
Synology patches critical MailPlus Server security flaws

Summary

– Synology fixed three critical vulnerabilities in MailPlus Server, affecting NAS devices running DiskStation Manager v7.3, 7.2.2, or 7.2.1.
– CVE-2026-13136 allows remote attackers to read or write arbitrary files and conduct denial-of-service attacks due to faulty authorization checks.
– CVE-2026-13135 lets remote attackers access internal services via improper restriction of communication channels.
– CVE-2025-15660 enables adjacent attackers to read or write arbitrary files and conduct DoS attacks due to a weak pseudo-random number generator.
– Over 2,100 internet-facing MailPlus Server deployments are exposed, primarily in Germany, Asia, and the US, with no mitigation available except upgrading to version 4.0.1-31663.

Synology has released a critical security patch for MailPlus Server, the software that enables private email hosting on Synology NAS devices. The update addresses three vulnerabilities that could allow attackers to compromise systems remotely.

The most severe flaw, CVE-2026-13136, stems from faulty authorization checks. This vulnerability could let remote attackers read or write arbitrary files and launch denial-of-service (DoS) attacks. A second issue, CVE-2026-13135, involves improper restriction of communication channels to intended endpoints, potentially allowing remote attackers to access internal services. The third, CVE-2025-15660, arises from the use of a cryptographically weak pseudo-random number generator, enabling adjacent attackers to read or write files and conduct DoS attacks.

Specific details about these vulnerabilities have not yet been publicly disclosed, a common practice to give users time to patch.

Users running MailPlus Server on NAS devices with DiskStation Manager (DSM) v7.3, 7.2.2, or 7.2.1 should upgrade immediately to version 4.0.1-31663. No workaround exists for these issues, making the patch essential.

Beyond tech enthusiasts who run their own mail servers, MailPlus Server is widely adopted by small-to-medium businesses that prefer self-hosted email for privacy, cost control, or regulatory compliance. According to Bitsight’s Groma Explorer scanning engine, over 2,100 internet-facing Synology MailPlus Server deployments are visible globally, with the highest concentrations in Germany, Asia (Korea, China, Taiwan), and the United States.


(Source: Help Net Security)
