The FTP Ghost in the Machine: 6 Million Servers Still Expose Unencrypted Legacy Portals
A new global scan by Censys reveals that nearly half of all internet-facing FTP servers lack basic encryption, leaving enterprise data pipelines vulnerable to credential sniffing and man-in-the-middle attacks.
ANN ARBOR, MI — In an era dominated by zero trust and encrypted tunnels, one of the internet’s oldest protocols remains a massive, unpatched liability. According to a state-of-the-internet report from Censys, approximately 6 million servers continue to expose File Transfer Protocol (FTP) services to the public web. More alarming is the finding that nearly 50% of these servers do not support any form of encryption, such as FTPS or SFTP.
The findings underscore a persistent "Shadow Infrastructure" problem, where legacy systems — often forgotten by IT departments — continue to facilitate the movement of sensitive corporate and personal data in plain text.
FTP Security Breakdown
The Persistence of "Plain Text" Risk
FTP, a protocol dating back to 1971, was never designed with modern security in mind. While secure variants like SFTP (SSH File Transfer Protocol) exist, the Censys scan reveals that millions of hosts are still configured for "Anonymous" access or clear-text authentication.
According to technical analysis from SecurityWeek and CyberNews, the exposure follows several dangerous patterns:
- Credential Sniffing: Because standard FTP sends passwords in the clear, any attacker positioned on the network path can intercept administrative credentials.
- Anonymous Access: A significant portion of the 6 million servers allow "Anonymous" logins, frequently providing a gateway to internal document repositories or configuration files.
- The "Serial-to-IP" Link: SecurityWeek notes that many of these exposed servers are actually Serial-to-IP converters used in healthcare and industrial OT (Operational Technology) environments to connect legacy hardware to the cloud.
Geographic and Sector Concentration
The exposure is not evenly distributed. Censys identified heavy concentrations of unencrypted FTP servers in regions with rapidly expanding digital footprints but lagging security oversight. Furthermore, the report highlights that many of these servers are hosted on consumer-grade ISP ranges, suggesting that small businesses and home-office setups are unwittingly acting as weak points in the broader enterprise supply chain.
The CyberSignal Analysis
Signal 01 — The "Shadow Infrastructure" Debt
This incident is a definitive "Signal" for enterprise infrastructure management. The presence of 6 million FTP servers in 2026 isn't just a technical flaw; it’s a failure of vulnerability management. These servers are the "basement windows" of the corporate world — left unlocked because everyone assumes the "front door" (the firewall) is enough. For B2B leaders, the takeaway is clear: If you haven't audited your external-facing ports in the last 90 days, you likely own part of this 6-million-count problem.
Signal 02 — The Death of "Security through Obscurity"
The "Signal" here is the power of automated global scanning. Threat actors are using the same tools as Censys to map your network in seconds. As we discussed in our report on Common Cybersecurity Threats in 2026, attackers no longer need a complex exploit to breach a network; they just need a legacy protocol that was never turned off. In 2026, identity & access management (IAM) must include the "Identity" of the protocols themselves — if a service doesn't support encryption, it shouldn't have an identity on your network.
