Microsoft has identified and responsibly reported four vulnerabilities in Perforce Helix Core Server, a widely used source code management platform. The flaws were discovered during a security review conducted by Microsoft analysts, who use the product in the company's game development studios. One of the vulnerabilities, CVE-2023-45849, is rated critical because it allows unauthenticated attackers to execute code remotely as LocalSystem, a highly privileged Windows account. In its default configuration, Perforce Server permits unauthenticated attackers to execute arbitrary commands remotely, posing a significant risk of full system compromise.
The remaining three vulnerabilities, while less severe, could be used for denial-of-service attacks, causing operational disruption and potential financial losses, particularly in large-scale deployments. Microsoft has not observed any exploitation attempts in the wild, but the company strongly recommends that users upgrade to version 2023.1/2513900, released on November 7, 2023, to address these security issues. Microsoft also provides a set of protection recommendations: keeping the software regularly updated, restricting access through a VPN or an IP allow-list, using TLS certificates with a proxy to validate users, logging all access to the Perforce Server, setting up crash alerts, and using network segmentation to contain breaches.
The critical vulnerability’s potential to allow attackers to execute arbitrary commands remotely as a highly privileged system account underscores the significance of prompt updates and robust security measures. Following the recommended protection measures can help organizations mitigate the risks associated with these vulnerabilities and enhance the overall security posture of their systems using Perforce Helix Core Server.