Exposed Perforce P4 Servers Leave Source Code Vulnerable to Unauthorized Access A recent investigation by Australian security researcher Morgan Robertson has uncovered widespread misconfigurations in internet-exposed Perforce P4 servers, exposing sensitive source code to potential breaches. Of the 6,122 publicly accessible instances analyzed, 72% allowed read-only access via a default remote user account, while 21% had at least one account with no password, granting direct read-write permissions. Even more alarmingly, 4% of servers were vulnerable to full system compromise due to an unsecured "superuser" account. Among the 2,826 servers still active at their original IP addresses, 54% permitted unauthenticated read-only access to source code. The affected organizations span multiple industries, including a North American law enforcement software provider, a commercial EV startup, a global industrial automation firm, and a banking software manufacturer. Robertson has notified Perforce and over 60 impacted entities about the exposures, though the full scope of potential data leaks remains unclear. The findings highlight persistent risks tied to improperly secured version control systems in enterprise environments.

Thousands of Perforce Servers Exposed in Widespread Misconfiguration Crisis In spring 2025, Australian security researcher Morgan Robertson uncovered a critical security gap in internet-facing Perforce P4 servers, a version control platform widely used in gaming, semiconductor design, and other data-intensive industries. His analysis revealed 6,122 exposed instances, with alarming misconfigurations leaving sensitive data vulnerable to exploitation. Of the identified servers, 72% allowed unauthenticated read-only access via a default-enabled remote user account, while 21% had at least one account with no password, granting direct read-write access. Even more concerning, 4% exposed an unprotected ‘superuser’ account, enabling full system compromise through command injection. Most servers also permitted user enumeration and exposed server details by default. By the time Robertson disclosed his findings on Tuesday, 2,826 servers remained active at their original IP addresses. Of these, 54% (1,525 servers) still allowed unauthenticated read-only access, and 17% (501 servers) permitted user enumeration without authentication. Among the affected organizations were AAA and indie game developers, universities, animation studios, crypto projects, and manufacturers, as well as high-profile entities such as: - A regional defense contractor - Medical technology providers - A North American law enforcement software vendor - An international industrial automation firm - A North American commercial EV startup - An Asian retail POS and ERP software vendor - A banking software maker Exposed data included client information, internal projects, personal data, credentials, source code, and product schematics. Robertson emphasized that the issue extends beyond public servers many Perforce instances on internal networks are deployed with the same insecure defaults, creating a privilege escalation risk for insider threats or attackers with network access. Perforce was notified of the findings a year prior and responded by disabling the remote user account by default and updating its documentation to improve security. In a May 2025 blog post, the company acknowledged that while P4 is trusted by security-conscious teams, proper configuration is essential to prevent exposure. Robertson also contacted over 60 affected organizations to warn them of the risks. The incident underscores the persistent threat of misconfigured enterprise software, even in systems handling highly sensitive intellectual property.