A SecurityWeek report details that researchers analysed internet-facing Perforce P4 servers and found 6,122 instances in spring 2025, with 2,826 still active at their original IP addresses at the time the findings were shared. Of the active servers, 1,525 (about 54%) still allowed unauthenticated read-only access to source code via a 'remote' user account that was enabled by default, while 501 instances (17%) permitted completely unauthenticated user enumeration.
The analysis also uncovered that 4% of servers had an unprotected ‘superuser’ account, potentially enabling full system compromise via command injection, and that many systems allowed user enumeration and exposed server information by default.
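The exposures described above (a default 'remote' user grant, wildcard grants to every user, and super-level grants) all live in a Perforce server's protections table, so a defender's first check is to read that table and flag the risky entries. The following is an added example, not code from the SecurityWeek report or from Perforce: it assumes the standard five-field layout of `p4 protect -o` output (mode, user|group, name, host, path) and runs over a constructed sample table rather than a live server.

```python
"""Audit a Perforce protections table for over-broad grants.

Added example (not from the report or from Perforce). Assumes the standard
`p4 protect -o` layout: after a "Protections:" header, one grant per line
as `<mode> <user|group> <name> <host> <path>`, where a path prefixed with
`-` is an exclusion rather than a grant.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample table; in practice pass the text of `p4 protect -o`.
SAMPLE_PROTECT_OUTPUT = """\
# A Perforce Protections Specification.
Protections:
\twrite user * * //...
\tread user remote * //...
\tsuper user admin * //...
\tsuper group Admins * //...
\tlist user * * -//secret/...
"""


@dataclass
class Grant:
    mode: str   # list, read, open, write, admin, super, ... or =read etc.
    kind: str   # "user" or "group"
    name: str   # user/group name, or "*" for everyone
    host: str   # IP/CIDR restriction, "*" for any host
    path: str   # depot path; leading "-" marks an exclusion


def parse_protections(text: str) -> List[Grant]:
    """Parse the protections table out of `p4 protect -o` style text."""
    grants: List[Grant] = []
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Protections:"):
            in_table = True
            continue
        if not in_table:
            continue
        # Split into at most 5 fields so a depot path containing spaces survives.
        parts = line.split(None, 4)
        if len(parts) != 5:
            continue  # malformed line; the server would reject it anyway
        grants.append(Grant(*parts))
    return grants


def audit(grants: List[Grant]) -> List[Tuple[str, Grant]]:
    """Return (finding, grant) pairs for entries worth a second look."""
    findings: List[Tuple[str, Grant]] = []
    for g in grants:
        if g.path.startswith("-"):
            continue  # exclusions only take access away
        if g.kind == "user" and g.name == "remote":
            findings.append(("grant to built-in 'remote' user "
                             "(reported to allow unauthenticated read access)", g))
        if g.kind == "user" and g.name == "*":
            findings.append((f"'{g.mode}' granted to every user from host '{g.host}'", g))
        if g.mode == "super":
            findings.append((f"super access for {g.kind} '{g.name}' from host '{g.host}'; "
                             "confirm the account has a strong password", g))
    return findings


def audit_text(text: str) -> List[str]:
    """Convenience wrapper: parse and audit, returning human-readable lines."""
    return [f"{msg}: {g.mode} {g.kind} {g.name} {g.host} {g.path}"
            for msg, g in audit(parse_protections(text))]


if __name__ == "__main__":
    for line in audit_text(SAMPLE_PROTECT_OUTPUT):
        print(line)
```

On the constructed sample the audit reports the `remote` grant, the wildcard `write` grant, and both `super` entries, and ignores the `list` exclusion line. Removing or narrowing the `remote` line matches the change Perforce later made to its defaults, as the report describes.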
Robertson noted some affected servers belonged to major organisations across sectors including defence, medical technology, law enforcement software, industrial automation, automotive, retail, and banking software, with the servers exposing highly sensitive data such as client information, internal projects, personal data, credentials, source code, and product schematics.
Perforce has since disabled the remote user by default and updated its documentation in a May 2025 blog post, while Robertson has contacted over 60 organisations about the exposure. The numbers reflect only publicly exposed infrastructure and do not account for systems on internal networks.