VYPR · patch · Published Jun 26, 2026 · 1 source

Synology Patches Critical MailPlus Server Vulnerabilities Allowing Remote File Access and DoS

Synology released a critical update for MailPlus Server, fixing three vulnerabilities, including flaws that could let remote attackers read or write arbitrary files and reach internal services.

Synology has released a critical security update for MailPlus Server, a software package that enables private email infrastructure on Synology NAS devices. The update addresses three vulnerabilities, two of which are rated critical and could allow remote attackers to compromise the confidentiality and availability of affected systems.

The most severe flaw, CVE-2026-13136, stems from faulty authorization checks in MailPlus Server. It could allow remote attackers to read or write arbitrary files on the NAS device and conduct denial-of-service (DoS) attacks. The second critical issue, CVE-2026-13135, is caused by improper restriction of communication channels to intended endpoints, potentially enabling remote attackers to access internal services that should be isolated. The third vulnerability, CVE-2025-15660, arises from the use of a cryptographically weak pseudo-random number generator, which could allow attackers on an adjacent network to read or write arbitrary files and conduct DoS attacks.

Technical details of the vulnerabilities have not been published, but Synology has urged users to upgrade to MailPlus Server version 4.0.1-31663 immediately. The affected releases run on DiskStation Manager (DSM) 7.3, 7.2.2, or 7.2.1. No mitigations are available for the fixed issues, so patching is the only effective defense.
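Because the only defense is the version upgrade, the practical check is whether each NAS already runs a MailPlus Server build at or above 4.0.1-31663. The script below is an added example, not Synology's tooling or part of the advisory: it parses Synology's `<major>.<minor>.<patch>-<build>` package version strings, compares them against the fixed build named above, and flags installs whose DSM release is one of the listed branches. The hostnames and version strings in the sample inventory are constructed; the version value itself would come from Package Center or an inventory export.

```python
"""
Added check (not Synology's tooling): decide whether a MailPlus Server install
is older than the fixed build named in the advisory and therefore needs the
update. Version strings use Synology's "<major>.<minor>.<patch>-<build>" form.
"""
import re
from typing import NamedTuple

FIXED_MAILPLUS = "4.0.1-31663"            # fixed release from the advisory
AFFECTED_DSM = ("7.3", "7.2.2", "7.2.1")  # DSM branches the advisory lists

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


class PkgVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    build: int          # tuple ordering makes the build number the tie-breaker


def parse_version(text: str) -> PkgVersion:
    """Parse '4.0.1-31663' into comparable integer fields."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Synology package version: {text!r}")
    return PkgVersion(*(int(g) for g in m.groups()))


def dsm_release(dsm_version: str) -> str:
    """'7.2.2-72806 Update 3' -> '7.2.2' (drop build number and update suffix)."""
    return dsm_version.strip().split()[0].split("-", 1)[0]


def dsm_is_affected(dsm_version: str) -> bool:
    """True if the DSM release is one of the branches named in the advisory."""
    rel = dsm_release(dsm_version)
    return any(rel == b or rel.startswith(b + ".") for b in AFFECTED_DSM)


def assess(mailplus_version: str, dsm_version: str) -> dict:
    """Compare an installed MailPlus Server build against the fixed build."""
    installed = parse_version(mailplus_version)
    fixed = parse_version(FIXED_MAILPLUS)
    below_fix = installed < fixed
    on_affected_dsm = dsm_is_affected(dsm_version)
    if not below_fix:
        status = "patched"
    elif on_affected_dsm:
        status = "update required"
    else:
        status = "older than fixed build, DSM branch not listed; confirm with vendor"
    return {
        "mailplus": mailplus_version,
        "dsm": dsm_release(dsm_version),
        "below_fixed_build": below_fix,
        "dsm_listed_as_affected": on_affected_dsm,
        "needs_patch": below_fix and on_affected_dsm,
        "status": status,
    }


# Constructed sample inventory: hostnames and version strings are made up.
SAMPLE_INVENTORY = [
    ("nas-berlin-01", "4.0.0-31600", "7.2.2-72806 Update 3"),
    ("nas-seoul-02", "4.0.1-31663", "7.3-81234"),
    ("nas-lab-legacy", "3.9.0-30000", "7.1.1-42962"),
]

if __name__ == "__main__":
    for host, mp, dsm in SAMPLE_INVENTORY:
        r = assess(mp, dsm)
        print(f"{host:16} MailPlus {mp:13} DSM {r['dsm']:6} -> {r['status']}")
```

The comparison is done on integer fields rather than on the raw string, so a build such as 4.0.1-31700 sorts correctly above 4.0.1-31663 and a malformed version string raises instead of silently passing as "patched". Installs on DSM releases the advisory does not name are reported separately rather than cleared, since the advisory says nothing about them.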

According to Bitsight's Groma Explorer scanning engine, over 2,100 internet-facing Synology MailPlus Server deployments are exposed, predominantly in Germany, Asia (Korea, China, Taiwan), and the United States. These deployments are often used by small-to-medium businesses that rely on self-hosted email for privacy, cost control, or compliance reasons. The exposure puts these organizations at risk if patches are not applied promptly.

Synology has not reported any active exploitation of these vulnerabilities in the wild, but the critical nature of the flaws and the number of exposed instances make them prime targets for attackers. Users are advised to apply the update as soon as possible to prevent potential breaches.

This patch follows a trend of critical vulnerabilities in self-hosted email servers, which are attractive targets due to the sensitive data they handle. Synology's proactive release of a fix underscores the importance of maintaining up-to-date software on network-attached storage devices.

Synthesized by Vypr AI