Synology MailPlus Server Flaws Can Let Attackers Read Files, Modify Files, and Trigger DoS Attacks


Synology has fixed three vulnerabilities in MailPlus Server that could let attackers disrupt mail services, read or write arbitrary files, or access internal services on affected NAS systems.

The company published Synology-SA-26:11 on June 26, 2026, and marked the advisory as critical and resolved. The most serious flaw, CVE-2026-13136, has a CVSS score of 10.0.

The issue matters because MailPlus Server is used to run private email infrastructure on Synology NAS devices. A vulnerable mail server can affect business email availability, stored data, and internal network services.

Three Synology MailPlus Server vulnerabilities were fixed

The update addresses CVE-2026-13136, CVE-2025-15660, and CVE-2026-13135. Two are rated critical, while the third is rated moderate.

According to Help Net Security, the vulnerabilities affect MailPlus Server deployments running on DSM 7.3, DSM 7.2.2, and DSM 7.2.1. The publication also noted that technical details remain limited.

Synology says there is no mitigation for the flaws. The only listed fix is to upgrade MailPlus Server to the patched version for the DSM branch in use.

CVE | Severity | CVSS score | Attack condition | Possible impact
CVE-2026-13136 | Critical | 10.0 | Remote attacker, no authentication required | Read or write arbitrary files and conduct denial-of-service attacks
CVE-2025-15660 | Critical | 9.6 | Adjacent attacker, no authentication required | Read or write arbitrary files and conduct denial-of-service attacks
CVE-2026-13135 | Moderate | 5.3 | Remote attacker | Access internal services

CVE-2026-13136 is the highest-risk flaw

CVE-2026-13136 is the most severe issue in the advisory. Synology links it to incorrect authorization, which means the software failed to properly enforce access controls in an affected component.

The CVSS vector shows network attack access, low attack complexity, no privileges required, and no user interaction required. That combination makes the flaw urgent for administrators, especially when MailPlus Server is reachable from untrusted networks.

A successful attack could affect confidentiality, integrity, and availability at the same time. In plain terms, an attacker could read files, modify files, or force a service outage.

CVE-2025-15660 requires adjacent network access

CVE-2025-15660 is also critical, but it has a different exposure profile. Synology says the flaw allows adjacent attackers to read or write arbitrary files and conduct denial-of-service attacks.

Adjacent access (CVSS attack vector AV:A) means the attack must originate from the same shared physical or logical network as the target, such as the same LAN, Wi-Fi network or IP subnet, rather than from anywhere on the internet. That makes it different from a fully remote attack, but it still creates serious risk in shared offices, on compromised internal networks, or in poorly segmented environments where an attacker has already gained a foothold next to the NAS.

The flaw is linked to the use of a cryptographically weak pseudo-random number generator. Synology credits gcali working with Trend Micro’s Zero Day Initiative for the related report.

CVE-2026-13135 can expose internal services

CVE-2026-13135 is rated moderate with a CVSS score of 5.3. It does not carry the same immediate impact as the two file-read and file-write vulnerabilities, but administrators should not ignore it.

The vulnerability can allow remote attackers to access internal services because of improper restriction of a communication channel. In a real attack, access to internal services can help attackers map systems or support follow-on activity.

Synology credits ABBA Labs for reporting one of the issues, while the advisory also references ZDI-CAN-28485 for CVE-2026-13135.

DSM version | Affected package | Fixed version
DSM 7.3 | Synology MailPlus Server | Upgrade to 4.0.1-31663 or later
DSM 7.2.2 | Synology MailPlus Server | Upgrade to 4.0.1-21663 or later
DSM 7.2.1 | Synology MailPlus Server | Upgrade to 4.0.1-21663 or later

No workaround is available

The key operational detail is simple: Synology lists no mitigation. Administrators need to install the fixed MailPlus Server package instead of relying on a temporary configuration change.

The official Synology advisory lists MailPlus Server 4.0.1-31663 or later for DSM 7.3, and MailPlus Server 4.0.1-21663 or later for DSM 7.2.2 and DSM 7.2.1.

Organizations that expose MailPlus Server to the internet should patch first, then review access controls and logs. Systems used for business email deserve priority because downtime or file tampering can disrupt daily operations quickly.

  • Upgrade MailPlus Server to the fixed version for your DSM branch.
  • Confirm that all internet-facing Synology NAS devices have received the package update.
  • Restrict external access to MailPlus Server where possible.
  • Review firewall, VPN, and reverse proxy rules that expose mail services.
  • Check logs for unusual access, failed requests, or unexpected file activity.
  • Segment NAS devices away from general user networks.
  • Back up mail data before making major configuration changes.

Internet-facing MailPlus deployments increase the risk

Mail servers often need external connectivity, which can increase exposure when a critical package vulnerability appears. Businesses using Synology MailPlus for private email should verify whether their NAS is reachable from the public internet.

Help Net Security reported that Bitsight’s Groma Explorer scanning engine saw more than 2,100 internet-facing Synology MailPlus Server deployments, with many observed in Germany, Asia, and the United States.

That does not mean every exposed server is vulnerable, but it shows why administrators should not delay the update. Publicly reachable mail infrastructure gives attackers an easier place to test newly disclosed flaws.

Administrators should verify the update, not just DSM

One common mistake is assuming that updating DSM alone updates every package. MailPlus Server is a package, so administrators should confirm the MailPlus Server version directly inside Package Center.
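The version string shown in Package Center is what has to be checked against the advisory table, and it has to be compared field by field (a plain string comparison would rank 4.0.1-9999 above 4.0.1-21663). The following added example, which is not Synology's code, does that comparison for the fixed builds listed in Synology-SA-26:11. It can be run on any workstation with the version string copied from Package Center; the on-device paths in main() (the package INFO file under /var/packages and the package id "MailPlus-Server") and the sample INFO text are assumptions and constructed data, not values taken from a real device.

```python
"""Added example (not Synology's code): decide whether an installed MailPlus
Server build is at or above the fixed build for its DSM branch, as listed in
Synology-SA-26:11. Paths, package id and the sample INFO text are assumptions."""
from __future__ import annotations

import re
from pathlib import Path

# Fixed builds per DSM branch, taken from the advisory table.
FIXED_BUILDS = {
    "7.3": "4.0.1-31663",
    "7.2.2": "4.0.1-21663",
    "7.2.1": "4.0.1-21663",
}

# Synology package versions are MAJOR.MINOR.PATCH-BUILD, e.g. 4.0.1-21663.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")

# Constructed sample of a package INFO file (key="value" lines); not from a real NAS.
SAMPLE_INFO = (
    'package="MailPlus-Server"\n'
    'version="4.0.1-21662"\n'
    'displayname="Synology MailPlus Server"\n'
)


def parse_version(version: str) -> tuple[int, int, int, int]:
    """Parse a package version into integers so it compares numerically."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Synology package version: {version!r}")
    major, minor, patch, build = (int(g) for g in m.groups())
    return major, minor, patch, build


def fixed_build_for_dsm(dsm_version: str) -> str | None:
    """Map a DSM version such as '7.2.2' or '7.3-xxxxx' to the advisory's fixed
    build, or None if the branch is not one the advisory lists. DSM 7.3.x is
    treated as the 7.3 branch (assumption)."""
    dsm = dsm_version.strip()
    for branch in sorted(FIXED_BUILDS, key=len, reverse=True):  # most specific first
        rest = dsm[len(branch):]
        if dsm.startswith(branch) and (rest == "" or rest[0] in "-."):
            return FIXED_BUILDS[branch]
    return None


def is_patched(installed: str, dsm_version: str) -> bool:
    """True when the installed build is at or above the advisory's fixed build."""
    fixed = fixed_build_for_dsm(dsm_version)
    if fixed is None:
        raise ValueError(f"DSM {dsm_version!r} is not a branch covered by Synology-SA-26:11")
    return parse_version(installed) >= parse_version(fixed)


def version_from_info(info_text: str) -> str | None:
    """Extract version="..." from a Synology package INFO file."""
    for line in info_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            return value.strip().strip('"')
    return None


if __name__ == "__main__":
    # Assumed on-device location when run over SSH on the NAS; falls back to the
    # constructed sample so the script also runs on a workstation.
    info_path = Path("/var/packages/MailPlus-Server/INFO")
    installed = version_from_info(info_path.read_text()) if info_path.is_file() \
        else version_from_info(SAMPLE_INFO)
    dsm = "7.2.2"  # replace with the DSM version shown in Control Panel > Info Center
    state = "patched" if is_patched(installed, dsm) else "VULNERABLE, update needed"
    print(f"MailPlus Server {installed} on DSM {dsm}: {state}")
```

Note that the same build number has a different verdict per branch: 4.0.1-21663 is the fix on DSM 7.2.1 and 7.2.2 but is still below the 4.0.1-31663 required on DSM 7.3, so the DSM branch must be passed in alongside the package version.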

Teams should also document which Synology devices run mail services. Smaller businesses often keep NAS devices outside standard server inventory, which can delay patching during urgent security events.

After applying the update, administrators should restart services if required, test mail delivery, and verify that users can still send and receive messages. They should also confirm that firewall rules still match the intended exposure model.

FAQ

What is Synology-SA-26:11?

Synology-SA-26:11 is Synology’s June 2026 security advisory for MailPlus Server. It fixes three vulnerabilities that can allow denial-of-service attacks, arbitrary file read or write actions, and internal service access.

Which Synology MailPlus Server versions need updating?

MailPlus Server on DSM 7.3, DSM 7.2.2, and DSM 7.2.1 needs updating if it is below the fixed versions. DSM 7.3 users should install 4.0.1-31663 or later. DSM 7.2.2 and DSM 7.2.1 users should install 4.0.1-21663 or later.

Is there a workaround for the Synology MailPlus Server vulnerabilities?

No. Synology lists no mitigation for these vulnerabilities. Administrators should install the fixed MailPlus Server package as soon as possible.

What is the most serious Synology MailPlus Server vulnerability?

CVE-2026-13136 is the most serious flaw. It has a CVSS score of 10.0 and can allow remote attackers to read or write arbitrary files and conduct denial-of-service attacks.

What should administrators do after patching MailPlus Server?

Administrators should verify the installed MailPlus Server version, review logs for suspicious activity, restrict external access where possible, check firewall rules, and make sure NAS devices are included in future patch management workflows.
