Data Security, Patch/Configuration Management

Misconfigured Perforce servers remain widespread, threaten sensitive data exposure

Improperly secured internet-exposed Perforce P4 servers continue to be prevalent, with 72% of 6,122 online instances enabling read-only source code access through a remote user account activated by default, according to SecurityWeek.

At least one account with no password was observed across 21% of public servers, posing a direct read-write access risk, while 4% could be subjected to total system compromise due to an unsecured "superuser" account, a report from Australian security researcher Morgan Robertson showed. Additional findings revealed that nearly 54% of 2,826 servers that remain active at their original IP addresses permit remote user account-based read-only access to source code without any authentication.

Misconfigured Perforce P4 servers were found to belong to a North American law enforcement software provider, a North American commercial EV startup, a global industrial automation company, a banking software manufacturer, and other major organizations. Robertson has already alerted Perforce and over 60 of the impacted entities to the exposure.
