Still Using FTP? 6 Million Exposed Servers Remain Security Risk
A recent security brief from internet intelligence firm Censys reveals that despite its 55-year history, the File Transfer Protocol (FTP) continues to run on nearly 6 million internet-facing servers worldwide. The dominant story isn’t purpose-built file transfer infrastructure, but a dangerous accumulation of platform defaults exposing critical data.
The Current State of FTP Exposure
Though the total number of exposed FTP hosts dropped by 40% from 10.1 million in 2024 to 5.94 million in April 2026, this legacy footprint remains alarmingly large. These servers are primarily concentrated in shared hosting networks and broadband providers, with the United States leading globally at over 1.2 million exposed hosts. China, Germany, Hong Kong, and Japan collectively account for more than half of the global total.

Encryption analysis reveals a mixed security landscape:
-
- 58.9% of FTP hosts successfully complete TLS handshakes, with 97% using modern protocols (TLSv1.2/1.3)
- 2.35 million hosts show no evidence of encryption, transmitting credentials/files in cleartext
Mainland China and South Korea report the lowest TLS adoption rates

Protocol Clarification:
- FTP: Transmits everything in cleartext (insecure)
- FTPS: Adds TLS encryption to FTP (intermediate security)
- SFTP: SSH-based protocol with full encryption of all data/credentials (recommended alternative)
- TFTP: Unauthenticated protocol (never expose to internet)
Default Configurations and Technical Risks
Censys research reveals that software defaults drive much of the risk:
- Pure-FTPd: Most common (cPanel default)
- vsftpd: Prevalent with 1,744 hosts running the backdoored 2011 version
- Microsoft IIS FTP: Critical flaw detected: 150,000+ services return error code 534 while silently accepting cleartext credentials
The IIS vulnerability occurs when the default “SSL required” policy lacks a bound certificate. Administrators falsely believe they’re secure while credentials transmit in plaintext.
Recommended Mitigations
- Evaluate necessity: Disable FTP entirely if it appears in your asset inventory
- Migrate to SFTP: Uses SSH encryption by default without complex firewall rules
- Secure IIS deployments: Verify valid certificates bound to sites with enforced TLS policies
Organizations must rethink legacy file transfer infrastructure, prioritizing SFTP or modern SaaS solutions to prevent credential theft and data breaches.