A researcher has analyzed internet-facing Perforce P4 servers and found that many are still misconfigured, exposing highly sensitive information.
Perforce P4 (formerly Helix Core) is a centralized version control platform built to handle the massive data requirements of industries like AAA gaming and semiconductor design. While P4 serves an important role, it can be valuable for threat actors if left unprotected.
Australian security researcher Morgan Robertson conducted an analysis of internet-exposed Perforce servers in the spring of 2025 and found 6,122 instances.
Of these servers, 72% provided unauthenticated read-only access to source code via a remote user account that had been enabled by default. In addition, 21% of the instances had at least one account with no password set, enabling direct read-write access.
Robertson also found at the time that 4% of servers had an unprotected ‘superuser’ account, enabling complete system compromise via command injection.
The researcher also discovered that a vast majority of the systems allowed user enumeration and exposed server information by default.
Robertson said some of the unprotected systems belonged to AAA and indie game developers, universities, animation studios, interactive media firms, crypto projects, and manufacturers.
The researcher made his findings public on Tuesday, telling SecurityWeek that of the 6,122 public servers initially discovered, 2,826 are still active at their original IP addresses.
Of these, 1,525, representing roughly 54%, still allow unauthenticated read-only access to source code via a remote user account. In addition, 501 instances, or 17% of the active servers, still allow completely unauthenticated user enumeration.
Robertson told SecurityWeek that some of the affected servers appear to belong to major organizations, including a regional defense contractor, several medical technology providers, a North American law enforcement software vendor, an international industrial automation firm, a North American commercial EV startup, an Asian retail POS and ERP software vendor, and a banking software maker.
The servers associated with these companies exposed highly sensitive information, including client information, internal projects, personal information, credentials, source code, and product schematics.
The researcher noted that the numbers he shared reflect only publicly exposed infrastructure.
“A significant number of Perforce servers sit strictly on internal networks but are deployed with the exact same insecure defaults,” Robertson explained. “This means any bad actor, insider threat, or red team that gains a foothold on a corporate network likely has a direct path to access critical IP or escalate privileges via these systems.”
Perforce was notified of the findings roughly one year ago and quickly took action, disabling the remote user by default and updating its documentation to enhance security.
“P4 is trusted by some of the world’s most security-conscious teams to manage and safeguard their most valuable IP: source code and binary assets. However, like any advanced system, its effectiveness relies heavily on proper configuration and maintenance,” Perforce said in a May 2025 blog post.
It added, “Any server left in a permissive state can create lapses in security hygiene over time, and lead to significant risks. And like any server connected to the internet, you should assume your P4 server will eventually be tested by an attacker.”
In addition to notifying Perforce, Robertson has reached out to more than 60 of the affected organizations to warn them about the exposure.
Related: Cursor AI Vulnerability Exposed Developer Devices
Related: Organizations Warned of Exploited Cisco, Kentico, Zimbra Vulnerabilities
