Perforce: Unsecured Perforce Servers Expose Sensitive Data From Major Orgs

Thousands of Perforce Servers Exposed in Widespread Misconfiguration Crisis

In spring 2025, Australian security researcher Morgan Robertson uncovered a critical security gap in internet-facing Perforce P4 servers, a version control platform widely used in gaming, semiconductor design, and other data-intensive industries. His analysis revealed 6,122 exposed instances, with alarming misconfigurations leaving sensitive data vulnerable to exploitation.

Of the identified servers, 72% allowed unauthenticated read-only access via a default-enabled remote user account, while 21% had at least one account with no password, granting direct read-write access. Even more concerning, 4% exposed an unprotected ‘superuser’ account, enabling full system compromise through command injection. Most servers also permitted user enumeration and exposed server details by default.

By the time Robertson disclosed his findings on Tuesday, 2,826 servers remained active at their original IP addresses. Of these, 54% (1,525 servers) still allowed unauthenticated read-only access, and 17% (501 servers) permitted user enumeration without authentication. Among the affected organizations were AAA and indie game developers, universities, animation studios, crypto projects, and manufacturers, as well as high-profile entities such as:

  • A regional defense contractor
  • Medical technology providers
  • A North American law enforcement software vendor
  • An international industrial automation firm
  • A North American commercial EV startup
  • An Asian retail POS and ERP software vendor
  • A banking software maker

Exposed data included client information, internal projects, personal data, credentials, source code, and product schematics. Robertson emphasized that the issue extends beyond public servers: many Perforce instances on internal networks are deployed with the same insecure defaults, creating a privilege escalation risk for insider threats or attackers with network access.
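A defender's check for the three misconfiguration classes the article describes (the default `remote` user still granted access, superuser access open to every user, and a security level that allows password-less accounts), written here as an added example and not code from the article or from Perforce. It assumes the protections table is the text `p4 protect -o` prints and the level is the integer `p4 counter security` reports; the sample table is constructed.

```python
"""Audit a Perforce (Helix Core) protections table and security level for the
insecure defaults described above: grants to the default 'remote' user, super
access for every user ('*'), and a level that lets accounts go password-less.

Assumptions (not from the article): the table is what 'p4 protect -o' prints,
one entry per line as '<access> <user|group> <name> <host> <path>'; the level
is the integer 'p4 counter security' reports (2 and above require passwords
for all users). The sample table below is constructed."""

# Constructed sample: a server still carrying the defaults Robertson found.
SAMPLE_PROTECT = """\
Protections:
\tsuper user * * //...
\tread user remote * //...
\twrite group dev 10.0.0.0/8 //depot/...
\tsuper user build-admin * //...
"""

def parse_protections(text):
    """Yield entries as dicts; skip the 'Protections:' header and comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.endswith(":"):
            continue
        parts = line.split(None, 4)
        if len(parts) == 5:
            yield dict(zip(("access", "type", "name", "host", "path"), parts))

def audit(protect_text, security_level):
    """Return (code, message) findings, one per misconfiguration spotted."""
    findings = []
    for e in parse_protections(protect_text):
        if e["access"] == "super" and e["name"] == "*":
            findings.append(("WILDCARD_SUPER",
                             "super access for all users on %s" % e["path"]))
        if e["type"] == "user" and e["name"] == "remote":
            findings.append(("DEFAULT_REMOTE_USER",
                             "default 'remote' user has %s access on %s"
                             % (e["access"], e["path"])))
    if security_level < 2:
        findings.append(("PASSWORDLESS_ALLOWED",
                         "security level %d does not require passwords for "
                         "all users" % security_level))
    return findings

if __name__ == "__main__":
    for code, msg in audit(SAMPLE_PROTECT, 0):
        print(code, "-", msg)
```

Run it against the real `p4 protect -o` output and `p4 counter security` value of a server to get the same three-way classification; an empty result means none of the article's default-related findings apply to that table.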

Perforce was notified of the findings a year prior and responded by disabling the remote user account by default and updating its documentation to improve security. In a May 2025 blog post, the company acknowledged that while P4 is trusted by security-conscious teams, proper configuration is essential to prevent exposure. Robertson also contacted over 60 affected organizations to warn them of the risks.

The incident underscores the persistent threat of misconfigured enterprise software, even in systems handling highly sensitive intellectual property.

Source: https://www.securityweek.com/unsecured-perforce-servers-expose-sensitive-data-from-major-orgs/

Perforce Software cybersecurity rating report: https://www.rankiteo.com/company/perforce

"id": "PER1776784296",
"linkid": "perforce",
"type": "Vulnerability",
"date": "5/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Defense',
                        'name': 'Regional defense contractor',
                        'type': 'Defense'},
                       {'industry': 'Medical Technology',
                        'name': 'Medical technology providers',
                        'type': 'Healthcare'},
                       {'industry': 'Law Enforcement Software',
                        'location': 'North America',
                        'name': 'North American law enforcement software '
                                'vendor',
                        'type': 'Government'},
                       {'industry': 'Industrial Automation',
                        'location': 'International',
                        'name': 'International industrial automation firm',
                        'type': 'Manufacturing'},
                       {'industry': 'Electric Vehicles',
                        'location': 'North America',
                        'name': 'North American commercial EV startup',
                        'type': 'Automotive'},
                       {'industry': 'Retail Software',
                        'location': 'Asia',
                        'name': 'Asian retail POS and ERP software vendor',
                        'type': 'Retail'},
                       {'industry': 'Banking Software',
                        'name': 'Banking software maker',
                        'type': 'Financial Services'},
                       {'industry': 'Gaming',
                        'name': 'AAA and indie game developers',
                        'type': 'Entertainment'},
                       {'industry': 'Higher Education',
                        'name': 'Universities',
                        'type': 'Education'},
                       {'industry': 'Animation',
                        'name': 'Animation studios',
                        'type': 'Entertainment'},
                       {'industry': 'Cryptocurrency',
                        'name': 'Crypto projects',
                        'type': 'Financial Services'},
                       {'industry': 'Manufacturing',
                        'name': 'Manufacturers',
                        'type': 'Manufacturing'}],
 'attack_vector': 'Exposed internet-facing servers with default/insecure '
                  'configurations',
 'data_breach': {'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High (intellectual property, personal '
                                        'data, credentials)',
                 'type_of_data_compromised': ['Client information',
                                              'Internal projects',
                                              'Personal data',
                                              'Credentials',
                                              'Source code',
                                              'Product schematics']},
 'date_detected': '2025-03-01',
 'date_publicly_disclosed': '2025-05-01',
 'description': 'Australian security researcher Morgan Robertson uncovered a '
                'critical security gap in internet-facing Perforce P4 servers, '
                'a version control platform widely used in gaming, '
                'semiconductor design, and other data-intensive industries. '
                'The analysis revealed 6,122 exposed instances with '
                'misconfigurations leaving sensitive data vulnerable to '
                'exploitation. By the time of disclosure, 2,826 servers '
                'remained active, with many still allowing unauthenticated '
                'access or user enumeration.',
 'impact': {'brand_reputation_impact': 'Potential damage to brand reputation '
                                       'due to exposure of sensitive data',
            'data_compromised': 'Client information, internal projects, '
                                'personal data, credentials, source code, '
                                'product schematics',
            'identity_theft_risk': 'High (due to exposure of personal data and '
                                   'credentials)',
            'operational_impact': 'Potential unauthorized access to sensitive '
                                  'intellectual property and internal systems',
            'systems_affected': '6,122 exposed Perforce P4 servers (2,826 '
                                'still active at disclosure)'},
 'investigation_status': 'Ongoing (as of disclosure)',
 'lessons_learned': 'The incident highlights the persistent threat of '
                    'misconfigured enterprise software, even in systems '
                    'handling highly sensitive intellectual property. Proper '
                    'configuration and hardening of default settings are '
                    'critical to preventing exposure.',
 'post_incident_analysis': {'corrective_actions': 'Perforce disabled the '
                                                  'remote user account by '
                                                  'default and updated '
                                                  'documentation to emphasize '
                                                  'secure configuration. '
                                                  'Affected organizations were '
                                                  'advised to review and '
                                                  'harden their deployments.',
                            'root_causes': 'Default-enabled remote user '
                                           'accounts, unprotected superuser '
                                           'accounts, lack of password '
                                           'protection, and user enumeration '
                                           'enabled by default.'},
 'recommendations': ['Disable default remote user accounts or enforce strong '
                     'authentication.',
                     'Implement network segmentation to limit exposure of '
                     'internal Perforce instances.',
                     'Regularly audit and monitor Perforce server '
                     'configurations for insecure defaults.',
                     'Enforce least-privilege access and disable user '
                     'enumeration where possible.',
                     'Educate teams on secure deployment practices for version '
                     'control systems.'],
 'references': [{'date_accessed': '2025-05-01',
                 'source': "Morgan Robertson's disclosure"},
                {'date_accessed': '2025-05-01',
                 'source': 'Perforce blog post (May 2025)'}],
 'response': {'communication_strategy': 'Perforce published a blog post in May '
                                        '2025 acknowledging the issue and '
                                        'emphasizing proper configuration.',
              'containment_measures': 'Perforce disabled the remote user '
                                      'account by default and updated '
                                      'documentation to improve security.',
              'remediation_measures': 'Affected organizations were contacted '
                                      'to warn them of the risks; Perforce '
                                      'implemented configuration changes to '
                                      'mitigate exposure.'},
 'stakeholder_advisories': 'Perforce acknowledged the issue and updated '
                           'documentation to improve security. Affected '
                           'organizations were contacted to warn them of the '
                           'risks.',
 'title': 'Thousands of Perforce Servers Exposed in Widespread '
          'Misconfiguration Crisis',
 'type': 'Misconfiguration',
 'vulnerability_exploited': 'Default-enabled remote user account, unprotected '
                            'superuser accounts, user enumeration, and lack of '
                            'password protection'}