nuance customers have access to the release notes via their customer account.

According to the CVSS metrics, successful exploitation of this vulnerability could lead to major loss of confidentiality (C:H), and integrity (I:H), but could lead to no loss of availability (A:N). What does that mean for this vulnerability? Exploiting this vulnerability could allow an attacker to view highly sensitive user information and modify data, but they cannot affect the availability of the service.

How do I get the update for my version of PowerScribe? Customers using any of the affected versions of PowerScribe listed in the Security Updates table can contact your Customer Success Manager (CSM) or Technical Support at (800) 833-7776 to request an update.

What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is PowerScribe configuration settings.