Synology DiskStation DS925+ MailPlus Vulnerability Allows Unauthenticated Redis Access
A vulnerability in Synology's DiskStation DS925+ MailPlus allows network-adjacent attackers to access the Redis instance without authentication, potentially leading to code execution.

The Zero Day Initiative (ZDI) has disclosed a critical vulnerability, tracked as ZDI-26-424 and CVE-2026-13135, affecting Synology DiskStation DS925+ devices running the MailPlus application. This flaw permits network-adjacent attackers to gain unauthenticated access to the device's Redis instance, a key-value store often used for caching and session management.
The vulnerability stems from an improper restriction of communication channel to intended endpoints, specifically related to the configuration of MailPlus's firewall rules. The issue arises from the Redis instance being inadvertently exposed over IPv6. By exploiting this exposure, an attacker can bypass authentication mechanisms and interact directly with the Redis database.
While the direct impact of accessing the Redis instance without authentication is significant, the true danger lies in its potential to be chained with other vulnerabilities. Successful exploitation could allow an attacker to execute arbitrary code on the affected Synology device with root privileges. This level of access would grant an attacker complete control over the device, enabling data theft, further network compromise, or the deployment of malicious software.
The Zero Day Initiative has assigned this vulnerability a CVSS score of 4.3, classifying it as moderate severity. However, the potential for privilege escalation and arbitrary code execution when combined with other exploits elevates the practical risk for organizations utilizing these devices.
Synology has acknowledged the vulnerability and has released security updates to address the issue. Users are strongly advised to apply the available patches promptly to mitigate the risk. The company's security advisory, Synology SA_26_11, provides further details on the affected versions and the remediation steps.
The disclosure timeline indicates that the vulnerability was initially reported to Synology on December 4, 2025. Following a coordinated disclosure process, the advisory was publicly released on July 15, 2026, with an update to the advisory on the same day. The research leading to the discovery of this flaw is credited to gcali.
This incident underscores the importance of regularly updating network-attached storage (NAS) devices and their associated applications, as these systems often store sensitive data and can serve as entry points into corporate networks if compromised. Proper network segmentation and firewall configuration are also crucial to prevent unauthorized access to internal services like Redis.
Organizations using Synology DiskStation DS925+ devices with MailPlus should prioritize applying the security update. A thorough review of network configurations, particularly IPv6 exposure of internal services, is also recommended to prevent similar vulnerabilities from being exploited.
The Zero Day Initiative advisory ZDI-26-423 provides further technical details on the Synology DiskStation DS925+ MailPlus vulnerability, specifically highlighting the weak cryptography used for password storage within the Redis instance. This advisory confirms that an attacker can exploit this flaw to execute arbitrary code in the context of root, and notes that authentication is not required for exploitation. Synology has since released an update to address this issue, detailed in their security advisory SA 26-11.