Synology issues critical fix for MailPlus Server vulnerabilities
Synology has fixed critical vulnerabilities in MailPlus Server, a software package used to run private email infrastructure on Synology NAS devices.
The security update fixes three flaws:
- CVE-2026-13136, stemming from faulty authorization checks, may allow remote attackers to read or write arbitrary files and conduct denial-of-service (DoS) attacks
- CVE-2026-13135, caused by improper restriction of communication channel to intended endpoints, may allow remote attackers to access internal services
- CVE-2025-15660, arising from the use of a cryptographically weak pseudo-random number generator, may allow adjacent attackers to read or write arbitrary files and conduct DoS attacks.
Details about the vulnerabilities are still under wraps.
Users running MailPlus Server on NAS devices with DiskStation Manager v7.3, 7.2.2 or 7.2.1 are advised to upgrade to the recently released 4.0.1-31663 version of the software, as there is no available mitigation for the fixed issues.
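A small version-triage helper, added here as an example and not part of the article or of Synology's tooling: it compares an installed MailPlus Server package version against the fixed 4.0.1-31663 build named above, parsing the "MAJOR.MINOR.PATCH-BUILD" format numerically rather than as a string (a plain string compare would rank "4.0.1-9999" above "4.0.1-31663"). The version strings are assumed to come from Package Center or an inventory export; the sample values below are constructed.

```python
# Added example (not from the article): decide whether a Synology NAS still
# needs the MailPlus Server update described in the advisory.
import re

FIXED_MAILPLUS_VERSION = "4.0.1-31663"            # fixed build named in the advisory
AFFECTED_DSM_LINES = ("7.3", "7.2.2", "7.2.1")    # DSM lines named in the advisory

# Synology package versions look like "4.0.1-31663": dotted release, dash, build number.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(version: str) -> tuple:
    """Turn '4.0.1-31663' into (4, 0, 1, 31663) so tuples compare numerically."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Synology package version: {version!r}")
    return tuple(int(part) for part in m.groups())


def is_patched(installed: str, fixed: str = FIXED_MAILPLUS_VERSION) -> bool:
    """True when the installed MailPlus Server build is at or above the fixed build."""
    return parse_version(installed) >= parse_version(fixed)


def dsm_line_affected(dsm_version: str) -> bool:
    """True when the DSM version (e.g. the constructed '7.2.2-72806') is one of the
    lines the advisory lists. Only the dotted release before the dash is compared,
    because the advisory names DSM lines, not specific builds."""
    base = dsm_version.strip().split("-", 1)[0]
    return base in AFFECTED_DSM_LINES


def needs_update(dsm_version: str, mailplus_version: str) -> bool:
    """The advisory offers no mitigation, so an affected DSM line running an older
    MailPlus Server than the fixed build needs the package update."""
    return dsm_line_affected(dsm_version) and not is_patched(mailplus_version)


if __name__ == "__main__":
    # Constructed inventory rows: (hostname, DSM version, MailPlus Server version).
    inventory = [
        ("nas-01", "7.2.2-72806", "4.0.0-31000"),
        ("nas-02", "7.3-81998", "4.0.1-31663"),
        ("nas-03", "7.1.1-42962", "4.0.0-31000"),
    ]
    for host, dsm, mailplus in inventory:
        print(host, "UPDATE REQUIRED" if needs_update(dsm, mailplus) else "ok")
```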
Over 2,100 deployments exposed to the internet
Aside from technically inclined users who own a Synology NAS and want to run their own mail server, MailPlus Server is also used by small-to-medium businesses that want to self-host email on their on-premises hardware – either for privacy, cost control, or compliance reasons.
Bitsight’s Groma Explorer scanning engine “sees” 2,100+ internet-facing Synology MailPlus Server deployments, predominantly in Germany, Asia (Korea, China, Taiwan), and the US.
source: HelpNetSecurity