TempMail Ninja
Unencrypted FTP Servers: 2.45 Million Systems Exposed Globally

As we cross the threshold of 2026, the global cybersecurity landscape is defined by a striking paradox: while quantum-resistant encryption and AI-driven threat hunting dominate the headlines, a foundational pillar of the early internet continues to leak sensitive data at an industrial scale. A definitive report released today by Censys reveals that nearly half of the world’s 6 million internet-facing FTP servers are operating without any form of modern security, leaving 2.45 million systems wide open to credential theft and data interception.

The File Transfer Protocol (FTP), which officially turned 55 years old this April, remains a ubiquitous ghost in the machine. Despite decades of warnings from security experts, the protocol still accounts for approximately 2.72% of all internet-visible systems. While the total number of FTP hosts has declined by 40% since 2024—dropping from a staggering 10.1 million to roughly 5.94 million—the sheer volume of unencrypted FTP servers still active points to a systemic failure in enterprise lifecycle management and a dangerous reliance on legacy defaults.

The Anatomy of Exposure: 2.45 Million Open Doors

The Censys research highlights a critical failure point in global data transit: the lack of a verified TLS (Transport Layer Security) handshake. Out of the observed 5.94 million FTP services, roughly 2.45 million showed no evidence of encryption. This means that for nearly 41% of the global FTP footprint, every username, password, and file packet is transmitted in plain text across the open web.

Technically, the risk of unencrypted FTP servers stems from the protocol’s dual-channel architecture. FTP operates using a control channel (typically Port 21) for commands and a separate data channel for the actual file payload. In an unencrypted state, an attacker positioned anywhere in the network path—whether through a compromised router, a rogue Wi-Fi hotspot, or a malicious ISP node—can use basic packet sniffing tools like Wireshark to reconstruct entire sessions. Because the “USER” and “PASS” commands are sent without a cryptographic wrapper, the barrier to entry for gaining full administrative access to these servers is virtually non-existent.

The “TLS Handshake” Mirage

Even among the 58.9% of servers that ostensibly support encryption, the security posture is often deceptive. The Censys report notes that 97% of encrypted servers have moved to modern TLS 1.2 or 1.3. However, a significant subset of the remaining population resides in what researchers call the “TLS Mirage.” This is particularly prevalent in Japan, which accounts for 71% of all FTP servers globally that still rely on deprecated and vulnerable protocols like TLS 1.0 and 1.1. These legacy versions are susceptible to well-known attacks such as POODLE and BEAST, offering a false sense of security while remaining vulnerable to modern decryption techniques.

The IIS Configuration Trap and the cPanel Legacy

Perhaps the most alarming revelation in the 2026 data is that the persistence of unencrypted FTP servers is rarely an intentional choice by administrators, but rather a byproduct of “commodity hosting” and “insecure defaults.” The research identifies two primary culprits in the proliferation of insecure file transfer services: Microsoft IIS and Pure-FTPd.

The Microsoft IIS “534” Error

Over 150,000 Microsoft Internet Information Services (IIS) FTP deployments are currently in a “broken” security state. These servers often return a “534” error response when scanned. This occurs because the IIS control policy is set to “Require SSL,” but the server administrator failed to bind a valid security certificate to the service. Consequently, the TLS handshake fails, and the server—rather than shutting down for safety—often defaults to a state where it may still accept cleartext credentials or simply remain exposed as a non-functional but visible target for reconnaissance.

The Pure-FTPd and cPanel Connection

Pure-FTPd remains the world’s most common FTP daemon, powering approximately 1.99 million services. Its dominance is largely tied to its role as the default FTP engine for cPanel, the ubiquitous web hosting control panel. For over a decade, cPanel installations have automatically enabled FTP for every new hosting account. Millions of small-to-medium enterprises (SMEs) are running unencrypted FTP servers without even realizing it, as the service was “on by default” during their initial server provision years ago and has never been audited or decommissioned.

  • Pure-FTPd: ~1.99 million services (primarily cPanel).
  • ProFTPD: ~812,000 services.
  • vsftpd: ~379,000 services (includes 1,744 hosts still running the backdoored v2.3.4).
  • Microsoft IIS: ~259,000 services.

Regional Disparities: The Geography of Risk

The distribution of unencrypted FTP servers is not uniform across the globe. Regional infrastructure habits and ISP defaults play a massive role in where data remains most vulnerable. The United States leads the world in total FTP exposure with over 1.2 million visible hosts, primarily due to its massive concentration of data centers and cloud providers like GoDaddy and Amazon (AWS).

However, when looking at encryption adoption rates, the picture shifts dramatically. Mainland China and South Korea report the lowest rates of TLS adoption among the top 10 hosting nations, at 17.9% and 14.5%, respectively. This lack of encryption is often attributed to older residential broadband configurations and legacy government or educational networks that have not been modernized. In these regions, unencrypted FTP servers are not just outliers; they are the standard for file movement, creating a massive target for state-sponsored and criminal threat actors alike.

The Technical Mechanics of Exploitation

To understand why security experts are so adamant about decommissioning unencrypted FTP servers, one must look at the technical ease of exploitation. Unlike modern protocols that use a single encrypted tunnel, standard FTP sends the command to transfer a file over Port 21, and then the server and client negotiate a new temporary port for the data transfer. This is known as “Passive Mode.”

In an unencrypted environment, an attacker performing a Man-in-the-Middle (MITM) attack can:

  1. Capture the Port 21 control channel traffic to extract the administrative username and password.
  2. Monitor the PASV (Passive) command to see which high-numbered port the data will be sent on.
  3. Intercept the data packets on that secondary port to steal the actual files.
  4. Inject malicious code into the file stream, so the victim receives a compromised version of the software or document they were trying to download.
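A passive monitor for the exposure described in the dual-channel paragraph and the interception steps above, written as an added example for this article (it is not code from the Censys report): it replays a reconstructed port-21 transcript and reports every credential or PASV data endpoint that crossed the wire without TLS protection. The transcript format (`C:`/`S:` line prefixes), the constructed sample session and the RFC 4217 rule that the data channel is protected only after `PROT P` is accepted are this example's assumptions.

```python
import re

# A 227 reply announces the data-channel endpoint as h1,h2,h3,h4,p1,p2 (port = p1*256 + p2)
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def audit_control_session(lines):
    """Replay one reconstructed port-21 session ('C: ' client, 'S: ' server lines)
    and return (kind, detail) findings for anything that crossed the wire unencrypted.
    The control channel counts as protected once the server answers AUTH TLS with 234;
    the data channel only once the client's PROT P is accepted with 200 (RFC 4217)."""
    findings = []
    control_tls = data_tls = False
    pending = None                      # client request still awaiting the server's verdict
    for line in lines:
        side, _, text = line.partition(":")
        text = text.strip()
        if side == "C":
            verb, _, arg = text.partition(" ")
            verb, arg = verb.upper(), arg.strip()
            if verb == "AUTH" and arg.upper() in ("TLS", "SSL"):
                pending = "AUTH"
            elif verb == "PROT" and arg.upper() == "P":
                pending = "PROT"
            elif verb in ("USER", "PASS") and not control_tls:
                shown = arg if verb == "USER" else "<redacted>"   # never log the password
                findings.append(("cleartext_credential", f"{verb} {shown}"))
        elif side == "S":
            if pending == "AUTH":
                control_tls = text.startswith("234")
            elif pending == "PROT":
                data_tls = text.startswith("200")
            pending = None
            m = PASV_RE.match(text)
            if m and not data_tls:
                host = ".".join(m.group(i) for i in range(1, 5))
                port = int(m.group(5)) * 256 + int(m.group(6))
                findings.append(("cleartext_data_channel", f"{host}:{port}"))
    return findings

SAMPLE_SESSION = [  # constructed transcript, not captured from any real host
    "S: 220 FTP server ready",
    "C: USER webadmin",
    "S: 331 Password required",
    "C: PASS hunter2",
    "S: 230 Logged in",
    "C: PASV",
    "S: 227 Entering Passive Mode (203,0,113,10,195,80)",
    "C: RETR backup.sql",
]
```

Feeding the same function a session where the server answers `AUTH TLS` with 534 (the IIS state discussed above) still yields cleartext-credential findings, because the client falls back to sending `USER` and `PASS` in the clear.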

Furthermore, the 2026 Censys report found that 1,744 servers are still running vsftpd version 2.3.4. This specific version was famously compromised in 2011 with a backdoor that opens a shell on port 6200 if a username ending in a smiley face “:)” is used. The fact that these servers remain online 15 years later highlights the “zombie” nature of legacy FTP infrastructure.

Transitioning to Secure Alternatives: SFTP vs. FTPS

As the internet enters a more hostile threat era, the recommendation from security authorities is clear: Decommission FTP immediately. For organizations that require file transfer capabilities, two primary secure alternatives exist, each with distinct technical advantages.

SFTP (SSH File Transfer Protocol)

SFTP is widely considered the “gold standard” for secure file transfer in 2026. Unlike FTP, it is not an extension but a completely different protocol based on Secure Shell (SSH).

Key Advantages:

  • Single Port: Operates entirely over Port 22, making firewall configuration significantly simpler.
  • Encryption by Default: There is no “unencrypted” mode for SFTP. Both credentials and data are encrypted from the first bit.
  • Public Key Authentication: Supports SSH keys, eliminating the need for vulnerable passwords.

FTPS (FTP over SSL/TLS)

FTPS is an evolutionary step that adds a TLS layer to the traditional FTP protocol. It is often used by organizations that have legacy workflows that cannot easily be ported to SSH.

Technical Nuances:

  • Implicit vs. Explicit: “Explicit FTPS” (AUTH TLS) starts on Port 21 and then upgrades to an encrypted session. “Implicit FTPS” (Port 990) is encrypted from the start.
  • Firewall Complexity: Because it still uses multiple ports for data channels, it requires complex “Passive Port Range” configurations in firewalls, which are often misconfigured.

The Strategic Roadmap for 2026: Killing the Legacy

The persistence of 2.45 million unencrypted FTP servers is an avoidable risk that requires an active remediation strategy. Enterprise CISOs and IT managers should prioritize a three-step protocol for 2026:

  1. Visibility and Audit: Use scanning tools like Censys or Shodan to identify every internet-facing IP in your organization’s ASN. Check specifically for Port 21 exposure.
  2. Mandatory Migration: Force a transition to SFTP for all automated workflows. For public-facing file shares, migrate to modern S3-compatible object storage with IAM (Identity and Access Management) controls.
  3. Default Hardening: If you are a hosting provider using cPanel or IIS, change the platform defaults to “FTP Disabled” for all new accounts. Security must be an opt-in, not an afterthought.
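An audit helper for step 1 of the roadmap and for the IIS “534” state described earlier, added here as example code (it is not a Censys or Shodan tool and not part of the report): it connects to port 21 on a host you administer, sends `AUTH TLS`, classifies the reply into the exposure states this article discusses, and names the daemon from its greeting. The banner substrings, the state labels and the constructed reply strings are this example's assumptions.

```python
import io
import socket

# Daemon families from the Censys figures above; the substrings are their default greetings
DAEMON_MARKERS = {"Pure-FTPd": "Pure-FTPd", "ProFTPD": "ProFTPD",
                  "vsftpd": "vsFTPd", "Microsoft IIS": "Microsoft FTP Service"}

def read_reply(stream):
    """Read one complete FTP reply from a text stream, honouring the RFC 959
    multi-line form: '234-...' continuation lines until the '234 ...' terminator."""
    first = stream.readline()
    code, lines = first[:3], [first.rstrip("\r\n")]
    if first[3:4] == "-":
        while (line := stream.readline()) and not line.startswith(code + " "):
            lines.append(line.rstrip("\r\n"))
        if line:
            lines.append(line.rstrip("\r\n"))
    return code, "\n".join(lines)

def classify_auth_tls(code):
    """Map the reply to 'AUTH TLS' onto the exposure states discussed in the article."""
    if code == "234":
        return "explicit-tls-available"   # still verify certificate and TLS version next
    if code == "534":
        return "tls-policy-broken"        # 'Require SSL' set but no certificate bound
    if code.startswith("5"):
        return "no-tls-cleartext-only"    # AUTH unknown or refused: credentials in clear
    return "unexpected-" + code

def inventory_banner(banner):
    """Name the daemon from its 220 greeting and flag the backdoored vsftpd 2.3.4."""
    daemon = next((n for n, m in DAEMON_MARKERS.items() if m in banner), "unknown")
    return daemon, ("vsFTPd 2.3.4" in banner)

def classify_reply_text(raw):
    """Offline helper: classify a captured reply string (for tests and log review)."""
    code, _ = read_reply(io.StringIO(raw))
    return classify_auth_tls(code)

def probe_ftp(host, port=21, timeout=5.0):
    """Active check for hosts you own: greet, send AUTH TLS, classify, then QUIT."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rw", encoding="latin-1", newline="")
        _, banner = read_reply(f)
        f.write("AUTH TLS\r\n"); f.flush()
        code, _ = read_reply(f)          # no handshake is attempted; we only classify
        f.write("QUIT\r\n"); f.flush()
        daemon, backdoored = inventory_banner(banner)
        return {"host": host, "daemon": daemon, "vsftpd_2_3_4": backdoored,
                "auth_tls_code": code, "state": classify_auth_tls(code)}
```

Run `probe_ftp()` over the address list of your own ASN and treat every `tls-policy-broken` or `no-tls-cleartext-only` result as a migration ticket for step 2.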

In conclusion, the data from April 2026 serves as a stark reminder that the “boring” protocols are often the most dangerous. Unencrypted FTP servers may not have the flair of a zero-day exploit or a sophisticated ransomware strain, but they remain the primary avenue for silent, high-volume data exfiltration. As we move further into a decade defined by privacy regulations and advanced cyber-warfare, leaving 2.45 million open doors on the internet is no longer just a technical oversight—it is a catastrophic risk that the global tech community can no longer afford to ignore.

Written by

TempMail Ninja

Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.