Synology issues critical fix for MailPlus Server vulnerabilities
Zeljka Zorz, Editor-in-Chief, Help Net Security
June 26, 2026
Synology has fixed critical vulnerabilities in MailPlus Server, a software package used to run private email infrastructure on Synology NAS devices.
The security update fixes three flaws:
CVE-2026-13136, stemming from faulty authorization checks, may allow remote attackers to read or write arbitrary files and conduct denial-of-service (DoS) attacks
CVE-2026-13135, caused by improper restriction of communication channel to intended endpoints, may allow remote attackers to access internal services
CVE-2025-15660, arising from the use of a cryptographically weak pseudo-random number generator, may allow adjacent attackers to read or write arbitrary files and conduct DoS attacks.
Details about the vulnerabilities are still under wraps.
Users running MailPlus Server on NAS devices with DiskStation Manager v7.3, 7.2.2 or 7.2.1 are advised to upgrade to the recently released 4.0.1-31663 version of the software, as there is no available mitigation for the fixed issues.
Over 2,100 deployments exposed to the internet
Aside from technically inclined users who own a Synology NAS and want to run their own mail server, MailPlus Server is also used by small-to-medium businesses that want to self-host email on their on-premises hardware – either for privacy, cost control, or compliance reasons.
Bitsight’s Groma Explorer scanning engine “sees” 2,100+ internet-facing Synology MailPlus Server deployments, predominantly in Germany, Asia (Korea, China, Taiwan), and the US.