Half of the 6 Million Internet-Facing FTP Servers Lack Encryption
Half of 6 million internet-facing FTP servers lack encryption support.
Summary
Censys research reveals approximately 6 million internet-accessible FTP servers worldwide, with 2.45 million (41%) showing no evidence of encryption support. The 50-year-old FTP protocol continues to expose enterprises and users to credential theft and data interception despite a 40% year-over-year decline in deployments. Most unencrypted servers are in the US, China, Germany, and Hong Kong, with Pure-FTPd, ProFTPD, and vsftpd being the most common implementations.
Full text
Approximately 6 million internet-accessible systems are using FTP today, and almost half of them do not use encryption, a fresh Censys report shows.

In use for more than half a century, FTP uses a client-server model architecture to facilitate the transfer of files and folders between computers. Unlike modern protocols, however, FTP transmits data unencrypted and has been deemed insecure for years. Its continued use exposes enterprises and end users alike to avoidable risks.

The number of hosts running an internet-facing FTP service has dropped by 40% since 2024 (from 10.1 million to 5.94 million), but the protocol still accounts for 2.72% of all internet-visible systems, Censys says.

Also alarming is the fact that 2.45 million of the observed FTP services show no evidence of encryption. With no observed TLS handshake, these servers either lack support for encryption, were not upgraded, or did not complete a handshake during Censys’ scanning.

“This is not a guarantee that all 2.45 million transmit files and credentials in cleartext, but it is the population with no observed evidence of encryption,” the internet intelligence provider notes.

Most of the FTP-visible hosts are in the US (1.2 million). China (866,000), Germany (467,000), Hong Kong (415,000), Japan (366,000), and France (343,000) also house significant numbers of such systems.

Some of the largest hosting and broadband providers worldwide account for the most FTP hosts, including China Unicom’s CHINA169 (405,000), Alibaba (227,000), OVH (177,000), Hetzner (138,000), KDDI Web Communications (127,000), and GoDaddy (126,000).

Censys’ analysis of the FTP hosts revealed that Pure-FTPd is the most commonly running server, accounting for roughly 1.99 million services. It is followed by ProFTPD with 812,000 services and vsftpd (the standard FTP daemon in most Linux distributions) with 379,000 services.
Microsoft’s legacy web and FTP server platform, IIS (Internet Information Services), accounts for 259,000 services. All Windows Server instances with the FTP role enabled would run IIS FTP by default, and more than 150,000 of these services have never had encryption set up, Censys says.

In fact, of the 2.45 million FTP hosts that lack encryption, 994,000 services do not implement AUTH TLS on the scanned port, 813,000 ask for a password before establishing an encrypted channel, and more than 170,000 do not have explicit TLS support.

“The geography, ASN distribution, and server technology mix in this dataset all point toward the conclusion that most Internet-facing FTP configurations are a byproduct of commodity hosting and broadband defaults,” Censys notes.

Organizations are encouraged to either completely remove FTP from their environments or transition to more secure alternatives, such as SFTP (SSH File Transfer Protocol) and FTPS, which offer encrypted file transfer capabilities and have broad client compatibility.

“For most use cases, FTP can be replaced without significant disruption. If FTP must remain, enabling Explicit TLS is a configuration change, not a protocol upgrade, and both Pure-FTPd and vsftpd support it natively,” Censys notes.

Written By Ionut Arghire
Ionut Arghire is an international correspondent for SecurityWeek.
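
A defender-side check for the AUTH TLS findings above, as an added example that is not from Censys or SecurityWeek: it sends FEAT and AUTH TLS on the control channel of an FTP server you operate and reports the reply, without sending credentials. The function names, verdict labels and sample transcripts are constructed for illustration and do not reproduce Censys' methodology.

```python
import io
import socket

def read_reply(rfile):
    """Read one FTP reply, including the multi-line 'NNN-' ... 'NNN ' form (RFC 959)."""
    first = rfile.readline().decode("latin-1").rstrip("\r\n")
    if len(first) < 3 or not first[:3].isdigit():
        raise ValueError(f"not an FTP reply: {first!r}")
    code, lines = first[:3], [first]
    while first[3:4] == "-" and not lines[-1].startswith(code + " "):
        raw = rfile.readline()
        if not raw:
            raise ValueError("connection closed mid-reply")
        lines.append(raw.decode("latin-1").rstrip("\r\n"))
    return int(code), lines

def audit_streams(rfile, wfile):
    """Banner, FEAT, then AUTH TLS on an open control channel. Sends no credentials."""
    _, banner = read_reply(rfile)
    wfile.write(b"FEAT\r\n"); wfile.flush()
    feat_code, feat = read_reply(rfile)
    # FEAT (RFC 2389) lists one feature per indented line between 211- and 211.
    advertised = feat_code == 211 and any(
        line.strip().upper().startswith("AUTH TLS") for line in feat[1:-1])
    wfile.write(b"AUTH TLS\r\n"); wfile.flush()
    auth_code, _ = read_reply(rfile)
    # Verdict labels are this example's own (assumption), not Censys categories.
    verdict = {234: "explicit-tls-accepted",  # RFC 4217: server is ready for the handshake
               500: "auth-tls-not-implemented", 502: "auth-tls-not-implemented",
               504: "auth-tls-not-implemented",
               530: "login-demanded-before-tls"}.get(auth_code, f"unexpected-{auth_code}")
    return {"banner": banner[0], "feat_advertises_tls": advertised, "verdict": verdict}

def audit_host(host, port=21, timeout=10):
    """Run the same audit against an FTP server you operate."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as r, sock.makefile("wb") as w:
            return audit_streams(r, w)

# Constructed transcripts (not captured from any real server).
TLS_READY = (b"220 constructed banner\r\n211-Features:\r\n AUTH TLS\r\n PBSZ\r\n"
             b"211 End\r\n234 AUTH TLS OK\r\n")
NO_TLS = b"220 constructed banner\r\n211-Features:\r\n MDTM\r\n211 End\r\n500 Unknown command\r\n"

if __name__ == "__main__":
    for name, data in (("tls-ready", TLS_READY), ("no-tls", NO_TLS)):
        print(name, audit_streams(io.BytesIO(data), io.BytesIO()))
```

A 234 reply only shows that the server offers explicit TLS; whether cleartext logins are still accepted is a separate server setting that this check does not test.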