
Synology MailPlus Server Vulnerabilities Allow Attackers to Trigger DoS Attacks

Synology has released a critical security advisory addressing multiple vulnerabilities in its MailPlus Server package that could allow attackers to execute denial-of-service (DoS) attacks, access internal services, and read or modify arbitrary files.

The vulnerabilities affect multiple versions of MailPlus Server running on DiskStation Manager (DSM), and users are strongly urged to update immediately, as patches are available but no alternative mitigation measures exist.

Synology MailPlus Server Vulnerabilities

The advisory highlights three vulnerabilities, including two critical flaws with severe security implications.

CVE-2026-13136 (CVSS 10.0): This critical vulnerability allows remote attackers to read or write arbitrary files and trigger DoS attacks.

It is associated with CWE-863 (Incorrect Authorization), indicating improper access control mechanisms. The flaw requires no authentication and can be exploited over the network, making it highly dangerous.

CVE-2025-15660 (CVSS 9.6): Discovered by Trend Micro’s Zero Day Initiative (ZDI-CAN-28554), this vulnerability enables adjacent attackers to perform similar actions, including file manipulation and service disruption.

It is linked to CWE-338 (Use of Cryptographically Weak PRNG), indicating weaknesses in the random number generator that could be exploited.

CVE-2026-13135 (CVSS 5.3): This moderate-severity issue allows remote attackers to access internal services due to improper restrictions on communication channels (CWE-923). While less severe, it could still be leveraged in a chain of attacks.

The critical vulnerabilities affect Synology MailPlus Server on DSM 7.3, 7.2.2, and 7.2.1. Users should upgrade to version 4.0.1-31663 or later for DSM 7.3, or version 4.0.1-21663 or later for DSM 7.2.2 and DSM 7.2.1, to mitigate the risk immediately.
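As an added example (not code from Synology or from the article), the following Python check decides whether an installed MailPlus Server build meets the fixed version for the DSM branch it runs on; the point it handles is that the fixed build number differs per DSM branch, so a plain version comparison without the DSM version would give the wrong answer. The DSM build strings and older package versions in the comments and tests are constructed values.

```python
import re

# Fixed MailPlus Server versions per DSM branch, as listed in the advisory summary above.
FIXED_VERSIONS = {
    "7.3": "4.0.1-31663",
    "7.2.2": "4.0.1-21663",
    "7.2.1": "4.0.1-21663",
}

# Synology package versions look like "4.0.1-31663": dotted release, dash, build number.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)-(\d+)$")


def parse_version(version):
    """Split '4.0.1-31663' into a comparable tuple ((4, 0, 1), 31663)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised package version: {version!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    return release, int(m.group(2))


def dsm_branch(dsm_version):
    """Map a DSM version string (e.g. constructed '7.2.2-72806') to the branch key
    used in FIXED_VERSIONS, or None if the advisory lists no fix for that branch."""
    base = dsm_version.strip().split("-")[0]
    for key in FIXED_VERSIONS:
        if base == key or base.startswith(key + "."):
            return key
    return None


def is_patched(dsm_version, mailplus_version):
    """True if the installed MailPlus Server is at or above the fixed version for
    this DSM branch. Raises for DSM branches the advisory does not cover, rather
    than guessing a fixed version the page never states."""
    branch = dsm_branch(dsm_version)
    if branch is None:
        raise ValueError(f"DSM {dsm_version!r} is not a branch covered by this advisory")
    return parse_version(mailplus_version) >= parse_version(FIXED_VERSIONS[branch])
```

Note that a DSM 7.3 system running 4.0.1-21663 is reported as unpatched even though that build is the fix for DSM 7.2.x; the branch lookup is what makes the check correct.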

The most severe flaw, CVE-2026-13136, carries a CVSS score of 10.0, indicating maximum impact across confidentiality, integrity, and availability.

Attackers could remotely exploit this vulnerability without user interaction, potentially leading to full system compromise, unauthorized file access or modification, and service outages through denial-of-service (DoS) attacks.

Given the lack of required privileges and low attack complexity, the vulnerability presents a significant risk to exposed systems.

Synology confirmed that no mitigation or workaround exists for these vulnerabilities. The only effective protection is to apply the security updates provided.

Organizations using MailPlus Server in production environments, particularly those exposed to the internet, face heightened risk if systems remain unpatched.

To reduce exposure and prevent exploitation, administrators should immediately upgrade to the patched MailPlus Server versions and restrict external access to MailPlus services where possible.

Monitor logs for unusual activity or unauthorized access attempts. Implement network segmentation to limit lateral movement.

The vulnerabilities were identified by security researchers, including Gcali working with Trend Micro’s Zero Day Initiative and ABBA Labs.

Synology released advisory Synology-SA-26:11 on June 26, 2026, confirming that all tracked vulnerabilities have been resolved in the latest updated versions.

With critical vulnerabilities actively impacting widely used mail server infrastructure, timely patching remains essential to maintaining system security and preventing potential exploitation.

The post Synology MailPlus Server Vulnerabilities Allow Attackers to Trigger DoS Attacks appeared first on Cyber Security News.

Source: cybersecuritynews.com
