An investigation into Perforce P4 servers by a security expert has revealed numerous instances of misconfiguration, leading to potential data breaches. These servers, crucial for large-scale industries like AAA gaming and semiconductor design, present significant risks when improperly secured.
Research Unveils Security Weaknesses
In the spring of 2025, Australian security researcher Morgan Robertson conducted an analysis that identified 6,122 Perforce servers accessible via the internet. Alarmingly, 72% of these servers allowed unauthenticated read-only access to source code, a vulnerability created by a default-enabled remote user account. Additionally, 21% of the instances had accounts with no password, allowing direct read-write access.
Particularly concerning was Robertson’s discovery that 4% of these servers had an unprotected ‘superuser’ account, which could lead to complete system takeover through command injection. The research also pointed out that most servers inadvertently exposed user enumeration and server information.
Vulnerable Organizations at Risk
The unprotected servers were traced back to a diverse range of organizations, including AAA and indie game developers, universities, and manufacturers. Affected sectors also included interactive media firms, crypto projects, and more. Notably, some servers belonged to major entities such as a regional defense contractor and several medical technology providers.
These servers contained sensitive information like client data, internal projects, and product schematics. Robertson emphasized that these figures only represent publicly exposed infrastructure, noting that many internal networks might share similar vulnerabilities.
Perforce’s Response and Mitigation Efforts
Upon being informed of these vulnerabilities last year, Perforce responded swiftly by disabling the default remote user and updating their security documentation. The company highlighted the importance of proper configuration and maintenance to ensure the security of their system, which is trusted by numerous high-security organizations.
Perforce acknowledged that any server left in a permissive state could create security risks over time, stressing the need for proactive protection against potential attackers.
In addition to notifying Perforce, Robertson reached out to over 60 affected organizations to alert them to these exposures, underscoring the critical need for immediate action to secure their data.