Censys: 6 Million Internet-Facing FTP Servers Remain Exposed
Key Takeaways Approximately 6 million internet-facing File Transfer Protocol (FTP) servers remain exposed globally, despite a 40% reduction since 2024. A significant portion of these servers, about...
Key Takeaways
- Approximately 6 million internet-facing File Transfer Protocol (FTP) servers remain exposed globally, despite a 40% reduction since 2024.
- A significant portion of these servers, about 2.45 million, show no evidence of Transport Layer Security (TLS) encryption, risking cleartext transmission of sensitive data.
- The persistence of FTP exposure is largely due to insecure default configurations in popular hosting environments and broadband provider setups, rather than dedicated file transfer infrastructure.
- Regional disparities in TLS adoption are stark, with China and South Korea having the lowest rates, while Japan struggles with widespread use of deprecated TLS versions.
A new report from Censys, published in April 2026 and authored by security researcher Himaja Motheram, reveals that nearly six million internet-facing hosts continue to operate the outdated File Transfer Protocol (FTP).
Table Of Content
While this figure represents a substantial 40% decrease from the 10.1 million servers identified in 2024, the enduring presence of this decades-old protocol continues to present significant security vulnerabilities, primarily due to widespread insecure default configurations.
The Censys analysis underscores that the prevalent issue of FTP exposure in 2026 stems not from purpose-built file transfer systems, but rather from cumulative platform defaults found in shared hosting networks and broadband services.
The State of Encryption and Regional Risks
Securing these numerous FTP servers presents a complex picture. Censys data indicates that approximately 58.9% of observed FTP hosts successfully complete a Transport Layer Security (TLS) handshake, signifying their capability for encrypted connections.

However, this leaves an estimated 2.45 million hosts without any observable encryption, rendering them susceptible to transmitting files and user credentials in cleartext.
The adoption of encryption varies considerably across different geographic regions. Censys data highlights that among the top 10 hosting countries, mainland China and South Korea exhibit the lowest TLS adoption rates, at 17.9% and 14.5% respectively.
Conversely, Japan accounts for a significant 71% of all global FTP servers that still rely on obsolete and deprecated encryption protocols like TLS 1.0 and 1.1.
The overall security posture of these six million servers is largely dictated by the default settings of the underlying software daemons.
Key Technical Observations
- Pure-FTPd Dominance: Pure-FTPd is identified as the most prevalent FTP daemon, running on approximately 1.99 million services. Its widespread use is primarily attributed to its default inclusion in cPanel hosting environments.
- The IIS FTP Configuration Trap: Over 150,000 Microsoft IIS FTP services return a “534” error, indicating that TLS has not been properly configured. Despite IIS defaulting to a policy that seemingly mandates encryption, a fresh installation does not automatically bind a security certificate. This oversight allows the server to accept cleartext credentials, even though the configuration appears to enforce TLS.
- Hidden Nonstandard Ports: Scans limited to the standard port 21 overlook a substantial portion of the attack surface. Tens of thousands of FTP services operate on alternative ports, such as 10397 or 2121, often associated with specific telecom operations or network-attached storage (NAS) devices.
Mitigation and Hardening Strategies

Censys strongly advises enterprise defenders and infrastructure administrators to first assess the genuine necessity of FTP before attempting to harden its security. This recommendation is detailed in their blog post on FTP exposure.
What You Should Do
- Migrate to Secure Alternatives: Whenever feasible, replace FTP with more secure protocols such as SSH File Transfer Protocol (SFTP), which encrypts both credentials and data by default over port 22.
- Enforce Explicit TLS: If retaining legacy FTP infrastructure is unavoidable, administrators must configure their FTP daemons to enforce Explicit TLS (FTPS) and reject all cleartext connections.
- Correct IIS Certificate Bindings: Windows Server administrators managing IIS FTP installations must ensure a valid SSL certificate is properly bound to the FTP site and verify that the SSL policy is actively enforcing encryption.
Ultimately, while the internet’s reliance on FTP is gradually diminishing, millions of instances continue to operate in the background. As Censys warns, the primary threat is not sophisticated zero-day exploits, but rather the straightforward failure to update default configurations, which leaves systems unnecessarily exposed.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.