Perforce: Misconfigured Perforce servers remain widespread, threaten sensitive data exposure

Exposed Perforce P4 Servers Leave Source Code Vulnerable to Unauthorized Access

A recent investigation by Australian security researcher Morgan Robertson has uncovered widespread misconfigurations in internet-exposed Perforce P4 servers, exposing sensitive source code to potential breaches. Of the 6,122 publicly accessible instances analyzed, 72% allowed read-only access via a default remote user account, while 21% had at least one account with no password, granting direct read-write permissions.

Even more alarmingly, 4% of servers were vulnerable to full system compromise due to an unsecured "superuser" account. Among the 2,826 servers still active at their original IP addresses, 54% permitted unauthenticated read-only access to source code.

The affected organizations span multiple industries, including a North American law enforcement software provider, a commercial EV startup, a global industrial automation firm, and a banking software manufacturer. Robertson has notified Perforce and over 60 impacted entities about the exposures, though the full scope of potential data leaks remains unclear. The findings highlight persistent risks tied to improperly secured version control systems in enterprise environments.
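The three exposure classes above (the default 'remote' user readable from any host, write access granted to every user so that passwordless or auto-created accounts can commit, and a server that has never had a protections table) can all be read directly off the server's protections table. The following is an added example, not code from the page, from Perforce, or from the researcher: it parses the text that `p4 protect -o` prints (captured beforehand, so it runs offline) and flags those patterns, with a constructed weak table beside a constructed hardened one. The `##` end-of-line comments, the `=read`-style single-right modes and the `-//path` exclusion syntax are standard protections-table features; the sample entries, hosts and group names are assumptions for the demo.

```python
"""Audit a Helix Core (Perforce) protections table for the exposure classes
described in the article. Added example; not page, Perforce or researcher code.
Input is the text of `p4 protect -o`; both tables below are constructed."""

# Modes that let a principal change depot contents or server configuration.
WRITE_OR_ABOVE = {"open", "write", "admin", "super", "owner"}
READ_OR_ABOVE = WRITE_OR_ABOVE | {"read"}

# Constructed weak table (assumption: a typical legacy install that was
# opened to the internet). Entry format: mode, user|group, name, host, path.
SAMPLE_TABLE = """\
# A Perforce Protections Specification.
#
#  Protections:   Access rights for users and groups.

Update:	2026/04/01 10:00:00

Protections:
	write user * * //...                    ## legacy "everyone can commit"
	read user remote * //...                ## meant for remote depots, open to any host
	super user p4admin * //...
	write group devs * //depot/...
	read user remote * -//depot/secrets/...
"""

# Constructed hardened table: super and remote scoped to known hosts, no
# wildcard-user grants, everyone else explicitly denied.
HARDENED_TABLE = """\
Protections:
	super user p4admin 10.0.0.5 //...
	write group devs * //depot/...
	read user remote 10.0.1.0/24 //depot/shared/...
	list user * * -//...
"""


def parse_protections(spec):
    """Return the entries under 'Protections:' as dicts (grants and exclusions)."""
    entries = []
    in_table = False
    for raw in spec.splitlines():
        if not in_table:
            in_table = raw.strip() == "Protections:"
            continue
        line = raw.split("##", 1)[0].strip()   # drop end-of-line comments
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 4)
        if len(parts) != 5:
            continue                           # p4 would reject this line; skip it
        mode, kind, name, host, path = parts
        entries.append({
            "mode": mode.lstrip("="),          # "=read" etc. grant one specific right
            "kind": kind, "name": name, "host": host,
            "exclusion": path.startswith("-"), # "-//path" revokes rather than grants
            "path": path.lstrip("-"),
        })
    return entries


def audit(spec):
    """Return (severity, message) findings for the exposure classes above."""
    grants = [e for e in parse_protections(spec) if not e["exclusion"]]
    if not grants:
        # Perforce documents that until p4 protect is first run, every user is super.
        return [("CRITICAL", "no protections table: every user has super access")]
    findings = []
    for e in grants:
        anyone = e["kind"] == "user" and e["name"] == "*"
        is_remote = e["kind"] == "user" and e["name"] == "remote"
        if anyone and e["mode"] in WRITE_OR_ABOVE:
            findings.append(("CRITICAL", f"{e['mode']} for every user on {e['path']}: "
                             "any passwordless or auto-created account can commit"))
        elif anyone and e["mode"] == "read":
            findings.append(("HIGH", f"read for every user on {e['path']}: "
                             "source is readable by any account the server accepts"))
        elif is_remote and e["host"] == "*" and e["mode"] in READ_OR_ABOVE:
            findings.append(("HIGH", f"default 'remote' user has {e['mode']} on "
                             f"{e['path']} from any host: anyone setting P4USER=remote "
                             "can read it"))
        elif e["mode"] == "super" and e["host"] == "*":
            findings.append(("REVIEW", f"super for {e['kind']} {e['name']} from any host: "
                             "confirm a password is set and security level is at least 3"))
    return findings


if __name__ == "__main__":
    for label, table in (("weak", SAMPLE_TABLE), ("hardened", HARDENED_TABLE)):
        print(f"== {label} ==")
        for severity, message in audit(table) or [("OK", "no findings")]:
            print(f"{severity}: {message}")
```

The table is only half of the fix: the "no-password" and "superuser" findings in the article come from the server accepting accounts without credentials, which the protections table cannot see. On a real server the same audit would be paired with `p4 configure set security=3` (ticket-based login with passwords required) and `p4 configure set dm.user.noautocreate=2` (only superusers can create accounts), and the `remote` user would be limited to the hosts that actually pull remote depots, as in the hardened table.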

Source: https://www.scworld.com/brief/misconfigured-perforce-servers-remain-widespread-threaten-sensitive-data-exposure

Perforce TPRM report: https://www.rankiteo.com/company/perforce

"id": "per1776926729",
"linkid": "perforce",
"type": "Vulnerability",
"date": "4/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Law Enforcement Software',
                        'location': 'North America',
                        'name': 'North American law enforcement software '
                                'provider',
                        'type': 'Organization'},
                       {'industry': 'Automotive/EV',
                        'name': 'Commercial EV startup',
                        'type': 'Organization'},
                       {'industry': 'Industrial Automation',
                        'location': 'Global',
                        'name': 'Global industrial automation firm',
                        'type': 'Organization'},
                       {'industry': 'Banking Software',
                        'name': 'Banking software manufacturer',
                        'type': 'Organization'}],
 'attack_vector': 'Internet-exposed servers',
 'data_breach': {'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'Source code'},
 'description': 'A recent investigation by Australian security researcher '
                'Morgan Robertson uncovered widespread misconfigurations in '
                'internet-exposed Perforce P4 servers, exposing sensitive '
                'source code to potential breaches. Of the 6,122 publicly '
                'accessible instances analyzed, 72% allowed read-only access '
                'via a default remote user account, while 21% had at least one '
                'account with no password, granting direct read-write '
                'permissions. Even more alarmingly, 4% of servers were '
                'vulnerable to full system compromise due to an unsecured '
                "'superuser' account. Among the 2,826 servers still active at "
                'their original IP addresses, 54% permitted unauthenticated '
                'read-only access to source code.',
 'impact': {'data_compromised': 'Sensitive source code',
            'systems_affected': 'Perforce P4 servers'},
 'post_incident_analysis': {'root_causes': 'Misconfigured Perforce P4 servers, '
                                           'default remote user accounts, '
                                           'no-password accounts, unsecured '
                                           "'superuser' accounts"},
 'references': [{'source': "Morgan Robertson's investigation"}],
 'title': 'Exposed Perforce P4 Servers Leave Source Code Vulnerable to '
          'Unauthorized Access',
 'type': 'Misconfiguration',
 'vulnerability_exploited': 'Default remote user account, no-password '
                            "accounts, unsecured 'superuser' account"}