
Over 1,500 Perforce Servers Still Expose Sensitive Source Code and Critical Data to Attackers

Thousands of internet-facing Perforce P4 servers are still exposing sensitive data due to poor security configurations, despite earlier warnings and improvements.

Perforce P4 (also known as Helix Core) is a centralized version control system widely used in industries such as game development, semiconductor design, and large-scale software engineering. Because such servers hold critical assets like source code and project data, unsecured instances are highly valuable targets for attackers.

In spring 2025, Australian security researcher Morgan Robertson scanned the internet and identified 6,122 publicly accessible Perforce servers. His findings revealed widespread security issues. Around 72% of these servers allowed unauthenticated users to access source code in read-only mode through a default remote user account. Additionally, 21% had at least one account without a password, allowing attackers to gain full read and write access.

More severe risks were also discovered. About 4% of servers had an exposed superuser account, which could allow complete system takeover through command injection. Many systems also enabled user enumeration and exposed server details by default, making them easier to target.

Robertson noted that affected servers belonged to a wide range of organizations, including major game studios, universities, animation companies, manufacturers, and crypto-related projects.

A year later, the situation has improved but remains concerning. Of the original 6,122 servers, 2,826 are still active at the same IP addresses. Among these, 1,525 servers (approximately 54%) still allow unauthenticated read-only access to source code. Additionally, 501 servers (17%) continue to permit unauthenticated user enumeration.

Some of the exposed systems appear to belong to major organizations, including defense contractors, medical technology companies, law enforcement software vendors, industrial automation firms, electric vehicle startups, retail software providers, and banking software companies.

The data exposed on these servers includes highly sensitive information such as client records, internal projects, personal data, login credentials, source code, and product designs.

Robertson emphasized that these findings only reflect publicly exposed systems. Many Perforce servers operate within internal networks but may still use the same insecure default configurations. This means that attackers who gain initial access to a corporate network could easily exploit these systems to access valuable intellectual property or escalate privileges.

Perforce was informed of these issues about a year ago and responded by improving security. The company disabled the default remote user and updated its documentation to encourage better security practices.

Perforce stated that while its platform is trusted by security-conscious organizations, its effectiveness depends on proper setup and ongoing maintenance. Any server left with weak or permissive settings can create serious security risks, especially when exposed to the internet.

In addition to notifying Perforce, Robertson has contacted more than 60 affected organizations to alert them about the vulnerabilities and encourage remediation.


1 Comment

  • This research highlights a serious and ongoing issue with insecure default configurations in enterprise tools like Perforce P4. The fact that a large number of servers still allow unauthenticated access to source code and sensitive data is concerning, especially when these systems are used by major organizations. It reinforces the importance of proper configuration management, least-privilege access, and regular security audits to prevent exposure of critical intellectual property.
