CVE-2026-26142 – Nuance PowerScribe Remote Code Execution Vulnerability
“A single malicious network request can become a direct path to complete system compromise when untrusted data is allowed to control application behavior.”
Nuance PowerScribe is affected by a critical remote code execution vulnerability caused by the deserialization of untrusted data. The flaw allows an unauthenticated attacker to execute arbitrary code over the network without requiring user interaction. Because the vulnerability can be exploited remotely and requires no privileges, successful attacks could provide attackers with full control over affected systems, potentially disrupting healthcare operations and exposing sensitive patient information.
CVSS Score: 9.8
SEVERITY: Critical
THREAT:
This vulnerability enables remote code execution through improper handling of serialized data. An attacker can send specially crafted network data to a vulnerable PowerScribe system and potentially execute arbitrary code. The combination of network accessibility, no authentication requirement, and no user interaction significantly increases the risk of compromise.
EXPLOITS:
Publicly Disclosed: No
Exploited: No
Exploitability Assessment: Exploitation Less Likely
There is currently no indication in the provided data that public exploits, proof-of-concept code, or active exploitation exist. However, deserialization vulnerabilities are commonly targeted because they can often lead directly to remote code execution.
TECHNICAL SUMMARY:
CVE-2026-26142 is a deserialization of untrusted data vulnerability (CWE-502) affecting Nuance PowerScribe products. The application improperly processes serialized data received from remote sources, allowing crafted input to influence application execution. An attacker can leverage this flaw to execute arbitrary code within the context of the affected application. The vulnerability is remotely exploitable over the network, requires no privileges, and does not require user interaction. Successful exploitation could result in complete compromise of confidentiality, integrity, and availability of the affected system.
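To make the CWE-502 pattern concrete, the following is an added illustration written for this summary; it is not PowerScribe code, and the advisory does not describe PowerScribe's actual serialization format. Python's pickle stands in for any native serializer whose stream can name types the receiving application never meant to load. The record fields (`report_id`, `status`, `dictated_by`), the status vocabulary, and every function name are assumptions constructed for the example. The vulnerable handler is shown next to two hardened forms: a deserializer that refuses every global lookup, and a data-only format with explicit field validation.

```python
"""CWE-502 illustration: a handler that deserializes a network message with a
format able to reference arbitrary types, next to two hardened alternatives.

Added example only; not PowerScribe code and not its wire format. Python's
pickle stands in for any native serializer (e.g. a .NET or Java object stream)
whose payload can name a module and attribute for the receiver to resolve."""
import io
import json
import os
import pickle

# Constructed sample messages standing in for data received over the network.
# A benign record of the shape the application expects (fields are assumed).
BENIGN_RECORD = {"report_id": 42, "status": "final", "dictated_by": "dr.example"}
BENIGN_WIRE = pickle.dumps(BENIGN_RECORD)

# A stream that names a global the application never uses. The harmless
# builtin os.getcwd is referenced here; what matters is that the *sender*
# chose which module and attribute the receiver imports and resolves.
FOREIGN_WIRE = pickle.dumps(os.getcwd)


def handle_message_unsafe(raw: bytes):
    """Vulnerable pattern: whatever the stream names is imported and resolved."""
    return pickle.loads(raw)


# Hardened pattern 1: keep the format but forbid every global lookup.
# Plain containers and scalars (dict, list, int, str, ...) are encoded without
# any GLOBAL opcode, so the allowlist can be empty for this data model.
ALLOWED_GLOBALS = frozenset()


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module: str, name: str):
        # Every type reference in the stream passes through here.
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not permitted")


def handle_message_restricted(raw: bytes):
    return RestrictedUnpickler(io.BytesIO(raw)).load()


# Hardened pattern 2 (preferred): a data-only format plus explicit validation,
# so a message can carry values but never a reference to code.
VALID_STATUS = {"draft", "preliminary", "final"}  # assumed vocabulary


def handle_message_json(raw: bytes) -> dict:
    obj = json.loads(raw.decode("utf-8"))
    if not isinstance(obj, dict):
        raise ValueError("top-level value must be a JSON object")
    report_id = obj.get("report_id")
    if not isinstance(report_id, int) or isinstance(report_id, bool):
        raise ValueError("report_id must be an integer")
    if obj.get("status") not in VALID_STATUS:
        raise ValueError("status is not one of the permitted values")
    if not isinstance(obj.get("dictated_by"), str):
        raise ValueError("dictated_by must be a string")
    # Rebuild the record from validated fields only; unknown keys are dropped.
    return {"report_id": report_id, "status": obj["status"],
            "dictated_by": obj["dictated_by"]}


def rejects(handler, raw: bytes) -> bool:
    """True if the handler refuses the message instead of resolving it."""
    try:
        handler(raw)
    except (pickle.UnpicklingError, ValueError, UnicodeDecodeError):
        return True
    return False


if __name__ == "__main__":
    print("unsafe handler resolved a foreign global:",
          callable(handle_message_unsafe(FOREIGN_WIRE)))
    print("restricted handler rejected it:",
          rejects(handle_message_restricted, FOREIGN_WIRE))
    print("json handler accepted a valid record:",
          handle_message_json(json.dumps(BENIGN_RECORD).encode()) == BENIGN_RECORD)
```

The unsafe handler returns a live function object for a message that merely named it, which is exactly the control over application behaviour the advisory describes. The restricted unpickler accepts the benign record (it needs no global lookups) and refuses the foreign reference; the JSON handler refuses the pickle bytes outright and also rejects well-formed JSON whose fields have the wrong type.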
Affected Microsoft product confirmed from the data:
Nuance PowerScribe
EXPLOITABILITY:
Affected versions include:
Nuance PowerScribe 360 4.0
Nuance PowerScribe 360 versions 4.0.1 through 4.0.9
Nuance PowerScribe One versions 2019.1 through 2019.10
PowerScribe One version 2023.1 SP2 Patch 11
PowerScribe One version 2023.1 SP3 Patch 6
An unauthenticated attacker could exploit the vulnerability remotely by sending specially crafted serialized data to a vulnerable system.
BUSINESS IMPACT:
PowerScribe products are commonly used in healthcare environments where availability and data integrity are critical. A successful compromise could allow attackers to disrupt clinical workflows, access sensitive patient information, deploy ransomware, or establish persistent access within the environment. Systems supporting diagnostic and reporting functions could become unavailable at critical times, creating operational and regulatory risks.
WORKAROUND:
No mitigations or workarounds are listed.
Organizations should apply the vendor-provided security updates as soon as they become available and limit unnecessary network exposure of PowerScribe services where possible.
URGENCY:
This vulnerability warrants rapid patching because it combines remote network access, no authentication requirements, no user interaction, and complete impact to confidentiality, integrity, and availability. With a CVSS v3.1 score of 9.8, the flaw presents a significant risk of full system compromise if targeted by attackers. Healthcare organizations and environments with exposed PowerScribe systems should prioritize deployment of the available fixes.
Key Details
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- CWE Classification: CWE-502