# Half of 6 Million Internet-Facing FTP Servers Still Transmit Data Without Encryption


A large-scale internet measurement has revealed a widespread security gap: approximately 3 million FTP servers remain reachable from the public internet and exchange logins and files without encryption, exposing organizations worldwide to interception, credential theft, and unauthorized data access. The assessment, which examined roughly 6 million publicly accessible FTP servers globally, underscores a persistent blind spot in enterprise infrastructure.


## The Threat


The statistics are staggering. Out of an estimated 6 million FTP (File Transfer Protocol) servers accessible from the internet, roughly 50% operate without encryption, meaning credentials and file transfers traverse the internet in plaintext. This creates a direct pathway for attackers to capture sensitive data, intercept login credentials, and establish footholds in organizational networks.


Unencrypted FTP runs its control connection on TCP port 21 and opens a separate data connection for each transfer; usernames, passwords, directory listings, and file contents all cross the network as plaintext. An attacker positioned anywhere on the path between client and server (through ARP spoofing, DNS hijacking, BGP hijacking, or a compromised router or host) can capture this traffic with minimal effort using tools as simple as tcpdump or Wireshark.


## Background and Context


FTP has been the subject of security concerns for decades. The protocol, standardized in 1985 (RFC 959), predates modern encryption standards and was designed for an era when network security was not a primary concern. Despite its age and known vulnerabilities, FTP remains deeply embedded in enterprise infrastructure for several reasons:


  • Legacy system integration: Thousands of enterprises run applications and workflows that depend on FTP
  • Widespread device support: Industrial control systems, embedded devices, and legacy hardware often only support FTP
  • Perceived simplicity: Some organizations view FTP as simpler to implement than secure alternatives
  • Inertia: Infrastructure teams may not prioritize upgrading protocols that "still work"

While secure alternatives like SFTP (SSH File Transfer Protocol) and FTPS (FTP Secure) have been available for more than two decades, adoption has been slow and inconsistent across organizations.


## Technical Details


### How Unencrypted FTP Works


Standard FTP operates in cleartext across two channels:


1. Control Channel (TCP port 21): Carries commands, replies, and the USER/PASS login exchange

2. Data Channel (port 20 in active mode, or a server-chosen ephemeral port in passive mode): Carries directory listings and file contents


Neither channel is encrypted or integrity-protected. A packet capture of the control channel shows the login exchange verbatim:

```text
USER admin
331 Please specify the password.
PASS MyP@ssw0rd!
230 Login successful.
```

An attacker capturing these packets can immediately log in as that user, from anywhere, with no further exploit required.


### The Encryption Gap


The secure alternatives present a stark contrast:

| Protocol | Transport encryption | Authentication | Current adoption |
|----------|----------------------|----------------|------------------|
| FTP | None | Username and password sent in plaintext | About 50% of exposed servers |
| FTPS | TLS (explicit `AUTH TLS` upgrade on port 21, or implicit TLS on port 990) | Username and password inside the TLS session; client certificates optional | Less common |
| SFTP | SSH | SSH keys or password | Industry standard |
| HTTPS (REST APIs) | TLS | Various | Widespread |


Organizations deploying unencrypted FTP expose themselves not only to eavesdropping but also to man-in-the-middle (MITM) attacks, where an attacker intercepts and modifies file contents in transit or substitutes a file of their own; because neither FTP channel is authenticated or integrity-checked, the client has no way to notice.
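The two points above, what a capture of the control channel gives away and why the FTPS upgrade closes that gap, can be demonstrated in a few dozen lines. The following is an added example, not code from the original assessment: a Python parser that takes the TCP payloads of one control-channel session in wire order and extracts exactly what a passive eavesdropper learns, namely the username and password, the files transferred, and the passive-mode data endpoints announced in 227 replies. Both sample sessions are constructed for illustration, not real captures. The second session upgrades with `AUTH TLS`, and the parser stops at the server's 234 reply because everything after it is TLS records, which is precisely the difference between the first two rows of the table.

```python
"""Extract what a passive eavesdropper learns from one captured FTP control
channel (TCP/21) session: credentials, file names and passive-mode data
endpoints. A session that upgrades with AUTH TLS yields nothing after the
server's 234 reply, because every later byte on the wire is a TLS record."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample data (not a real capture): TCP segment payloads of one
# session in wire order, tagged 'C' (client->server) or 'S' (server->client).
PLAINTEXT_SESSION = [
    ("S", b"220 (vsFTPd 3.0.3)\r\n"),
    ("C", b"USER admin\r\n"),
    ("S", b"331 Please specify the password.\r\n"),
    ("C", b"PASS MyP@ss"),            # one command split across two segments
    ("C", b"w0rd!\r\n"),
    ("S", b"230 Login successful.\r\n"),
    ("C", b"PASV\r\n"),
    ("S", b"227 Entering Passive Mode (192,0,2,10,195,89).\r\n"),
    ("C", b"RETR payroll.xlsx\r\n"),
    ("S", b"150 Opening BINARY mode data connection for payroll.xlsx.\r\n"),
    ("S", b"226 Transfer complete.\r\n"),
]
TLS_SESSION = [
    ("S", b"220 (vsFTPd 3.0.3)\r\n"),
    ("C", b"AUTH TLS\r\n"),
    ("S", b"234 Proceed with negotiation.\r\n"),
    # from here on the wire carries TLS records (truncated ClientHello header)
    ("C", b"\x16\x03\x01\x00\xc2\x01\x00\x00\xbe\x03\x03"),
]

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass
class FtpSession:
    tls_negotiated: bool = False
    username: Optional[str] = None
    password: Optional[str] = None
    login_succeeded: bool = False
    files: List[Tuple[str, str]] = field(default_factory=list)          # (verb, path)
    data_endpoints: List[Tuple[str, int]] = field(default_factory=list)  # from 227 replies

    @property
    def credentials_exposed(self) -> bool:
        return self.password is not None and not self.tls_negotiated


def analyze_session(payloads) -> FtpSession:
    sess = FtpSession()
    buffers = {"C": b"", "S": b""}    # per-direction reassembly into CRLF lines
    last_cmd = None
    auth_requested = False
    for direction, chunk in payloads:
        if sess.tls_negotiated:
            break                      # opaque TLS records from here on
        buffers[direction] += chunk
        while b"\r\n" in buffers[direction]:
            line, _, buffers[direction] = buffers[direction].partition(b"\r\n")
            text = line.decode("utf-8", errors="replace")
            if direction == "C":
                verb, _, arg = text.partition(" ")
                verb = verb.upper()
                last_cmd = verb
                if verb == "USER":
                    sess.username = arg
                elif verb == "PASS":
                    sess.password = arg
                elif verb in ("RETR", "STOR", "STOU", "APPE"):
                    sess.files.append((verb, arg))
                elif verb == "AUTH" and arg.upper() in ("TLS", "SSL"):
                    auth_requested = True
            else:
                code = text[:3]
                if code == "234" and auth_requested:
                    sess.tls_negotiated = True
                    break
                if code == "230" and last_cmd in ("USER", "PASS"):
                    sess.login_succeeded = True
                elif code == "227":
                    m = PASV_RE.search(text)
                    if m:
                        h = m.groups()
                        sess.data_endpoints.append(
                            (".".join(h[:4]), int(h[4]) * 256 + int(h[5])))
    return sess


if __name__ == "__main__":
    for name, session in (("plaintext", PLAINTEXT_SESSION), ("ftps", TLS_SESSION)):
        s = analyze_session(session)
        print(name, "exposed" if s.credentials_exposed else "protected", s)
```

The per-direction buffering matters in practice: the password in the sample arrives split across two TCP segments, which is common on real links, and a naive per-packet grep for `PASS` would miss it. The data endpoint recovered from the 227 reply (`192.0.2.10:50009`) tells the eavesdropper which connection to follow to capture the file itself.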


## The Broader Picture


### Global Exposure Scale


The 3 million exposed unencrypted FTP servers represent a massive attack surface. Key findings include:


  • Geographic distribution: Unencrypted FTP servers are found globally, with significant concentrations in North America, Europe, and Asia
  • Sector prevalence: Manufacturing, utilities, healthcare, financial services, and retail all host exposed FTP infrastructure
  • Organizational size: Both small businesses and Fortune 500 companies operate unencrypted FTP servers accessible from the internet
  • Shodan visibility: Security researchers can identify these servers using Shodan, a search engine for internet-connected devices, making them trivial to locate

### Why This Persists


Several factors explain why organizations continue running unencrypted FTP at scale:


1. Migration complexity: Upgrading protocols in mature environments requires careful planning, testing, and coordination with every partner that exchanges files

2. Vendor support gaps: Some legacy applications and devices only support FTP natively

3. Organizational silos: Central IT may be unaware of FTP servers stood up by individual departments or vendors

4. False sense of security: A server that was "internal" when deployed can end up reachable from the internet through a firewall rule, a port forward, or a cloud migration, with nobody re-examining whether plaintext is still acceptable

5. Compliance misunderstanding: Organizations may meet the letter of a compliance checklist while missing the security practice it was meant to ensure


## Implications for Organizations


### Immediate Risks


Credential compromise: An attacker capturing FTP credentials gains direct access to the file repository behind them. Because these credentials are often reused across systems, they also enable lateral movement.


Data interception: Sensitive documents, source code, financial records, and intellectual property transmitted via unencrypted FTP can be captured and exfiltrated without ever touching the server itself.


Business continuity threats: Attackers could modify files in transit, causing data corruption or introducing malware into file transfers that downstream systems trust.


Compliance violations: Many regulatory and assurance frameworks (HIPAA, PCI DSS, GDPR, SOC 2) require or expect encryption for sensitive data in transit; moving regulated data over unencrypted FTP is difficult to defend in an audit.


### Ransomware and APT Vectors


Exposed FTP servers have become popular initial access vectors for ransomware operations and advanced persistent threats (APTs). A compromised FTP account provides:


  • A foothold inside the organization
  • Access to potentially sensitive data
  • Opportunities for reconnaissance
  • Staging ground for lateral movement

## Security Recommendations


### Immediate Actions


Organizations hosting any FTP servers should take these steps immediately:


1. Inventory all FTP servers: Conduct a comprehensive audit to identify every FTP server, both internal and accessible externally, including ones embedded in appliances and vendor-managed systems

2. Disable internet-facing FTP: If FTP is accessible from the internet, restrict access to VPN or internal networks only

3. Enable encryption: Deploy SFTP or FTPS on all FTP infrastructure, and configure FTPS servers to reject plaintext logins rather than merely offering TLS as an option

4. Rotate credentials: Change all FTP credentials, as they should be considered potentially compromised

5. Monitor access logs: Review FTP logs for logins from unexpected addresses, off-hours activity, and bulk downloads
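As an added example that is not part of the original report, the Python script below implements the check behind steps 1 to 3 for each host in an inventory: it opens the control channel, tests whether `AUTH TLS` is offered, and then tests on a fresh connection whether a plaintext `USER` command is still accepted. A server that answers 234 to `AUTH TLS` but 331 to a cleartext `USER` has TLS only as an option, which still exposes every client that does not upgrade; only a server that rejects the plaintext login counts as enforcing encryption. The fake server class, the `legacy`/`hardened` modes, and the probe username are constructed stand-ins so the script runs offline; run it only against hosts you are authorized to test, since the probe shows up in the server's logs.

```python
"""Audit check for an FTP inventory: does each server offer TLS (AUTH TLS ->
234) and does it still accept a plaintext login? Two connections per host so
the probe never sends a command in the clear after a TLS upgrade was agreed."""
import ftplib
import socketserver
import sys
import threading
from dataclasses import dataclass

PROBE_USER = "ftp-audit-probe"   # assumed placeholder; it will appear in server logs


@dataclass
class FtpAuditResult:
    host: str
    port: int
    banner: str
    auth_tls_code: str           # reply code to AUTH TLS
    plaintext_login_code: str    # reply code to a cleartext USER

    @property
    def verdict(self) -> str:
        tls_offered = self.auth_tls_code.startswith("2")
        plain_accepted = self.plaintext_login_code.startswith("3")   # 331: send PASS
        if plain_accepted and not tls_offered:
            return "PLAINTEXT_ONLY"      # every login crosses the wire in the clear
        if plain_accepted:
            return "TLS_OPTIONAL"        # TLS offered but plaintext logins still accepted
        if tls_offered:
            return "TLS_ENFORCED"
        return "LOGIN_REJECTED"          # no TLS and no plaintext login: inspect by hand


def _reply_code(ftp: ftplib.FTP, command: str) -> str:
    """Return the 3-digit reply code: ftplib returns 2xx/3xx replies and raises
    4xx/5xx ones as exceptions whose text is the reply line."""
    try:
        return ftp.sendcmd(command)[:3]
    except ftplib.Error as exc:
        return str(exc)[:3]


def audit_ftp(host: str, port: int = 21, timeout: float = 5.0) -> FtpAuditResult:
    ftp = ftplib.FTP()
    banner = ftp.connect(host, port, timeout=timeout)
    auth_code = _reply_code(ftp, "AUTH TLS")
    ftp.close()   # never QUIT in the clear once the server expects a TLS handshake
    ftp = ftplib.FTP()
    ftp.connect(host, port, timeout=timeout)
    login_code = _reply_code(ftp, f"USER {PROBE_USER}")
    try:
        ftp.quit()
    except (ftplib.Error, OSError, EOFError):
        ftp.close()
    return FtpAuditResult(host, port, banner, auth_code, login_code)


class FakeFtpHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in for offline testing: 'legacy' mimics a plaintext-only
    server, 'hardened' one that requires TLS before any login (vsftpd-style reply)."""
    mode = "legacy"

    def handle(self):
        self.wfile.write(b"220 fake-ftp ready\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            cmd = line.decode("utf-8", errors="replace").strip().upper()
            if cmd.startswith("QUIT"):
                self.wfile.write(b"221 Goodbye.\r\n")
                return
            if cmd.startswith("AUTH"):
                if self.mode == "hardened":
                    self.wfile.write(b"234 Proceed with negotiation.\r\n")
                    return           # a real server would now run the TLS handshake
                self.wfile.write(b"500 Unknown command.\r\n")
            elif cmd.startswith("USER"):
                if self.mode == "hardened":
                    self.wfile.write(b"530 Non-anonymous sessions must use encryption.\r\n")
                else:
                    self.wfile.write(b"331 Please specify the password.\r\n")
            else:
                self.wfile.write(b"502 Command not implemented.\r\n")


def start_fake_server(mode: str) -> socketserver.ThreadingTCPServer:
    handler = type("Handler", (FakeFtpHandler,), {"mode": mode})
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    targets = sys.argv[1:]           # host:port entries from your inventory
    fakes = []
    if not targets:                  # no hosts given: demonstrate against the fakes
        for mode in ("legacy", "hardened"):
            srv = start_fake_server(mode)
            fakes.append(srv)
            targets.append(f"127.0.0.1:{srv.server_address[1]}")
    for target in targets:
        host, _, port = target.partition(":")
        r = audit_ftp(host, int(port or 21))
        print(f"{r.host}:{r.port} {r.verdict} banner={r.banner!r}")
    for srv in fakes:
        srv.shutdown()
```

Run with no arguments it audits the two built-in fakes and reports `PLAINTEXT_ONLY` and `TLS_ENFORCED`; with `host:port` arguments it audits your own servers. A `TLS_OPTIONAL` verdict is the one most often overlooked: the server has a certificate and advertises TLS, yet a client or script that was never reconfigured still sends its password in the clear, so the remediation is to require TLS server-side, not just to enable it.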


### Long-Term Strategy


  • Migrate to SFTP: Transition workloads from FTP to SFTP (which operates over SSH on port 22)
  • Evaluate modern alternatives: Consider RESTful APIs with HTTPS, cloud storage solutions, or managed file transfer platforms
  • Implement network segmentation: Restrict FTP access to specific subnets or VLANs
  • Deploy endpoint detection and response (EDR): Monitor systems for suspicious file access patterns
  • Enforce multi-factor authentication: Plain FTP has no mechanism for a second factor; SFTP can require one through SSH (for example, a key plus a keyboard-interactive prompt), and managed file transfer platforms typically support MFA natively

### For Security Teams


  • Scan your organization's IP ranges for FTP servers using Shodan, a similar internet-wide index, or your own sweep of TCP port 21 (and 990 for implicit FTPS) with a tool such as nmap
  • Establish a policy requiring encryption for all file transfer protocols
  • Include FTP security in incident response plans
  • Monitor the dark web for leaked credentials associated with your organization's FTP accounts
  • Conduct regular penetration testing of file transfer infrastructure

## What This Means Moving Forward


The persistence of unencrypted FTP at this scale represents a critical gap between known threats and organizational action. While the technology to secure file transfers has existed for decades, adoption gaps persist due to legacy constraints, organizational inertia, and competing priorities.


However, the direction is clear: security teams must treat unencrypted FTP as a legacy protocol requiring immediate remediation, not as acceptable standard practice. With 3 million exposed servers, each a potential source of leaked credentials and data, the business case for migration has never been stronger.


Organizations should view this as an urgent call to action. Encrypting file transfer protocols is not a future optimization; it is a present-day security imperative.