Synology MailPlus Server Flaws Can Let Attackers Read Files, Modify Files, and Trigger DoS Attacks
Synology has fixed three vulnerabilities in MailPlus Server that could let attackers disrupt mail services, read or write arbitrary files, or access internal services on affected NAS systems.
The company published Synology-SA-26:11 on June 26, 2026, and marked the advisory as critical and resolved. The most serious flaw, CVE-2026-13136, has a CVSS score of 10.0.
The issue matters because MailPlus Server is used to run private email infrastructure on Synology NAS devices. A vulnerable mail server can affect business email availability, stored data, and internal network services.
Three Synology MailPlus Server vulnerabilities were fixed
The update addresses CVE-2026-13136, CVE-2025-15660, and CVE-2026-13135. Two are rated critical, while the third is rated moderate.
According to Help Net Security, the vulnerabilities affect MailPlus Server deployments running on DSM 7.3, DSM 7.2.2, and DSM 7.2.1. The publication also noted that technical details remain limited.
Synology says there is no mitigation for the flaws. The only listed fix is to upgrade MailPlus Server to the patched version for the DSM branch in use.
| CVE | Severity | CVSS score | Attack condition | Possible impact |
|---|---|---|---|---|
| CVE-2026-13136 | Critical | 10.0 | Remote attacker, no authentication required | Read or write arbitrary files and conduct denial-of-service attacks |
| CVE-2025-15660 | Critical | 9.6 | Adjacent attacker, no authentication required | Read or write arbitrary files and conduct denial-of-service attacks |
| CVE-2026-13135 | Moderate | 5.3 | Remote attacker | Access internal services |
CVE-2026-13136 is the highest-risk flaw
CVE-2026-13136 is the most severe issue in the advisory. Synology links it to incorrect authorization, which means the software failed to properly enforce access controls in an affected component.
The CVSS vector shows a network attack vector, low attack complexity, no privileges required, and no user interaction required. That combination makes the flaw urgent for administrators, especially when MailPlus Server is reachable from untrusted networks.
A successful attack could affect confidentiality, integrity, and availability at the same time. In plain terms, an attacker could read files, modify files, or force a service outage.
CVE-2025-15660 requires adjacent network access
CVE-2025-15660 is also critical, but it has a different exposure profile. Synology says the flaw allows adjacent attackers to read or write arbitrary files and conduct denial-of-service attacks.
Adjacent access usually means the attacker must be on the same network segment or in a nearby network position. That makes it different from a fully remote attack across the internet, but it still creates serious risk in shared offices, compromised internal networks, or poorly segmented environments.
The flaw is linked to the use of a cryptographically weak pseudo-random number generator. Synology credits gcali working with Trend Micro’s Zero Day Initiative for the related report.
CVE-2026-13135 can expose internal services
CVE-2026-13135 is rated moderate with a CVSS score of 5.3. It does not carry the same immediate impact as the two file-read and file-write vulnerabilities, but administrators should not ignore it.
The vulnerability can allow remote attackers to access internal services because of improper restriction of a communication channel. In a real attack, access to internal services can help attackers map systems or support follow-on activity.
Synology credits ABBA Labs for reporting one of the issues, while the advisory also references ZDI-CAN-28485 for CVE-2026-13135.
| DSM version | Affected package | Fixed version |
|---|---|---|
| DSM 7.3 | Synology MailPlus Server | Upgrade to 4.0.1-31663 or later |
| DSM 7.2.2 | Synology MailPlus Server | Upgrade to 4.0.1-21663 or later |
| DSM 7.2.1 | Synology MailPlus Server | Upgrade to 4.0.1-21663 or later |
No workaround is available
The key operational detail is simple: Synology lists no mitigation. Administrators need to install the fixed MailPlus Server package instead of relying on a temporary configuration change.
The official Synology advisory lists MailPlus Server 4.0.1-31663 or later for DSM 7.3, and MailPlus Server 4.0.1-21663 or later for DSM 7.2.2 and DSM 7.2.1.
Organizations that expose MailPlus Server to the internet should patch first, then review access controls and logs. Systems used for business email deserve priority because downtime or file tampering can disrupt daily operations quickly.
- Upgrade MailPlus Server to the fixed version for your DSM branch.
- Confirm that all internet-facing Synology NAS devices have received the package update.
- Restrict external access to MailPlus Server where possible.
- Review firewall, VPN, and reverse proxy rules that expose mail services.
- Check logs for unusual access, failed requests, or unexpected file activity.
- Segment NAS devices away from general user networks.
- Back up mail data before making major configuration changes.
Internet-facing MailPlus deployments increase the risk
Mail servers often need external connectivity, which can increase exposure when a critical package vulnerability appears. Businesses using Synology MailPlus for private email should verify whether their NAS is reachable from the public internet.
Help Net Security reported that Bitsight’s Groma Explorer scanning engine saw more than 2,100 internet-facing Synology MailPlus Server deployments, with many observed in Germany, Asia, and the United States.
That does not mean every exposed server is vulnerable, but it shows why administrators should not delay the update. Publicly reachable mail infrastructure gives attackers an easier place to test newly disclosed flaws.
Administrators should verify the update, not just DSM
One common mistake is assuming that updating DSM alone updates every package. MailPlus Server is a package, so administrators should confirm the MailPlus Server version directly inside Package Center.
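The version check that the patching checklist above and this section both come down to, written out as an added example rather than anything Synology ships: a small Python script that parses the package's INFO metadata, compares the installed MailPlus Server version against the fixed version for the DSM branch, and reports whether the NAS still needs the update. The INFO path (/var/packages/MailPlus-Server/INFO), the key="value" layout of that file, and the DSM version string the caller supplies are assumptions; the sample INFO content is constructed for the demonstration.

```python
"""Check an installed Synology MailPlus Server version against Synology-SA-26:11.

Added example, not Synology tooling. Assumptions: the package metadata lives at
/var/packages/MailPlus-Server/INFO (path is an assumption) as key="value" lines
including version="..."; the caller supplies the DSM version string (for
instance from /etc.defaults/VERSION, also an assumption).
"""
import os
import re
from typing import Dict, Tuple

# Fixed versions taken from the advisory, keyed by DSM branch.
FIXED_VERSIONS = {
    "7.3": "4.0.1-31663",
    "7.2.2": "4.0.1-21663",
    "7.2.1": "4.0.1-21663",
}

INFO_PATH = "/var/packages/MailPlus-Server/INFO"  # assumed location

# Constructed sample INFO content in the key="value" format Synology packages use.
SAMPLE_INFO = '''package="MailPlus-Server"
displayname="Synology MailPlus Server"
version="4.0.1-21659"
os_min_ver="7.2.1-69057"
'''


def parse_info(text: str) -> Dict[str, str]:
    """Parse key="value" lines into a dict; malformed lines are ignored."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r'^\s*([A-Za-z0-9_]+)\s*=\s*"(.*)"\s*$', line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.0.1-31663' into (4, 0, 1, 31663) so tuples compare numerically."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)-(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised package version: {version!r}")
    return tuple(int(p) for p in m.group(1).split(".")) + (int(m.group(2)),)


def dsm_branch(dsm_version: str) -> str:
    """Map a DSM version string such as '7.2.2-72806' or '7.3' to the advisory's branch key."""
    base = dsm_version.split("-", 1)[0]
    parts = base.split(".")
    # The advisory lists DSM 7.3 as one branch but 7.2.x per patch level.
    if parts[:2] == ["7", "3"]:
        return "7.3"
    if len(parts) >= 3:
        return ".".join(parts[:3])
    return base


def needs_update(installed: str, dsm_version: str) -> bool:
    """True when the installed MailPlus Server is below the fixed version for this DSM branch."""
    branch = dsm_branch(dsm_version)
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        raise KeyError(f"DSM branch {branch!r} is not listed in Synology-SA-26:11")
    return parse_version(installed) < parse_version(fixed)


def check_info(info_text: str, dsm_version: str) -> Dict[str, object]:
    """Combine the INFO parse and the comparison into one report for the operator."""
    fields = parse_info(info_text)
    installed = fields.get("version")
    if installed is None:
        raise ValueError("INFO content has no version field")
    return {
        "installed": installed,
        "fixed": FIXED_VERSIONS[dsm_branch(dsm_version)],
        "needs_update": needs_update(installed, dsm_version),
    }


if __name__ == "__main__":
    # Use the real INFO file when run on a NAS; fall back to the constructed sample.
    if os.path.exists(INFO_PATH):
        with open(INFO_PATH, encoding="utf-8") as fh:
            info_text = fh.read()
    else:
        info_text = SAMPLE_INFO
    report = check_info(info_text, "7.2.1-69057")  # DSM version supplied by the operator
    state = "NEEDS UPDATE" if report["needs_update"] else "patched"
    print(f"MailPlus Server {report['installed']} (fixed: {report['fixed']}): {state}")
```

The comparison is done on the parsed tuple rather than on the raw string because the build number after the hyphen is what distinguishes 4.0.1-21659 from 4.0.1-21663, and a plain string sort would also misorder builds of differing length. Run on a NAS over SSH the script reads the real INFO file; anywhere else it evaluates the constructed sample, which is below the DSM 7.2.1 fixed version and therefore reports that an update is needed.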
Teams should also document which Synology devices run mail services. Smaller businesses often keep NAS devices outside standard server inventory, which can delay patching during urgent security events.
After applying the update, administrators should restart services if required, test mail delivery, and verify that users can still send and receive messages. They should also confirm that firewall rules still match the intended exposure model.
FAQ
Synology-SA-26:11 is Synology’s June 2026 security advisory for MailPlus Server. It fixes three vulnerabilities that can allow denial-of-service attacks, arbitrary file read or write actions, and internal service access.
MailPlus Server on DSM 7.3, DSM 7.2.2, and DSM 7.2.1 needs updating if it is below the fixed versions. DSM 7.3 users should install 4.0.1-31663 or later. DSM 7.2.2 and DSM 7.2.1 users should install 4.0.1-21663 or later.
No. Synology lists no mitigation for these vulnerabilities. Administrators should install the fixed MailPlus Server package as soon as possible.
CVE-2026-13136 is the most serious flaw. It has a CVSS score of 10.0 and can allow remote attackers to read or write arbitrary files and conduct denial-of-service attacks.
Administrators should verify the installed MailPlus Server version, review logs for suspicious activity, restrict external access where possible, check firewall rules, and make sure NAS devices are included in future patch management workflows.