ZOEuNRIyJHuOnW R u uP cUgm

Still Using FTP? 6 Million Exposed Servers Remain Security Risk

A recent security brief from internet intelligence firm Censys reveals that despite its 55-year history, the File Transfer Protocol (FTP) continues to run on nearly 6 million internet-facing servers worldwide. The dominant story isn’t purpose-built file transfer infrastructure, but a dangerous accumulation of platform defaults exposing critical data.

The Current State of FTP Exposure

Though the total number of exposed FTP hosts dropped by 40% from 10.1 million in 2024 to 5.94 million in April 2026, this legacy footprint remains alarmingly large. These servers are primarily concentrated in shared hosting networks and broadband providers, with the United States leading globally at over 1.2 million exposed hosts. China, Germany, Hong Kong, and Japan collectively account for more than half of the global total.

Censys researchers found that poorly configured TLS policies expose cleartext credentials
Censys researchers found that poorly configured TLS policies expose cleartext credentials

Encryption analysis reveals a mixed security landscape:

    • 58.9% of FTP hosts successfully complete TLS handshakes, with 97% using modern protocols (TLSv1.2/1.3)
    • 2.35 million hosts show no evidence of encryption, transmitting credentials/files in cleartext

Mainland China and South Korea report the lowest TLS adoption rates

Global distribution of unencrypted FTP services
Global distribution of unencrypted FTP services

Protocol Clarification:

  • FTP: Transmits everything in cleartext (insecure)
  • FTPS: Adds TLS encryption to FTP (intermediate security)
  • SFTP: SSH-based protocol with full encryption of all data/credentials (recommended alternative)
  • TFTP: Unauthenticated protocol (never expose to internet)

Default Configurations and Technical Risks

Censys research reveals that software defaults drive much of the risk:

  • Pure-FTPd: Most common (cPanel default)
  • vsftpd: Prevalent with 1,744 hosts running the backdoored 2011 version
  • Microsoft IIS FTP: Critical flaw detected: 150,000+ services return error code 534 while silently accepting cleartext credentials

The IIS vulnerability occurs when the default “SSL required” policy lacks a bound certificate. Administrators falsely believe they’re secure while credentials transmit in plaintext.

  • Evaluate necessity: Disable FTP entirely if it appears in your asset inventory
  • Migrate to SFTP: Uses SSH encryption by default without complex firewall rules
  • Secure IIS deployments: Verify valid certificates bound to sites with enforced TLS policies

Organizations must rethink legacy file transfer infrastructure, prioritizing SFTP or modern SaaS solutions to prevent credential theft and data breaches.

Related Articles

Back to top button