Source article: "6 million internet-facing FTP hosts remain (down 40%) but still pose security risks due to insecure defaults" (cybersecuritynews.com)
FTP exposure is still a real issue, but the headline number needs context.
What the report likely means
A large count of internet-facing FTP hosts does not automatically mean 6 million actively used, intentionally deployed FTP servers.
As quoted, a significant share appears to come from:
- Default services left enabled on shared hosting systems
- Broadband/router or NAS devices exposing FTP unintentionally
- Legacy platform configurations that were never cleaned up
That matters because the risk is often less about “organizations choosing FTP” and more about old defaults and poor visibility.
Why FTP is still a problem
Traditional FTP has well-known security weaknesses:
- Credentials can be transmitted in clear text if plain FTP is used
- Data sessions are not encrypted by default
- It is easy to misconfigure
- Anonymous access or weak passwords can still appear in old deployments
- It increases attack surface unnecessarily when exposed to the public internet
Even when FTP is not being actively used, an exposed service can still become a target for password spraying, brute-force attempts, banner grabbing, or exploitation of outdated software.
Important nuance: FTP vs FTPS vs SFTP
These are often confused:
- FTP = legacy protocol, typically insecure over the internet unless specifically wrapped with TLS
- FTPS = FTP with TLS encryption added
- SFTP = SSH File Transfer Protocol, completely different from FTP and generally the preferred secure replacement in many environments
So “FTP exposure” in scans does not always mean credentials are definitely sent in clear text, but plain FTP exposure is still a strong sign of legacy or weak configuration.
Why the number is declining
A 40% drop since 2024 is significant and likely reflects:
- Migration to SFTP or HTTPS-based file transfer
- Cloud platforms replacing older hosting models
- Better default hardening
- ISPs and hosting providers reducing legacy services
- General awareness that FTP should not be internet-exposed unless there is a very specific reason
That said, millions of exposed hosts still add up to a large attack surface.
Practical takeaway for admins
If anyone is still exposing FTP to the internet, the safer approach is:
- Disable plain FTP if it is not absolutely required
- Prefer SFTP or at minimum FTPS
- Restrict access by IP where possible
- Use strong unique credentials and MFA where supported
- Review for anonymous login and weak default settings
- Patch the FTP software and underlying OS
- Check whether the service is exposed unintentionally by hosting or device defaults
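As an added example (not from the article or the post above), a small Python audit script an administrator can run against their own inventory to check three of the checklist items at once: whether plain FTP answers on port 21, whether the server advertises AUTH TLS in its FEAT reply, and whether anonymous login is accepted. It uses only the standard library's ftplib; the risk labels are my own, not the article's.

```python
"""Audit your own FTP hosts for the checklist above (added example, standard library only)."""
from dataclasses import dataclass, field
from ftplib import FTP, Error as FtpError

@dataclass
class FtpAudit:
    host: str
    reachable: bool = False          # plain FTP listener answered on port 21
    features: list[str] = field(default_factory=list)
    tls_offered: bool = False        # FEAT advertised AUTH TLS/SSL
    anonymous_login: bool = False    # USER anonymous was accepted

def parse_feat(feat_reply: str) -> list[str]:
    """Feature lines of a FEAT reply (RFC 2389) are indented; 211 wrapper lines are dropped."""
    return [ln.strip().upper() for ln in feat_reply.splitlines()
            if ln.startswith(" ") and ln.strip()]

def offers_tls(features: list[str]) -> bool:
    """True if the server advertises explicit TLS (AUTH TLS or AUTH SSL)."""
    return any(f.startswith("AUTH") and ("TLS" in f or "SSL" in f) for f in features)

def classify(audit: FtpAudit) -> str:
    """Risk tier for the checklist above (labels are my own, not the article's)."""
    if not audit.reachable:
        return "UNREACHABLE"          # nothing exposed on port 21
    if audit.anonymous_login:
        return "ANONYMOUS_PLAIN_FTP"  # worst case: no credentials needed at all
    if not audit.tls_offered:
        return "PLAIN_FTP_NO_TLS"     # any login would cross the wire in clear text
    return "FTPS_OFFERED"             # TLS available; still verify it is enforced

def audit_host(host: str, timeout: float = 5.0) -> FtpAudit:
    """Connect to host:21 and fill in an FtpAudit. Sends no real credentials."""
    result, ftp = FtpAudit(host=host), FTP()
    try:
        ftp.connect(host, 21, timeout=timeout)
    except OSError:
        return result                 # closed or filtered
    result.reachable = True
    try:
        result.features = parse_feat(ftp.sendcmd("FEAT"))
    except (FtpError, OSError):
        pass                          # old server or FEAT disabled: no TLS advertised
    result.tls_offered = offers_tls(result.features)
    try:
        ftp.login()                   # ftplib default: user anonymous, password anonymous@
        result.anonymous_login = True
    except (FtpError, OSError):
        pass
    ftp.close()
    return result
```

Call audit_host("ftp.example.internal") (placeholder name) for each host you administer and pass the result to classify(); anything other than UNREACHABLE or FTPS_OFFERED is a host the checklist applies to.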
About the source
The article may be summarizing the Censys findings, but for technical conclusions it is usually better to rely on the original research if available, since secondary reporting can oversimplify details.
Conclusion
The main concern is not just that FTP exists, but that legacy defaults and forgotten exposures still leave a very large number of systems unnecessarily reachable from the internet. The long-term fix is straightforward: remove plain FTP exposure and replace it with more modern, encrypted, tightly restricted alternatives.