The remote host is configured with default or easily-guessed credentials.
The remote host is running a version of the Serv-U FTP Server that has an hidden default administration account. This account is reported to be hard-coded but it can be used only from the loopback interface. It may permit a local attacker to log into the site maintenance interface.
No solution is known at this time.