Millions of FTP Servers Still Exposed in 2026, Legacy Protocols Continue to Fuel Global Cyber Risk

Introduction: A Problem That Refuses to Die

Even in 2026, one of the internet’s oldest file transfer technologies continues to create modern security risks. Despite years of warnings and gradual improvements, millions of FTP servers remain publicly exposed, many of them misconfigured, outdated, and vulnerable. A new report from Censys reveals that while progress has been made, the problem is far from solved. The persistence of legacy systems, combined with weak default settings, is keeping the global attack surface dangerously wide open.

Summary of the Original Report

The latest findings from Censys highlight that nearly six million internet-facing FTP servers are still exposed worldwide in 2026. Although this marks a significant drop from 10.1 million in 2024, representing a 40% reduction, the remaining 5.94 million servers continue to pose a serious cybersecurity threat.

Much of this exposure is not the result of deliberate deployment decisions but rather outdated default configurations embedded in hosting environments and residential broadband networks. These systems often go unnoticed, quietly running in the background without proper oversight or maintenance.

Geographically, the exposure is heavily concentrated. The United States leads with over 1.2 million exposed servers, followed by major contributions from China, Germany, Hong Kong, and Japan. Together, these regions account for more than half of the global FTP exposure landscape.

A critical concern outlined in the report is the inconsistent use of encryption. Approximately 58.9% of FTP servers support TLS, and most of these use modern versions such as TLS 1.2 or 1.3. However, around 2.45 million servers still operate without any TLS support, meaning data and credentials are transmitted in plaintext, making them easy targets for interception.

Regional disparities in encryption adoption are also notable. Mainland China and South Korea show particularly low TLS adoption rates, while Japan stands out for having a high percentage of servers still using outdated TLS versions.

The report further explains the differences between FTP variants. Traditional FTP is inherently insecure due to its plaintext nature. FTPS attempts to improve this by adding TLS encryption, while SFTP provides a more secure alternative by operating over SSH. Meanwhile, TFTP is highlighted as especially risky because it lacks authentication entirely and should never be exposed to the public internet.

Another key issue is the continued reliance on insecure default configurations in widely used software. Pure-FTPd remains the most common FTP server, largely due to default settings in cPanel environments. Vsftpd is also still widely used, with over 1,700 servers running a compromised version from 2011. Additionally, more than 150,000 Microsoft IIS FTP servers are misconfigured, often returning SSL-related errors due to improper certificate bindings.

In many IIS cases, administrators enable SSL requirements without properly installing certificates. This results in failed encryption attempts while still allowing unencrypted credentials to pass through, creating a dangerous illusion of security.

To mitigate these risks, Censys recommends that organizations disable FTP services when not needed, transition to SFTP for secure file transfers, properly configure TLS settings, and regularly audit internet-facing assets for outdated or legacy systems.
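As an added example that is not part of the Censys report or this article, the following Python helper classifies a single FTP endpoint from your own inventory into the three postures described above: no TLS at all, working TLS, and TLS advertised but broken, as in the IIS certificate-binding case. The "certificate" keyword heuristic and the sample reply texts used in comments are constructed assumptions, not documented server messages.

```python
import io
import socket
import ssl

def read_reply(f) -> str:
    """Read one FTP reply, joining multi-line replies ('220-...' up to '220 ')."""
    first = f.readline().decode("latin-1")
    lines = [first.rstrip("\r\n")]
    if first[3:4] == "-":
        code = first[:3]
        while True:
            line = f.readline().decode("latin-1")
            if not line:
                break
            lines.append(line.rstrip("\r\n"))
            if line[:3] == code and line[3:4] == " ":
                break
    return "\n".join(lines)

def parse_reply(raw: bytes) -> str:
    return read_reply(io.BytesIO(raw))  # for captured bytes / offline tests

def classify(auth_reply: str, handshake_ok) -> str:
    """NO_TLS: TLS not offered. TLS_OK: 234 and handshake done. TLS_BROKEN:
    234 but handshake failed, or an error reply mentioning a certificate
    (constructed heuristic for the IIS 'SSL required, no certificate bound' case)."""
    if not auth_reply.startswith("234"):
        return "TLS_BROKEN" if "certificate" in auth_reply.lower() else "NO_TLS"
    return "TLS_OK" if handshake_ok else "TLS_BROKEN"

def probe(host: str, port: int = 21, timeout: float = 5.0) -> dict:
    """Live check of one endpoint you administer (network call; not run by the test)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        banner = read_reply(f)
        sock.sendall(b"AUTH TLS\r\n")
        reply = read_reply(f)
        handshake_ok, version = None, None
        if reply.startswith("234"):
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE  # audit records the handshake result, not trust
            try:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    handshake_ok, version = True, tls.version()
            except (ssl.SSLError, OSError):
                handshake_ok = False
    return {"banner": banner, "auth_reply": reply, "tls_version": version,
            "posture": classify(reply, handshake_ok)}
```

Run `probe()` against each FTP host in an asset inventory and treat every `NO_TLS` or `TLS_BROKEN` result as a candidate for decommissioning or migration to SFTP.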

Overall, the report emphasizes that legacy protocols combined with poor default settings continue to expand the global attack surface, even as awareness of cybersecurity improves.

What Undercode Say: The Real Issue Isn’t FTP — It’s Neglect

The persistence of FTP exposure in 2026 is not a technological failure. It is an operational one.

Organizations already know that FTP is insecure. The existence of safer alternatives like SFTP has been widely accepted for years. Yet the continued presence of millions of exposed servers shows that awareness alone does not translate into action.

The deeper issue lies in infrastructure inertia. Many of these FTP servers are not actively managed systems but forgotten components embedded within hosting stacks, legacy applications, or ISP-provided hardware. They exist because no one has taken ownership of them.

Default configurations play a critical role here. When software like Pure-FTPd or IIS is deployed with insecure or incomplete security settings, it creates vulnerabilities at scale. Administrators often assume that enabling a feature like SSL automatically ensures security, but without proper implementation, it can actually make things worse by creating a false sense of protection.

Another important factor is economic prioritization. Security improvements often compete with business goals, and legacy systems are rarely seen as urgent risks until they are exploited. FTP servers, especially those handling non-critical data, are frequently left untouched because they “still work.”

Attackers, however, see them differently. An exposed FTP server is not just a file transfer endpoint. It is an entry point. It can be used for credential harvesting, malware distribution, lateral movement, or data exfiltration. Even a single misconfigured server can become the starting point of a larger breach.

The global distribution of these servers also highlights uneven cybersecurity maturity. Regions with lower TLS adoption or higher reliance on outdated protocols may lack the regulatory pressure or resources needed to enforce modern security standards.

What makes this situation more concerning is that it is entirely preventable. Unlike zero-day vulnerabilities or advanced threats, the risks associated with FTP are well understood and easily mitigated. Disabling unused services, enforcing encryption, and conducting regular audits are basic security practices.

Yet the scale of the problem shows that these fundamentals are still not consistently applied. This reflects a broader pattern in cybersecurity where simple issues persist not because they are difficult to solve, but because they are easy to ignore.

In the end, FTP exposure is just a symptom. The real problem is the lack of continuous visibility and accountability in managing internet-facing assets.

Fact Checker Results

✅ The reduction from 10.1 million to 5.94 million exposed FTP servers aligns with the reported 40% decline.
❌ FTP without TLS is still widely used, confirming that plaintext transmission remains a real-world risk.
✅ Misconfigured SSL in Microsoft IIS servers is a documented issue that can create false security assumptions.

Prediction

The number of exposed FTP servers will continue to decline gradually, but not disappear anytime soon ⚠️
Organizations will increasingly adopt SFTP and automated asset discovery tools to reduce blind spots 🔍
Attackers will keep targeting legacy protocols because they remain one of the easiest entry points into networks 🚪

References:

Reported By: cyberpress.org