
June 30, 2026

Critical MailPlus Server Flaws Expose Email Infrastructure


At a glance: Synology released patches for three vulnerabilities affecting MailPlus Server, a core component of many self-hosted email deployments. The most severe vulnerability allows unauthenticated remote attackers to read or write arbitrary files and conduct denial-of-service attacks, potentially exposing sensitive email data and disrupting business communications. Organizations using affected versions should apply the available updates as soon as possible.

Threat summary

On June 26, 2026, Synology released security updates for three vulnerabilities in Synology MailPlus Server, an on-premises email server application used by organizations that host their own email infrastructure on Synology hardware. Synology, a Taiwan-based company known for its DiskStation Network-Attached Storage (NAS) systems, provides MailPlus Server as part of its self-hosted productivity and communication suite. The application provides mailbox storage, message routing, transport rules, user authentication, webmail access, and related email services.

MailPlus Server integrates closely with Synology DiskStation Manager (DSM), the operating system used across Synology DiskStation and RackStation product lines. The application relies on DSM for storage management, security, networking, directory services, backup functions, and overall system administration.

The vulnerabilities affect supported MailPlus Server deployments running on DSM 7.3, 7.2.2, and 7.2.1.

  • CVE-2026-13136 allows unauthenticated, remote users to perform file operations and was rated with the maximum Common Vulnerability Scoring System (CVSS) score of 10. The vulnerability is exploitable whenever MailPlus Server is network-reachable, whether on a public interface or an internal segment, and allows an adversary to read or write arbitrary files. The impact includes unauthorized file access, file modification, and exposure of stored email data, creating a direct path to full compromise of the MailPlus Server environment. The attack complexity is low, no privileges are required, and no user interaction is required.
  • CVE-2025-15660 is caused by weak pseudo-random number generation. An adversary with adjacent network access can disrupt service availability. The CVSS score is 9.6. The impact includes denial-of-service conditions that could interrupt mail delivery and internal communication.
  • CVE-2026-13135 is caused by improper restriction of communication channels. An adversary with remote network access can access internal services. The CVSS score is 5.3. The impact includes unauthorized access to internal MailPlus components and exposure of internal service functionality, which enables lateral movement within the MailPlus environment.

Analysis

Because MailPlus Server sits at the center of an organization's email infrastructure, successful exploitation could expose sensitive email communications, disrupt email delivery, modify or delete data, and provide access to files or internal services that may assist further attacks against the affected environment.

On-premises email servers have a long history of being targeted through flaws in file-handling functions, internal service interfaces, and authentication mechanisms. The Synology MailPlus Server vulnerabilities continue this pattern by affecting file access controls, authentication mechanisms, and internal service communications. Successful exploitation could allow threat actors to access sensitive information, disrupt email services, and move laterally within affected environments.

Reduce exposure by upgrading MailPlus Server to version 4.0.1-31663 or 4.0.1-21663, depending on the installed DSM version, validating backup integrity, and ensuring MailPlus Server is not accessible from untrusted networks. Synology has stated that no mitigations or workarounds are available beyond upgrading affected MailPlus Server versions. Organizations running vulnerable releases therefore remain dependent on patching to eliminate exposure.
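To turn the version guidance above into a repeatable check across a fleet, the following added example (not Synology's code) parses Synology-style package versions such as 4.0.1-31663, tests whether a host's DSM release is in the affected scope, and reports whether the installed MailPlus build is at or above the fix build. The advisory does not state which of the two fixed builds maps to which DSM line, so the caller supplies the applicable one; that mapping is an assumption left to the operator.

```python
"""Triage helper for the MailPlus Server advisory (added example).

Values in AFFECTED_DSM and FIXED_MAILPLUS come from the advisory text.
Which fixed build applies to which DSM line is not stated on the page,
so assess() takes it as a parameter chosen by the operator.
"""
import re
from dataclasses import dataclass

AFFECTED_DSM = ("7.3", "7.2.2", "7.2.1")          # DSM lines named as affected
FIXED_MAILPLUS = ("4.0.1-31663", "4.0.1-21663")  # fixed MailPlus builds

# Synology package versions look like <major>.<minor>.<patch>-<build>.
_PKG_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_package_version(text):
    """'4.0.1-31663' -> (4, 0, 1, 31663); raises ValueError on other shapes."""
    match = _PKG_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised package version: {text!r}")
    return tuple(int(group) for group in match.groups())


def dsm_in_scope(dsm_version):
    """True when the DSM version starts with an affected line.

    Accepts strings such as '7.2.2-72806 Update 3' (constructed sample);
    only the dotted release prefix is compared, so '7.3.1' counts as '7.3'.
    """
    release = re.split(r"[-\s]", dsm_version.strip())[0].split(".")
    return any(release[:len(a.split("."))] == a.split(".") for a in AFFECTED_DSM)


@dataclass
class Verdict:
    in_scope: bool   # DSM release is one the advisory names as affected
    patched: bool    # installed MailPlus build >= the chosen fixed build


def assess(dsm_version, mailplus_version, fixed_version):
    """Compare the installed build against the fixed build for this DSM line.

    Tuple comparison orders (major, minor, patch, build) lexicographically, so a
    later release line is treated as patched and a lower build of the same
    release is not.
    """
    if fixed_version not in FIXED_MAILPLUS:
        raise ValueError("fixed_version must be one of the advisory's builds")
    installed = parse_package_version(mailplus_version)
    fixed = parse_package_version(fixed_version)
    return Verdict(in_scope=dsm_in_scope(dsm_version), patched=installed >= fixed)
```

A host is exposed when `in_scope` is true and `patched` is false; hosts outside the listed DSM lines still merit review, since the advisory only names supported deployments.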

Additional security measures include limiting external exposure, increasing logging and monitoring, reviewing abnormal file-access activity, and strengthening network segmentation and authentication controls around DSM and MailPlus components.
