External risk intelligence

Nuance PowerScribe Network Code Execution via Untrusted Data Deserialization.

CVE advisory. Severity: CRITICAL (CVSS 9.8)

CVE-2026-26142

A critical vulnerability in Nuance PowerScribe allows unauthorized remote code execution over a network due to untrusted data deserialization. If reachable, this could compromise system integrity and data. Determining whether your organization uses this technology, and how it is exposed on the network, is crucial.

Halo Surface Signal score: 3

Deserialization

External exposure likelihood

Halo Surface Signal score for CVE-2026-26142

Nuance PowerScribe is typically deployed within clinical or healthcare internal networks to manage radiology reporting and imaging. While network-based code execution is possible, these systems are generally isolated from the public internet by hospital firewalls and internal security controls, making direct internet-facing exposure uncommon in standard deployments.

PCI scan relevance

PCI Relevance for CVE-2026-26142

Yes

CVE-2026-26142 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability, a deserialization flaw in Nuance PowerScribe, allows remote code execution and is relevant for PCI scans due to its potential to bypass security controls.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in Nuance PowerScribe, a system used for radiology reporting, which could allow unauthorized attackers to execute code remotely over a network. The immediate task is to confirm whether this technology is in use and whether it is exposed in a way that would let an attacker reach this weakness.

  • Remote code execution risk in radiology reporting systems.
  • Important for confirming system relevance and exposure.
  • Verify if Nuance PowerScribe is deployed and exposed.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending specially crafted data over a network to a vulnerable Nuance PowerScribe system. Because the system deserializes untrusted data, this could allow an unauthenticated attacker to execute arbitrary code on the affected system.

  • No authentication required.
  • Untrusted data deserialization.
  • Remote code execution.

Live Threat

Current exploitation, exposure, and threat context

Nuance PowerScribe, when exposed to a network, could allow an unauthorized attacker to run malicious code. This could impact the integrity and availability of the system and its data.

  • System code and data integrity.
  • Remote code execution over network.
  • Unauthorized system access and control.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Attackers can exploit a deserialization vulnerability in Nuance PowerScribe to execute code over a network. Application owners, in coordination with infrastructure and security teams, should prioritize identifying all PowerScribe instances, assessing their network reachability and criticality, and confirming accountable ownership for remediation planning.

  • Application owners should lead remediation efforts.
  • Verify network exposure and business criticality.
  • Plan remediation with relevant teams.

Frequently asked questions

What is Nuance PowerScribe?

Nuance PowerScribe is a specialized software platform utilized by healthcare organizations to streamline radiology reporting and manage diagnostic imaging workflows. It functions as a central repository and documentation system that allows clinicians to dictate, transcribe, and finalize medical reports, making it a critical component of clinical operations.

What does deserialization of untrusted data mean for CVE-2026-26142?

This vulnerability, classified as CWE-502, occurs when the software takes data from an untrusted source and attempts to reconstruct it into an object without sufficient validation. An attacker can manipulate this data to inject malicious instructions, tricking the application into executing unauthorized code.
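The CWE-502 pattern described above is easiest to see in a language-native serializer, where the byte stream itself names the class to import and construct. The following is an added illustration, not code from this page and not related to how PowerScribe serializes data; it uses Python's `pickle` as a stand-in and a constructed `RadiologyReport` placeholder type. It contrasts the unrestricted `pickle.loads()` with an allowlisting `Unpickler` (the `find_class` hook is documented in the `pickle` module) that refuses any type not explicitly approved.

```python
import datetime
import io
import pickle
from dataclasses import dataclass


@dataclass
class RadiologyReport:
    """Constructed placeholder for an application-level object; not a PowerScribe type."""
    accession: str
    body: str


class AllowlistUnpickler(pickle.Unpickler):
    """Unpickler that resolves only explicitly allowlisted classes.

    pickle.loads() imports and instantiates whatever global the byte stream
    names. Overriding find_class() is the standard hook for restricting that
    to types the application actually expects.
    """
    ALLOWED = {(RadiologyReport.__module__, RadiologyReport.__qualname__)}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to resolve {module}.{name}: not on the allowlist")


def unsafe_load(data: bytes):
    """The CWE-502 pattern: reconstruct whatever the untrusted bytes describe."""
    return pickle.loads(data)


def safe_load(data: bytes):
    """Hardened form: same wire format, but only allowlisted types can be materialised."""
    return AllowlistUnpickler(io.BytesIO(data)).load()


def classify(data: bytes) -> str:
    """Return 'accepted' or 'rejected' for an incoming serialized message."""
    try:
        safe_load(data)
        return "accepted"
    except pickle.UnpicklingError:
        return "rejected"


# Constructed sample messages, not captured traffic.
LEGIT = pickle.dumps(RadiologyReport("ACC-0001", "No acute findings."))
# A message naming a type outside the allowlist. datetime.date is harmless;
# the point is that the bytes, not the server code, choose which class gets
# imported and called during deserialization.
FOREIGN_TYPE = pickle.dumps(datetime.date(2026, 1, 1))

if __name__ == "__main__":
    print("legit message:", classify(LEGIT))           # accepted
    print("foreign type:", classify(FOREIGN_TYPE))     # rejected
    print("pickle.loads accepts it anyway:", unsafe_load(FOREIGN_TYPE))
```

The defensive point is that validation has to happen before object reconstruction, at the level of which types may exist at all; checking field values after `pickle.loads()` has already run is too late, because the class resolution and constructor calls are the dangerous step. Where an allowlist is not practical, the usual advice is to move to a data-only format (JSON with schema validation) rather than to sanitize the serialized bytes.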

How does an attacker trigger this vulnerability?

An attacker triggers this by sending specially crafted, malicious data over the network to the targeted system. The vulnerability does not require the attacker to have valid credentials or user interaction; however, it only executes if the system is configured to process the specific types of untrusted input that the software fails to sanitize.

Is my Nuance PowerScribe instance at risk?

According to Halo Surface Signal, risk depends heavily on network placement. While the bug allows network-based code execution, these systems are typically housed within internal clinical networks protected by firewalls. Instances isolated from the public internet are significantly harder for unauthorized remote attackers to reach compared to those accidentally exposed.

What steps should I take if I use this software?

Begin by identifying all active instances of PowerScribe within your environment. Verify whether these systems are reachable from untrusted network segments. Coordinate with your security and infrastructure teams to document ownership of these assets and develop a plan to apply necessary software updates as they become available.
