Wednesday, June 3 2026

Censys Warns, 6 Million FTP Servers Still Exposed in 2026

An April 2026 report from security expert Himaja Motheram at Censys says that nearly 6 million internet-connected hosts still use the File Transfer Protocol (FTP). That is a 40% drop from the 10.1 million servers seen in 2024, but the old protocol still carries risk because many users keep insecure default settings.

The Censys report shows that in 2026 the main source of FTP exposure is not specialized file transfer systems but default settings on shared hosting and broadband networks.


The State of Encryption and Regional Risks

On how well these servers are protected, the data is mixed. Censys found that about 58.9% of checked FTP hosts completed a Transport Layer Security (TLS) handshake, which means they allow secure connections.

This means about 2.45 million hosts show no evidence of encryption, which may let them send files and passwords in plain text. Encryption use also varies by region. Censys data shows that mainland China and South Korea have the lowest rates of TLS use among the top 10 hosting countries, with rates of 17.9% and 14.5%, respectively.

Japan accounts for 71% of all FTP servers in the world that still use old encryption methods like TLS 1.0 and 1.1. The safety of these 6 million servers is greatly affected by the default settings of the software that runs them.

Figure: 2.35 Million FTP Services With No Evidence of TLS (Source: Censys)

Organizations should consider the following mitigation strategies:

Migrate to Secure Alternatives: Whenever possible, replace FTP with SSH File Transfer Protocol (SFTP), which encrypts credentials and data by default over port 22.
Enforce Explicit TLS: If legacy FTP infrastructure must remain online, administrators should configure their daemons to enforce Explicit TLS (FTPS) and refuse cleartext connections.
Fix IIS Certificate Bindings: Windows Server administrators using IIS FTP must ensure that a valid certificate is bound to the FTP site and verify that the SSL policy actively enforces encryption.
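
To check whether a server you administer actually enforces Explicit TLS, the following added example (not code from Censys or from this article) classifies a host by its replies to `AUTH TLS` and to a cleartext `USER` command. It assumes a `234` reply is enough evidence of TLS support and does not complete the handshake; the user name `tls-audit` and the sample replies are constructed placeholders.

```python
import socket

def read_reply(f) -> str:
    """Read one FTP reply; the final line is 'NNN<space>text' ('NNN-' continues)."""
    lines = []
    while True:
        line = f.readline().decode("latin-1")
        lines.append(line)
        if not line or (line[:3].isdigit() and line[3:4] == " "):
            return "".join(lines)

def reply_code(reply: str) -> int:
    """Return the three-digit code from the final line of a reply."""
    for line in reversed(reply.strip().splitlines()):
        if len(line) >= 3 and line[:3].isdigit() and line[3:4] in ("", " "):
            return int(line[:3])
    raise ValueError("no FTP reply code found")

def classify(auth_reply: str, user_reply: str) -> str:
    """auth_reply: answer to AUTH TLS; user_reply: answer to a cleartext USER."""
    if reply_code(auth_reply) != 234:              # 234 = ready to negotiate TLS
        return "no-tls"
    if reply_code(user_reply) in (230, 331, 332):  # login proceeds in the clear
        return "tls-optional"
    return "tls-enforced"                          # cleartext USER was refused

def ask(host: str, command: str, port: int = 21, timeout: float = 5.0) -> str:
    """Send one command on a fresh cleartext control connection."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rwb")
        read_reply(f)                              # discard the 220 banner
        f.write(command.encode("ascii") + b"\r\n")
        f.flush()
        return read_reply(f)

def audit(host: str) -> str:
    # "tls-audit" is a placeholder user name; no password is ever sent.
    return classify(ask(host, "AUTH TLS"), ask(host, "USER tls-audit"))

# Constructed reply pairs: (AUTH TLS reply, cleartext USER reply).
SAMPLES = {
    "enforced": ("234 Proceed with negotiation.\r\n",
                 "530 Non-anonymous sessions must use encryption.\r\n"),
    "optional": ("234 AUTH TLS successful\r\n", "331 Password required\r\n"),
    "cleartext-only": ("500 AUTH not understood\r\n", "331 Please specify the password.\r\n"),
}

if __name__ == "__main__":
    for name, (auth, user) in SAMPLES.items():
        print(name, "->", classify(auth, user))
```

A result of `tls-optional` means the daemon offers FTPS but still accepts cleartext logins, which is the configuration the second mitigation above is meant to eliminate.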

Ultimately, while the internet’s reliance on FTP is slowly shrinking, millions of instances continue to run quietly in the background.

Censys warns that the main risk is not complex zero-day attacks but the simple problem of default settings that are never updated, which leaves systems too open.
