Report: FTP protocol security gaps expose millions of systems

About half of 6 million internet-connected systems using the legacy File Transfer Protocol continue to lack encryption, making them vulnerable to cyberattacks, according to SecurityWeek.

Although the number of internet-exposed FTP hosts has declined by 40% since 2024, nearly a million hosts without encryption had no AUTH TLS on the scanned port, 813,000 sought passwords before creating an encrypted channel, and over 170,000 had no explicit TLS support, according to a Censys report. Geographically, the majority of FTP-accessible systems are in the United States, with large numbers also in China, Germany, Hong Kong, Japan, and France. Major providers include China Unicom, Alibaba, OVH, Hetzner, KDDI, and GoDaddy. Experts recommend replacing FTP with more secure options like SFTP or FTPS to protect data transfers.

"For most use cases, FTP can be replaced without significant disruption. If FTP must remain, enabling Explicit TLS is a configuration change, not a protocol upgrade, and both Pure-FTPd and vsftpd support it natively," said Censys.

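To check which of the conditions described above applies to an FTP server you operate, the following Python is an added example, not code from the Censys report or SecurityWeek. The function names, the verdict labels, the `tls-audit` placeholder account and the sample replies are assumptions made for illustration, and reading a `331` reply before `AUTH TLS` as "password sought before encryption" is this example's interpretation of the report's wording.

```python
import ftplib

def classify(feat: str, user: str, auth: str) -> dict:
    """Classify explicit-TLS posture from three pre-login control replies."""
    # FEAT (RFC 2389) lists one feature per indented line, e.g. " AUTH TLS".
    advertised = any(
        ln.strip().upper().startswith("AUTH") and "TLS" in ln.upper()
        for ln in feat.splitlines()
    )
    accepted = auth.startswith("234")   # RFC 4217: 234 = proceed with TLS handshake
    prompts = user.startswith("331")    # 331 = send password, here still in cleartext
    if not accepted:
        verdict = "no-explicit-tls"
    elif prompts:
        verdict = "tls-optional"        # TLS offered, cleartext login still possible
    else:
        verdict = "tls-enforced"
    return {"advertised": advertised, "accepted": accepted,
            "cleartext_password_prompt": prompts, "verdict": verdict}

def _reply(ftp: ftplib.FTP, cmd: str) -> str:
    """Send one command; return the reply text even for 4xx/5xx replies."""
    try:
        return ftp.sendcmd(cmd)
    except ftplib.Error as exc:         # error_temp / error_perm carry the reply line
        return str(exc)

def audit(host: str, port: int = 21, timeout: float = 10.0) -> dict:
    """Check a server you operate. No password or file command is ever sent."""
    ftp = ftplib.FTP()
    ftp.connect(host, port, timeout=timeout)
    try:
        feat = _reply(ftp, "FEAT")
        user = _reply(ftp, "USER tls-audit")   # placeholder account name (assumption)
        auth = _reply(ftp, "AUTH TLS")
        return classify(feat, user, auth)
    finally:
        ftp.close()

# Constructed replies for three server configurations (not real captures).
FEAT_TLS = "211-Features:\n AUTH TLS\n PBSZ\n PROT\n211 End"
SAMPLES = {
    "plain": ("211-Features:\n UTF8\n211 End", "331 Password required", "500 Unknown command"),
    "optional": (FEAT_TLS, "331 Password required", "234 Proceed with negotiation"),
    "enforced": (FEAT_TLS, "530 Encryption required", "234 Proceed with negotiation"),
}

if __name__ == "__main__":
    for name, replies in SAMPLES.items():
        print(name, classify(*replies))
```

A `tls-optional` verdict means the server accepts `AUTH TLS` but still lets a client begin a cleartext login, so enabling TLS alone is not enough until cleartext logins are also refused.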