Unsecured Perforce Servers Expose Sensitive Data From Major Organizations


What happened

Security researcher Morgan Robertson conducted an analysis of internet-exposed Perforce P4 servers in spring 2025, finding 6,122 publicly accessible instances with significant misconfigurations. Of those, 72% provided unauthenticated read-only access to source code via a remote user account enabled by default, 21% had at least one account with no password set enabling direct read-write access, and 4% had an unprotected superuser account allowing complete system compromise via command injection.

Robertson published his findings on April 21, 2026, noting that of the original 6,122 servers, 2,826 remain active at their original IP addresses. Of those still active, 1,525 — roughly 54% — still allow unauthenticated read-only access, and 501 still permit fully unauthenticated user enumeration. The affected servers appear to belong to organizations across multiple sensitive sectors, including a regional defense contractor, several medical technology providers, a North American law enforcement software vendor, an international industrial automation firm, a North American commercial EV startup, an Asian retail POS and ERP software vendor, and a banking software maker. Exposed data includes client information, internal projects, personal information, credentials, source code, and product schematics.

Perforce was notified roughly a year ago and responded by disabling the remote user account by default and updating its documentation. Robertson has also directly contacted more than 60 affected organizations. He noted that the numbers reflect only publicly exposed servers, and that many Perforce deployments on internal networks are configured with the same insecure defaults, meaning any attacker who gains a network foothold likely has a direct path to critical intellectual property or privilege escalation.

Who is affected

Organizations across gaming, defense contracting, medical technology, law enforcement software, industrial automation, fintech, and retail POS development have been identified among the exposed servers. The exposure is not limited to public-facing deployments. Internal Perforce instances with identical default configurations represent an equal or greater risk to organizations that believe their version control systems are protected by network perimeter controls alone.

Why CISOs should care

Source code repositories are among the highest-value targets in any organization’s environment. Unauthenticated read access to a Perforce server means an attacker can silently exfiltrate intellectual property, map internal systems, harvest embedded credentials, and identify vulnerabilities in proprietary software without triggering most standard detection tools. The presence of unprotected superuser accounts in 4% of the original sample means that for a meaningful subset of these organizations, the exposure goes well beyond read access to full system compromise.

The fact that over half of the originally identified vulnerable servers remain exposed a year after the researcher notified Perforce is the part worth sitting with.

3 practical actions

  1. Audit all Perforce P4 instances for default remote user accounts and passwordless accounts: Check both internet-facing and internal deployments for the insecure defaults identified in this research, specifically the enabled remote user account and any accounts with no password set, and remediate immediately.
  2. Apply Perforce’s updated security guidance and disable legacy defaults: Perforce has updated its documentation and changed the default configuration to disable the remote user account. Organizations running older deployments should apply these changes and validate their configuration against current security recommendations.
  3. Treat version control systems as critical infrastructure in your security program: Source code repositories, internal or external, warrant the same access control rigor, monitoring, and audit logging as any other system holding sensitive IP. Unauthenticated access to these systems should trigger an immediate incident response, not a routine remediation ticket.
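The audit in step 1 can be partly automated. The following script is an added example, not code from the researcher or from Perforce: it parses the protections spec that `p4 protect -o` prints and flags entries that grant access to every user (`*`) or to the default `remote` account, plus host-unrestricted `super` grants, and it separately checks the server security level (assumed to be read from `p4 configure show security`). The sample spec is constructed, and the threshold of security level 3 is this example's assumption rather than a figure from the article.

```python
"""Audit a Perforce protections table for the insecure defaults in the article.

Added example, not code from the researcher or from Perforce. It parses the
protections spec printed by `p4 protect -o` and flags entries that grant
access to every user (`*`) or to the `remote` account, and super access that
is not restricted by host. The sample spec and the recommended security level
are constructed assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample of a `p4 protect -o` spec. Each entry has five fields:
# mode, type (user|group), name, host, depot path.
SAMPLE_PROTECT_SPEC = """\
# A Perforce Protections Specification.
Protections:
\tsuper user * * //...
\tread user remote * //...
\twrite group dev * //depot/project/...
\tsuper user p4admin 10.0.0.5 //...
"""

# Access modes in rough order of power. "=mode" forms (e.g. =read) grant
# exactly that mode, so the "=" is stripped before ranking.
MODE_RANK = {"list": 0, "read": 1, "open": 2, "write": 3,
             "review": 4, "admin": 5, "super": 6}


@dataclass(frozen=True)
class Finding:
    severity: str   # "critical" or "high"
    entry: str      # the raw protections line, or the setting checked
    reason: str


def parse_protections(spec: str) -> list[tuple[str, str, str, str, str]]:
    """Return (mode, type, name, host, path) for each indented entry under Protections:."""
    entries = []
    in_table = False
    for raw in spec.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Protections:"):
            in_table = True
            continue
        if in_table and raw[:1] in (" ", "\t"):
            fields = line.split()
            if len(fields) == 5:
                entries.append(tuple(fields))
    return entries


def audit_protections(spec: str) -> list[Finding]:
    """Flag protections entries matching the exposures described in the article."""
    findings = []
    for mode, kind, name, host, path in parse_protections(spec):
        entry = " ".join((mode, kind, name, host, path))
        rank = MODE_RANK.get(mode.lstrip("=").lower(), -1)
        if name == "*" and rank >= MODE_RANK["write"]:
            findings.append(Finding("critical", entry,
                                    "every user gets write or higher access"))
        elif name == "*":
            findings.append(Finding("high", entry,
                                    "every user can read source"))
        if kind == "user" and name == "remote":
            findings.append(Finding("high", entry,
                                    "default 'remote' account is granted access; "
                                    "disable it unless remote depots are in use"))
        if rank == MODE_RANK["super"] and host == "*" and name != "*":
            findings.append(Finding("high", entry,
                                    "super access not restricted to admin hosts"))
    return findings


def audit_security_level(level: int, minimum: int = 3) -> list[Finding]:
    """Check the server 'security' setting. Level 0 means passwords are optional,
    so accounts with no password set (the article's 21% case) can log in.
    Requiring level 3 (ticket-based authentication) is this example's assumption."""
    if level < minimum:
        return [Finding("critical" if level == 0 else "high",
                        f"security={level}",
                        f"below assumed minimum {minimum}; passwordless or weak logins possible")]
    return []


if __name__ == "__main__":
    for f in audit_protections(SAMPLE_PROTECT_SPEC) + audit_security_level(0):
        print(f"[{f.severity}] {f.entry}: {f.reason}")
```

Run it against a real server by replacing the constructed spec with the output of `p4 protect -o` captured by an administrator; entries that appear with `critical` severity are the ones the article's figures say lead to read-write access or full compromise.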
