惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
L
Lohrmann on Cybersecurity
aimingoo的专栏
aimingoo的专栏
V
V2EX
S
Security Affairs
T
Threatpost
C
CXSECURITY Database RSS Feed - CXSecurity.com
IT之家
IT之家
J
Java Code Geeks
The Register - Security
The Register - Security
U
Unit 42
C
CERT Recently Published Vulnerability Notes
月光博客
月光博客
A
About on SuperTechFans
H
Hackread – Cybersecurity News, Data Breaches, AI and More
T
The Blog of Author Tim Ferriss
Cisco Talos Blog
Cisco Talos Blog
Project Zero
Project Zero
S
Schneier on Security
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
D
DataBreaches.Net
博客园 - 司徒正美
V
Vulnerabilities – Threatpost
T
Tor Project blog
Security Latest
Security Latest
T
The Exploit Database - CXSecurity.com
T
Threat Research - Cisco Blogs
Scott Helme
Scott Helme
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
M
MIT News - Artificial intelligence
云风的 BLOG
云风的 BLOG
小众软件
小众软件
L
LangChain Blog
Attack and Defense Labs
Attack and Defense Labs
Recent Commits to openclaw:main
Recent Commits to openclaw:main
P
Palo Alto Networks Blog
A
Arctic Wolf
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
C
Cyber Attacks, Cyber Crime and Cyber Security
博客园 - 叶小钗
D
Darknet – Hacking Tools, Hacker News & Cyber Security
L
LINUX DO - 最新话题
MongoDB | Blog
MongoDB | Blog
Webroot Blog
Webroot Blog
H
Hacker News: Front Page
Know Your Adversary
Know Your Adversary
Spread Privacy
Spread Privacy
AWS News Blog
AWS News Blog
Engineering at Meta
Engineering at Meta

Blog

AI Bot Traffic: Which Bots to Allow or Block | Imperva API Security Tools: What Each One Protects | Imperva CVE-2025-54068 Laravel Livewire Credential Theft Campaign: 6,000+ Applications Compromised | Imperva On-Premises API Security on Kubernetes | Imperva AI Security Assistant for Faster Investigations | Imperva Best WAAP Solutions 2026: Enterprise Buyer Guide | Imperva Compromise OpenClaw with Prompt Injections in Message Objects The Clock Is Already Ticking: Why Post-Quantum Cryptography Can’t Wait Imperva Customers Protected Against CVE-2026-49975 (HTTP/2 Bomb) DoS Imperva Customers Protected Against CVE-2026-45247 in Mirasvit Full Page Cache Warmer for Magento Real-Time Webhook Notifications: No More Lost Security Alerts Imperva Customers Protected Against CVE-2026-9082 in Drupal Core Dify: When Your AI Platform Becomes the Attack Surface CVE-2026-42945: Imperva Customers Protected Against Critical NGINX Rewrite Module Vulnerability Using Bedrock with Claude Code? Your AWS Credentials Are Shared With Every Subprocess Why AI Agents Make API Security a CISO Priority CVE-2026-23870: Imperva Customers Protected Against Critical React Server Components DoS Vulnerability | Imperva Your Redis Server Looks Fine. That’s the Problem. | Imperva API Security Operations: From Visibility to Risk Reduction | Imperva Imperva Customers Protected Against CVE-2026-41940 in cPanel & WHM Bad Bot Report 2026: The Internet Is No Longer Human and It’s Changing How Business Works Why PoP Count Isn’t the Real Measure of Application Security Performance Hacking Safari with GPT 5.4 Enterprise-Grade Application Security, Cloud-Native Speed: Introducing Imperva for Google Cloud Anthropic Mythos: Separating Signal from Hype Cloud Based WAF Upload Scan and Control: The New Standard for File Upload Security
Code Injection in Perforce Helix Core (CVE-2026-6902) | Imperva
Yohann Sillam · 2026-07-02 · via Blog

Code Injection in Perforce Helix Core (CVE-2026-6902)

Executive Summary 

In this article, we disclose our latest findings we made on Perforce protocol P4 (Helix Core) between command line client and server, and reveal how a threat actor could leverage it to conduct attacks. 

This security issue affects P4 (Helix Core)  before P4 (Helix Core) 2025.2 Patch 2, was patched and was attributed a CVSS score of 7.7 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L). See our recommendation section and the Perforce advisory for more information. 

Perforce Helix Client  

Perforce Helix Client is a version control system often used for large projects and teams that work with many files or large assets. 

While Git and SVN are great for many projects, Perforce shines in environments with massive codebases or large binary files, like game development or VFX. It handles millions of files efficiently, lets teams lock files to prevent merge conflicts on non-text assets, and supports partial checkouts so developers don’t need the entire repository locally. 

Architecture 

Perforce operates on a centralized client-server architecture model, where the command-line client (p4) communicates directly with a centralized Perforce server responsible for managing the repository, metadata, and access controls. This communication can be established through Perforce’s native protocol (default port 1666) or wrapped into HTTPS to ensure encrypted data transmission.  

perforce1

Fig. 1: Basic single server architecture  

  • p4 info: typically one of the first commands executed to verify server connectivity and retrieve essential information, including server version, root directory…  
  • The p4 client command creates and manages workspace specifications, defining the local root directory, depot paths, and the client view mapping that determines file accessibility.
  • The p4 login command establishes authenticated sessions with the server, generating temporary tickets that allow subsequent commands to execute without re-entering credentials.
  • The p4 sync, add, submit, revert … commands enable developers to manage the lifecycle of files in their workspace (synchronization, modification, addition, submission, and undoing changes). 

Eventually, whenever the P4CONFIG variable is set (usually .p4config), the client automatically loads configuration variables such as P4USER, P4PORT, P4CLIENT and P4PASSWD from the designated config file discovered in the current directory or home directory. This hierarchical configuration resolution applies within the scope of P4CLIENTPATH, allowing workspace-specific configurations to override global system settings. 

Details 

The Perforce client-server communication relies on a custom binary protocol, in which each message carries a set of parameters and a handler name designating the operation to be executed by the receiver. Multiple messages can be chained within a single exchange. 

perforce2

Fig. 2: Extract from a clear traffic dump of a p4 info request 

This communication can be secured by SSL while the fingerprint of the server is added into a trust local file located at P4TRUST (itself defined in the p4 config file). 

During our investigation, we recorded the server traffic of several sensitive responses (triggering SSO response, writing files with arbitrary content to arbitrary location, etc. ) and observed that no validation of server response exists in the client side: 

  1. No expiration timeout exists, as our recorded responses could work even days after they were generated. 
  2. No session id is used during a connection. Therefore, we recorded the traffic between our client and server; and used the exact same response bytes in the dockerized POC that we shared with Perforce security team.  
  3. The client doesn’t verify if the server response matches the request it initiated. 

Beyond the risk of replay attacks, the last point makes the following scenario possible:  

  1. A threat actor shares the details of an unknown server to the victim. 
  2. Upon initial connection to the server, it immediately responds with an instruction to write a malicious line into a configuration file ( ~/.p4enviro or .p4config for instance). The expression, P4LOGINSSO=<malicious shell command>, will be executed by any new p4 command. 

Indeed, the P4LOGINSSO environment variable is designed for SSO integrations: when set, the p4 client executes its value as a shell command to obtain authentication credentials.  

perforce3

Fig. 3: Illustration of the first attack scenario 

Another scenario we presented was the following: 

  • A threat actor shares a project including a hidden .p4config file with specially crafted P4PORT and P4LOGINSSO variables. 
  • The victim executes any legitimate p4 command. 
  • This command is sent to the malicious server defined in P4PORT that returns a “client-sso” instruction, immediately executed on the client side. 

perforce4

Fig. 4: Illustration of the second scenario 

Post Exploitation 

Once exploited, this flaw enables attackers to achieve arbitrary code execution under the victim’s user account: the same context in which the p4 command runs.  

This grants full local control, allowing theft of sensitive data (e.g., source code, intellectual property, credentials), modification of files or configurations for persistence or further compromise, and disruption of workflows through file deletion or system resource exhaustion.  

In environments handling high-value assets, such as game development studios, VFX pipelines, or large-scale software projects, the business impact can be substantial, including IP loss, production delays, and potential downstream effects on team collaboration or supply chain integrity. 

Mitigation 

Following the reception of our report, Perforce security team requested an embargo until the release of v2026.1 (May 2026) to give them time to patch this issue.  

The fix introduced a built-in protection in the client that prevents syncing or submitting files matching Perforce configuration file names (.p4enviro, .p4config, etc.), regardless of workspace settings. The P4_SYSTEMIGNORE variable can be used to extend this list. However, this does not address the lack of binding between client requests and server responses, nor the absence of a replay timeout or session id. 

Recommendations  

Update your system to the latest available version. 

Organizations using Perforce command line client should treat this issue seriously and adopt the following guidelines: 

  • Prevent exchange of configuration files from unvetted sources. 
  • Educate users on the dangers of connecting to unknown or shared Perforce endpoints and encourage verification of server authenticity before executing any commands. 
  • Enforce encrypted connections to reduce exposure to man in the middle attacks. 
  • Monitor for unusual p4 activity, including unexpected server connections or configuration sourcing. 

Conclusion 

This vulnerability in the Perforce Helix Client highlights how widely used version control systems can contain overlooked risks in their core client-server communication, assumptions that the server is always trustworthy or responses are inherently safe. 

In environments with massive, distributed asset pipelines, such protocol-level gaps can quietly expose teams to compromise through everyday interactions like querying server info or loading shared configurations. 

As development tools evolve toward greater automation, integration, and reliance on external or unvetted endpoints, these subtle trust boundaries deserve renewed scrutiny. This finding is a reminder that supply chain attacks do not require compromising a central registry: embedding a malicious configuration file in a shared project artifact could be sufficient to achieve code execution across an entire team. 

Timeline 

October 20 2025 – Disclosure sent to Perforce security team.

October 21 2025 – Report acknowledged by the Perforce security team.

March 9 2026 – Patch released for 2025.2 and backported to prior supported versions. 

May 18 2026 – Release of 2026.1 and publication of the security advisory 

Try Imperva for Free

Protect your business for 30 days on Imperva.

Start Now