Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
RedHook Android RAT Abuses ADB Wireless Debugging to Gain Shell-Level Access
July 9, 2026
Microsoft Uses AI Scanning to Discover Vulnerabilities Pre-Exploit
July 9, 2026
AI-Powered Attack Breaches AWS Cloud Environment in 72 Hours
July 9, 2026
Home/CyberSecurity News/Censys: 6 Million Internet-Facing FTP Servers Remain Exposed
CyberSecurity News

Censys: 6 Million Internet-Facing FTP Servers Remain Exposed

Key Takeaways Approximately 6 million internet-facing File Transfer Protocol (FTP) servers remain exposed globally, despite a 40% reduction since 2024. A significant portion of these servers, about...

Emy Elsamnoudy
Emy Elsamnoudy
April 18, 2026 3 Min Read
45 0

Key Takeaways

  • Approximately 6 million internet-facing File Transfer Protocol (FTP) servers remain exposed globally, despite a 40% reduction since 2024.
  • A significant portion of these servers, about 2.45 million, show no evidence of Transport Layer Security (TLS) encryption, risking cleartext transmission of sensitive data.
  • The persistence of FTP exposure is largely due to insecure default configurations in popular hosting environments and broadband provider setups, rather than dedicated file transfer infrastructure.
  • Regional disparities in TLS adoption are stark, with China and South Korea having the lowest rates, while Japan struggles with widespread use of deprecated TLS versions.

A new report from Censys, published in April 2026 and authored by security researcher Himaja Motheram, reveals that nearly six million internet-facing hosts continue to operate the outdated File Transfer Protocol (FTP).

Table Of Content

  • Key Takeaways
  • The State of Encryption and Regional Risks
  • Key Technical Observations
  • Mitigation and Hardening Strategies
  • What You Should Do

While this figure represents a substantial 40% decrease from the 10.1 million servers identified in 2024, the enduring presence of this decades-old protocol continues to present significant security vulnerabilities, primarily due to widespread insecure default configurations.

The Censys analysis underscores that the prevalent issue of FTP exposure in 2026 stems not from purpose-built file transfer systems, but rather from cumulative platform defaults found in shared hosting networks and broadband services.

The State of Encryption and Regional Risks

Securing these numerous FTP servers presents a complex picture. Censys data indicates that approximately 58.9% of observed FTP hosts successfully complete a Transport Layer Security (TLS) handshake, signifying their capability for encrypted connections.

FileZilla server responding with a funny TLS response(Source: Censys)
FileZilla server responding with a funny TLS response(Source: Censys)

However, this leaves an estimated 2.45 million hosts without any observable encryption, rendering them susceptible to transmitting files and user credentials in cleartext.

The adoption of encryption varies considerably across different geographic regions. Censys data highlights that among the top 10 hosting countries, mainland China and South Korea exhibit the lowest TLS adoption rates, at 17.9% and 14.5% respectively.

Conversely, Japan accounts for a significant 71% of all global FTP servers that still rely on obsolete and deprecated encryption protocols like TLS 1.0 and 1.1.

The overall security posture of these six million servers is largely dictated by the default settings of the underlying software daemons.

Key Technical Observations

  • Pure-FTPd Dominance: Pure-FTPd is identified as the most prevalent FTP daemon, running on approximately 1.99 million services. Its widespread use is primarily attributed to its default inclusion in cPanel hosting environments.
  • The IIS FTP Configuration Trap: Over 150,000 Microsoft IIS FTP services return a “534” error, indicating that TLS has not been properly configured. Despite IIS defaulting to a policy that seemingly mandates encryption, a fresh installation does not automatically bind a security certificate. This oversight allows the server to accept cleartext credentials, even though the configuration appears to enforce TLS.
  • Hidden Nonstandard Ports: Scans limited to the standard port 21 overlook a substantial portion of the attack surface. Tens of thousands of FTP services operate on alternative ports, such as 10397 or 2121, often associated with specific telecom operations or network-attached storage (NAS) devices.

Mitigation and Hardening Strategies

2.35 Million FTP Services With No Evidence of TLS(Source: Censys)
2.35 Million FTP Services With No Evidence of TLS(Source: Censys)

Censys strongly advises enterprise defenders and infrastructure administrators to first assess the genuine necessity of FTP before attempting to harden its security. This recommendation is detailed in their blog post on FTP exposure.

What You Should Do

  • Migrate to Secure Alternatives: Whenever feasible, replace FTP with more secure protocols such as SSH File Transfer Protocol (SFTP), which encrypts both credentials and data by default over port 22.
  • Enforce Explicit TLS: If retaining legacy FTP infrastructure is unavoidable, administrators must configure their FTP daemons to enforce Explicit TLS (FTPS) and reject all cleartext connections.
  • Correct IIS Certificate Bindings: Windows Server administrators managing IIS FTP installations must ensure a valid SSL certificate is properly bound to the FTP site and verify that the SSL policy is actively enforcing encryption.

Ultimately, while the internet’s reliance on FTP is gradually diminishing, millions of instances continue to operate in the background. As Censys warns, the primary threat is not sophisticated zero-day exploits, but rather the straightforward failure to update default configurations, which leaves systems unnecessarily exposed.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackSecurityzero-day

Share Article

Emy Elsamnoudy

Emy Elsamnoudy

Emy is a cybersecurity analyst and reporter specializing in threat hunting, defense strategies, and industry trends. With expertise in proactive security measures, Emily covers the tools and techniques organizations use to detect and prevent cyber attacks. She is a regular speaker at security conferences and has contributed to industry reports on threat intelligence and security operations. Emily's reporting focuses on helping organizations improve their security posture through practical, actionable insights.

Previous Post

Critical TP-Link Router Vulnerability CVE-2023-33538 Exploited by Mirai Malware

Next Post

Critical FortiSandbox RCE Vulnerability CVE-2023-34981 Gets Public Exploit

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical Linux Kernel Flaw Allows Root Access via DRM Render Nodes
July 9, 2026
Critical HP Linux Printing Bug (CVE-2023-1704) Lets Attackers Run Code
July 9, 2026
Fake Paysafe, Skrill, Neteller Packages Steal API Keys and Tokens
July 9, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us