6 Million FTP Servers Still Exposed Online in 2026, Highlighting Security Vulnerabilities

Millions of FTP Servers Remain Exposed Online in 2026, Raising Security Concerns

In April 2026, a comprehensive analysis by security researcher Himaja Motheram at Censys revealed that nearly 6 million internet-facing hosts continue to operate using the File Transfer Protocol (FTP). This figure represents a significant 40% reduction from the 10.1 million servers identified in 2024. However, the persistent use of this decades-old protocol underscores ongoing security vulnerabilities, primarily due to widespread insecure default configurations.

Persistent Security Risks

Despite the decline in numbers, the continued presence of FTP servers poses substantial security risks. FTP, originally designed without robust security features, often transmits data, including credentials, in cleartext. This lack of encryption makes these servers prime targets for cyber attackers seeking unauthorized access to sensitive information.

Encryption Adoption and Regional Disparities

The Censys report highlights a mixed landscape regarding the adoption of encryption among these servers. Approximately 58.9% of observed FTP hosts have implemented Transport Layer Security (TLS), enabling encrypted connections. However, this leaves about 2.45 million servers without evidence of encryption, potentially exposing data to interception and unauthorized access.

Regional disparities in encryption adoption are notable. Mainland China and South Korea exhibit the lowest TLS adoption rates among the top ten hosting countries, at 17.9% and 14.5%, respectively. Meanwhile, Japan accounts for 71% of all FTP servers globally that still rely on deprecated protocol versions such as TLS 1.0 and 1.1.

Influence of Default Software Configurations

The security posture of these FTP servers is significantly influenced by the default settings of the software daemons running them. Key observations from the Censys report include:

– Prevalence of Pure-FTPd: Operating on approximately 1.99 million services, Pure-FTPd is the most common FTP daemon. Its widespread use is largely driven by its inclusion as a default in cPanel hosting environments.

– IIS FTP Configuration Issues: Over 150,000 Microsoft IIS FTP services answer with a 534 reply (request denied for policy reasons), indicating that TLS was never configured. IIS defaults to an SSL policy that appears to require encryption, but a fresh installation has no certificate bound to the FTP site. Consequently, the server accepts cleartext credentials even though the configuration appears to enforce TLS.

– Nonstandard Port Usage: Relying solely on port 21 scans misses a significant portion of the attack surface. Tens of thousands of FTP services operate on alternate ports, such as 10397 or 2121, often associated with specific telecom operations or network-attached storage devices.

Mitigation and Hardening Strategies

To address these vulnerabilities, Censys strongly recommends that organizations evaluate the necessity of FTP and consider the following mitigation strategies:

– Migrate to Secure Alternatives: Whenever possible, replace FTP with SSH File Transfer Protocol (SFTP), which encrypts credentials and data by default over port 22.

– Enforce Explicit TLS: If legacy FTP infrastructure must remain online, administrators should configure their daemons to enforce Explicit TLS (FTPS) and refuse cleartext connections.

– Fix IIS Certificate Bindings: Windows Server administrators using IIS FTP must ensure that a valid certificate is bound to the FTP site and verify that the SSL policy actively enforces encryption.
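The IIS pattern described above (policy set, no certificate bound, 534 on AUTH TLS, cleartext login still accepted) is what an administrator needs to confirm before and after fixing the certificate binding. The following audit script is an added example, not Censys's tooling or Microsoft's: it connects to one of your own FTP services, sends AUTH TLS, and if that is refused checks whether a cleartext USER is still accepted (no password is ever sent). The stub server, its banner and reply texts, and the probe username are constructed for offline testing.

```python
import socket
import socketserver
import threading

def _line(f):
    return f.readline().decode("ascii", "replace").rstrip("\r\n")

def audit_ftp_tls(host, port=21, timeout=5.0):
    """Audit one of your own FTP services: does it accept AUTH TLS, and if it
    refuses, will it still take a login in cleartext? Returns a short verdict."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        if not _line(f).startswith("220"):
            return "no-ftp-banner"
        s.sendall(b"AUTH TLS\r\n")
        auth = _line(f)
        if auth.startswith("234"):
            s.sendall(b"QUIT\r\n")
            return "tls-available"  # next step: require it and refuse cleartext sessions
        # 534 = refused by policy (the IIS "policy set, no certificate bound" pattern);
        # 500/502 = AUTH not implemented. A 331 to a cleartext USER means the server
        # would also take the password in cleartext, which is the report's finding.
        s.sendall(b"USER audit-probe\r\n")  # constructed username; no password is sent
        cleartext = _line(f).startswith(("331", "230"))
        s.sendall(b"QUIT\r\n")
        reason = "policy-refused" if auth.startswith("534") else "unsupported"
        return f"tls-{reason}, cleartext-login-{'accepted' if cleartext else 'refused'}"

class _IisLikeStub(socketserver.StreamRequestHandler):
    """Constructed stand-in for the misconfigured IIS FTP site described in the
    report: AUTH TLS is refused with 534, yet a cleartext USER gets 331."""
    def handle(self):
        self.wfile.write(b"220 Microsoft FTP Service\r\n")
        for raw in self.rfile:
            cmd = raw.decode("ascii", "replace").strip().upper()
            if cmd.startswith("AUTH"):
                self.wfile.write(b"534 Policy requires SSL.\r\n")
            elif cmd.startswith("USER"):
                self.wfile.write(b"331 Password required.\r\n")
            elif cmd.startswith("QUIT"):
                self.wfile.write(b"221 Goodbye.\r\n")
                return
            else:
                self.wfile.write(b"502 Command not implemented.\r\n")

def run_stub_audit():
    """Start the stub on a loopback port, audit it, and return the verdict."""
    with socketserver.TCPServer(("127.0.0.1", 0), _IisLikeStub) as srv:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            return audit_ftp_tls(*srv.server_address)
        finally:
            srv.shutdown()

if __name__ == "__main__":
    print(run_stub_audit())
```

Once a certificate is bound and the control-channel policy requires TLS, the same check against the real site should return "tls-available" rather than the policy-refused verdict.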

Conclusion

While the internet’s reliance on FTP is gradually decreasing, millions of instances continue to operate, often with insecure configurations. The primary risk lies not in advanced zero-day attacks but in the exploitation of these insecure default settings. Organizations must proactively assess their use of FTP, implement secure configurations, and consider transitioning to more secure file transfer protocols to mitigate potential security threats.