Nearly 6 Million FTP Servers Exposed Online in 2026: A Persistent Security Threat
In April 2026, an analysis by security researcher Himaja Motheram at Censys found that nearly 6 million internet-facing hosts still expose a File Transfer Protocol (FTP) service. That is roughly a 40% drop from the 10.1 million servers Censys identified in 2024, but it leaves a very large population of hosts running a protocol that was never designed with security in mind.
The Persistent Use of FTP
FTP, first specified in the early 1970s, was designed for transferring files over networks. Despite its age and the availability of more secure alternatives, it remains in use because it is simple and because a great deal of legacy software and hosting tooling still depends on it. The protocol itself has no built-in encryption or server authentication: unless the TLS extension (explicit FTPS, RFC 4217) is negotiated, usernames, passwords and file contents cross the network in cleartext and can be read or modified by anyone on the path.
Current Exposure Landscape
The Censys report highlights that the majority of these exposed FTP servers are not part of dedicated file transfer infrastructure. Most are default configurations found in shared hosting environments and broadband provider networks. That matters because the owners of such hosts frequently do not know an FTP service is listening at all, let alone whether it accepts cleartext logins.
Encryption Adoption and Regional Disparities
When assessing the security measures in place, the report found that approximately 58.9% of the observed FTP hosts support encrypted control connections via Transport Layer Security (TLS). The remaining 41.1%, around 2.45 million servers, accept only cleartext connections, so every login to them sends the username and password in the clear. Note that "supports TLS" is a weaker statement than "requires TLS": a daemon that answers AUTH TLS with 234 may still accept a cleartext USER/PASS from a client that never asks for encryption, so the number of hosts that actually refuse cleartext logins is lower than 58.9%.
The adoption of encryption varies significantly across regions:
– Mainland China and South Korea: These countries exhibit the lowest TLS adoption rates among the top 10 hosting nations, at 17.9% and 14.5%, respectively.
– Japan: Notably, Japan accounts for 71% of all FTP servers globally that still negotiate only the deprecated protocol versions TLS 1.0 and 1.1 (both formally deprecated by RFC 8996).
Technical Observations and Default Configurations
The security posture of these FTP servers is heavily influenced by the default settings of the software daemons running them. Key findings include:
– Pure-FTPd Prevalence: Operating on approximately 1.99 million services, Pure-FTPd is the most common FTP daemon. Its widespread use is largely due to its inclusion as a default in cPanel hosting environments.
– Microsoft IIS FTP Configuration Issues: Over 150,000 Microsoft IIS FTP services answer AUTH TLS with a 534 response ("request denied for policy reasons"), which in practice means TLS was never set up. A fresh IIS FTP installation ships with an SSL policy that appears to require encryption, but it does not bind a server certificate, and without a certificate the server cannot complete a TLS handshake. The report's finding is that these servers then go on to accept cleartext credentials, even though the configuration looks as if it enforces TLS.
– Nonstandard Ports Usage: Relying solely on port 21 scans misses a significant portion of the attack surface. Tens of thousands of FTP services listen on alternate ports such as 10397 or 2121, often tied to specific telecom operators or to network-attached storage devices. An inventory of FTP exposure therefore has to be driven by the service banner and protocol behaviour, not by port number alone.
Mitigation and Hardening Strategies
For organizations and administrators managing FTP services, the first question is whether the server needs to exist at all; a service nobody is using is easiest to secure by turning it off. Where it does need to stay, the recommended mitigations are:
1. Migrate to Secure Alternatives: Whenever possible, replace FTP with SFTP (the SSH File Transfer Protocol). SFTP runs inside an SSH session, normally on port 22, so credentials and data are always encrypted and the client can authenticate the server by its host key. It is a different protocol from FTPS, not FTP with encryption bolted on.
2. Enforce Explicit TLS: If legacy FTP infrastructure must remain operational, configure the daemon to require explicit TLS (AUTH TLS) on the control channel and protected data connections (PROT P), refuse any cleartext login rather than merely offering TLS as an option, and disable TLS 1.0 and 1.1 so that only TLS 1.2 or later can be negotiated.
3. Address IIS Certificate Bindings: Windows Server administrators using IIS FTP should bind a valid certificate to the FTP site and set the SSL policy to require SSL for both the control and data channels. Then verify from outside the host that AUTH TLS returns 234 rather than 534, and that a client which skips AUTH TLS cannot log in.
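What "require, not merely offer, TLS" looks like for the daemon the report found most often. This is an added configuration example in pure-ftpd.conf syntax, not taken from the report or from any cPanel default; the certificate path is an assumption for illustration, and the cipher string should be checked against the OpenSSL version on the host before use.

```conf
# pure-ftpd.conf: TLS policy for the control and data channels.
# The TLS directive takes 0 (TLS off), 1 (accept both cleartext and TLS,
# the weak setting many defaults use), 2 (refuse cleartext control
# connections) or 3 (also refuse cleartext data connections).

# Weak: TLS is offered, but a client that never sends AUTH TLS still logs in
# with its password in cleartext. This is the "supports TLS" case in the report.
# TLS                      1

# Hardened: cleartext logins and cleartext data transfers are both refused.
TLS                      3

# Server certificate and key (PEM). Assumed path for this example.
CertFile                 /etc/ssl/private/pure-ftpd.pem

# Restrict negotiated ciphers to modern suites; verify the string against the
# local OpenSSL build before deploying.
TLSCipherSuite           HIGH:!aNULL:!MD5:!RC4:!3DES
```

After restarting the daemon, test it the same way the report measured it: connect with a client that does not send AUTH TLS and confirm the login is rejected, then connect with AUTH TLS and confirm the negotiated version is TLS 1.2 or higher.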
Conclusion
While the internet's reliance on FTP is gradually decreasing, the presence of nearly 6 million exposed servers in 2026, around 2.45 million of them accepting only cleartext logins, remains a significant security concern. Organizations should inventory their FTP services by protocol behaviour rather than by port, check whether each one actually refuses cleartext credentials, and move to SFTP or to properly enforced FTPS wherever the service cannot simply be retired.