
Imagine sending a postcard with your personal information on it. That's how FTP works: it's not secure! Even though fewer people are sending postcards now, there are still millions doing it without any protection. We need to switch to secure envelopes instead!
What Happened
According to a new report from security researcher Himaja Motheram at Censys, approximately 5.94 million internet-facing hosts are still using the File Transfer Protocol (FTP) as of April 2026. This represents a significant 40% decline from the 10.1 million servers identified in 2024. Despite this reduction, the continued reliance on FTP, a protocol that has been deemed insecure for decades, poses significant risks due to widespread insecure default configurations.
Who's Affected
The report indicates that the majority of these FTP servers are located in the United States, with 1.2 million instances. Other countries with significant numbers include China (866,000), Germany (467,000), Hong Kong (415,000), Japan (366,000), and France (343,000). Major hosting and broadband providers, such as China Unicom, Alibaba, OVH, and GoDaddy, contribute heavily to the number of exposed FTP hosts.
What Data Was Exposed
Censys found that a staggering 2.45 million FTP hosts showed no evidence of encryption, meaning they could potentially transmit sensitive files and credentials in cleartext. This lack of encryption is concerning, especially since many of these servers either lack support for encryption or were not properly configured to complete a TLS handshake. The report highlights that while 58.9% of observed FTP hosts completed a TLS handshake, the remaining servers are at risk of data exposure. Notably, of the 2.45 million FTP hosts lacking encryption, 994,000 do not implement AUTH TLS on the scanned port, and more than 170,000 do not support explicit TLS.
Key Technical Observations
- Server Dominance: Pure-FTPd is the most commonly used FTP daemon, operating on approximately 1.99 million services. ProFTPD and vsftpd follow, with 812,000 and 379,000 services, respectively. Microsoft's IIS FTP, which is enabled by default on Windows Server instances, accounts for 259,000 services, with over 150,000 of these services lacking proper encryption configurations.
- IIS FTP Configuration Issues: Over 150,000 Microsoft IIS FTP services return a 534 error response, indicating that TLS was never configured. This is a critical issue as these servers accept cleartext credentials despite appearing to enforce encryption.
- Geographical and Provider Insights: The distribution of FTP servers indicates that many configurations are a byproduct of default settings from commodity hosting and broadband providers. Censys notes that the geography, ASN distribution, and server technology mix all point to this conclusion.
Mitigation and Hardening Strategies
To address these vulnerabilities, Censys recommends that organizations evaluate whether FTP is necessary in their environments. If FTP must remain, organizations should:
- Migrate to Secure Alternatives: Transition to SFTP or FTPS, which provide encrypted file transfer capabilities.
- Enforce Explicit TLS: Configure FTP daemons to enforce Explicit TLS and refuse cleartext connections.
- Fix IIS Certificate Bindings: Ensure that Windows Server administrators bind a valid certificate to the FTP site and verify that the SSL policy enforces encryption.
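The two observations above (a 534 reply to AUTH TLS, and servers that never complete a handshake) can be checked on your own inventory before and after hardening. The script below is an added example, not Censys's scanner or any vendor tooling: it sends AUTH TLS on a cleartext control connection, buckets the reply the way the report does, and separately confirms with ftplib.FTP_TLS that a full TLS handshake with a valid certificate succeeds. Host names and ports are assumptions.

```python
import socket
import ssl
import ftplib

def read_reply(f):
    """Read one FTP reply (handles multi-line '220-...' form); f yields bytes lines."""
    first = f.readline()
    if not first:
        raise ConnectionError("server closed the connection")
    code = first[:3].decode("ascii", "replace")
    lines = [first.decode("latin-1").rstrip("\r\n")]
    while first[3:4] == b"-":            # multi-line reply: read until the 'NNN ' line
        line = f.readline()
        if not line:
            raise ConnectionError("truncated multi-line reply")
        lines.append(line.decode("latin-1").rstrip("\r\n"))
        if line[:3] == first[:3] and line[3:4] == b" ":
            break
    return code, "\n".join(lines)

def classify_auth_reply(code):
    """Bucket the reply to AUTH TLS into the categories the report distinguishes."""
    if code == "234":
        return "explicit-tls-accepted"   # server will now negotiate TLS (RFC 4217)
    if code == "534":
        return "tls-not-configured"      # e.g. IIS FTP with no certificate bound
    if code in ("500", "502", "504"):
        return "auth-tls-unsupported"    # AUTH unknown, not implemented, or no TLS mechanism
    return "other"

def probe_auth_tls(host, port=21, timeout=5.0):
    """Send AUTH TLS on a cleartext control connection and record how the server answers."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rwb")
        _, banner = read_reply(f)
        f.write(b"AUTH TLS\r\n"); f.flush()
        code, _ = read_reply(f)
        f.write(b"QUIT\r\n"); f.flush()
    return {"banner": banner, "auth_code": code, "status": classify_auth_reply(code)}

def verify_handshake(host, port=21, timeout=5.0):
    """True only if the server completes a TLS handshake with a certificate we can validate."""
    try:
        with ftplib.FTP_TLS(context=ssl.create_default_context(), timeout=timeout) as ftps:
            ftps.connect(host, port)
            ftps.auth()       # AUTH TLS + handshake on the control channel
            ftps.prot_p()     # PBSZ 0 / PROT P: data channel encrypted as well
            return True
    except ftplib.all_errors:  # covers ftplib errors, ssl.SSLError and other OSError
        return False
```

Call probe_auth_tls("ftp.example.internal") and verify_handshake("ftp.example.internal") (placeholder host) against servers you administer; a status of tls-not-configured or auth-tls-unsupported is a server that will take credentials in cleartext, and a False from verify_handshake with a 234 status means the daemon advertises TLS but cannot complete the handshake.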
Ultimately, while the number of FTP servers is declining, the remaining instances continue to pose a significant security risk due to outdated configurations and the lack of encryption. Organizations are encouraged to prioritize the removal of FTP or its replacement with more secure alternatives to mitigate these risks effectively.
The continued prevalence of unencrypted FTP servers highlights a critical gap in cybersecurity practices, especially among organizations using outdated protocols. Transitioning to secure alternatives is essential to mitigate these risks.