TL;DR
Synology fixed three vulnerabilities in Synology MailPlus Server, the email package for its NAS devices. The most severe, CVE-2026-13136, carries the maximum CVSS score of 10.0. Admins should update now: 4.0.1-31663 or later on DSM 7.3, and 4.0.1-21663 or later on DSM 7.2.2 and 7.2.1.
Why It Matters
Synology MailPlus Server runs private email on Synology hardware, so a flaw in it exposes mailboxes and other services on the NAS. NAS devices are frequently reachable from the internet, or sit on a flat internal network, which puts this package within reach of many attackers. The advisory says the update fixes issues that let attackers “read or write arbitrary files and conduct denial-of-service attacks.” That mix threatens both data and uptime. Because no workaround exists, patching is the only real fix.
How the Attack Works
The three bugs come from separate weaknesses. CVE-2026-13136 (CVSS 10.0) lets remote attackers read or write arbitrary files and trigger denial of service. CVE-2025-15660 (CVSS 9.6) stems from a weak random number generator and is exploitable by attackers on an adjacent network, so anyone already on the same LAN or VLAN as the NAS is in scope. CVE-2026-13135 (CVSS 5.3) stems from improper restriction of a communication channel and exposes internal services. Synology has not yet published technical details, so the exact attack paths are unknown.
Affected Versions
The flaws affect Synology MailPlus Server on DSM 7.3, 7.2.2, and 7.2.1. Synology rates the advisory as Critical for all three branches.
Patch and Mitigation
Synology shipped a fixed release for each branch. On DSM 7.3, update to 4.0.1-31663 or later. On DSM 7.2.2 and 7.2.1, update to 4.0.1-21663 or later. Check the Synology security advisory for the exact build numbers. Because no workaround exists and the most severe bug carries a CVSS of 10.0, treat this as an emergency update for any server that faces the internet; for servers reachable only from the LAN, remember that CVE-2025-15660 targets adjacent-network attackers, so patch within your next maintenance window at the latest. No public proof-of-concept and no in-the-wild exploitation have been confirmed. The bugs were reported through Trend Micro’s Zero Day Initiative, which credited the researchers who found them. Coordinated disclosure gave Synology time to ship a fix before any attacks surfaced.
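To turn the version table above into something an admin can run across a fleet, here is an added POSIX shell check (example code, not Synology tooling and not from the advisory). It takes a DSM branch and an installed MailPlus Server version, compares them against the fixed builds listed above, and reports whether the install is still vulnerable. The names `fixed_version_for_dsm`, `version_ge` and `check_mailplus` are this example's own. When run on the NAS itself with no arguments, it assumes that `/etc.defaults/VERSION` carries a `productversion="7.x.y"` line and that `synopkg version MailPlus-Server` prints the installed package version; both are assumptions, labelled in the comments, and you can bypass them by passing the two values explicitly.

```shell
#!/bin/sh
# Added example: check whether an installed Synology MailPlus Server carries the
# fix for CVE-2026-13136 / CVE-2025-15660 / CVE-2026-13135.
# Usage: sh check_mailplus.sh <dsm-version> <mailplus-version>
#        sh check_mailplus.sh            (on the NAS: reads versions from the system)

# Fixed MailPlus Server version per DSM branch, as listed in the advisory.
fixed_version_for_dsm() {
    case "$1" in
        7.3|7.3.*)                    echo "4.0.1-31663" ;;
        7.2.2|7.2.2.*|7.2.1|7.2.1.*)  echo "4.0.1-21663" ;;
        *)                            return 1 ;;   # branch not covered by the advisory
    esac
}

# Return 0 if MailPlus version $1 is at least $2. Versions look like
# "4.0.1-31663": a dotted release followed by a build number; a version without
# a build number is treated as build 0. Only the numbers are compared, so
# "4.0.2-1" ranks above "4.0.1-31663".
version_ge() {
    a_rel=${1%%-*}; b_rel=${2%%-*}
    case "$1" in *-*) a_build=${1#*-} ;; *) a_build=0 ;; esac
    case "$2" in *-*) b_build=${2#*-} ;; *) b_build=0 ;; esac
    IFS=. read -r a1 a2 a3 rest <<EOF
$a_rel
EOF
    IFS=. read -r b1 b2 b3 rest <<EOF
$b_rel
EOF
    for pair in "${a1:-0} ${b1:-0}" "${a2:-0} ${b2:-0}" "${a3:-0} ${b3:-0}" "$a_build $b_build"; do
        set -- $pair
        [ "$1" -gt "$2" ] && return 0
        [ "$1" -lt "$2" ] && return 1
    done
    return 0
}

# Report status for one host. Exit 0 = fixed, 1 = vulnerable, 2 = unknown branch.
check_mailplus() {
    dsm=$1; installed=$2
    fixed=$(fixed_version_for_dsm "$dsm") || {
        echo "DSM $dsm: not covered by the advisory, check Synology's table manually"
        return 2
    }
    if version_ge "$installed" "$fixed"; then
        echo "MailPlus Server $installed on DSM $dsm: fixed (>= $fixed)"
        return 0
    fi
    echo "MailPlus Server $installed on DSM $dsm: VULNERABLE, update to $fixed or later"
    return 1
}

if [ "$#" -eq 2 ]; then
    check_mailplus "$1" "$2"
elif command -v synopkg >/dev/null 2>&1 && [ -r /etc.defaults/VERSION ]; then
    # Assumed (not verified here): productversion="7.x.y" in /etc.defaults/VERSION,
    # and `synopkg version MailPlus-Server` printing the installed package version.
    dsm=$(sed -n 's/^productversion="\(.*\)"/\1/p' /etc.defaults/VERSION)
    pkg=$(synopkg version MailPlus-Server)
    check_mailplus "$dsm" "$pkg"
fi
```

Run it once per NAS over SSH and collect the exit codes; anything returning 1 goes to the top of the patch queue, and anything returning 2 is a branch the advisory does not list, which deserves a manual look rather than a silent pass.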