// 5 ZERO-DAY · 4 CVE · 6 EXPLOIT IN THE LAST 24H
ZDI-26-423 discloses a pre-authentication vulnerability in the MailPlus Redis component of the Synology DiskStation DS925+. Reversible password encryption enables unauthenticated, network-adjacent attackers to achieve remote code execution as root. Synology has released a fix, though the roughly 7-month disclosure window raises questions about exposure management.

On July 15, 2026, Trend Micro published advisory ZDI-26-423 detailing a pre-authentication vulnerability in the MailPlus Redis component of the Synology DiskStation DS925+. The flaw allows unauthenticated, network-adjacent attackers to execute arbitrary code with root privileges by exploiting weak credential storage encryption. The vendor has issued a corrective update, but the approximately 7-month and 11-day gap between reporting and disclosure leaves room to assess exposure-window management.

Key Takeaways
  • Vulnerability ZDI-26-423 specifically affects the Synology DiskStation DS925+ in the MailPlus Redis component
  • Passwords are encrypted in a recoverable format rather than protected with robust one-way hashing, enabling credential recovery
  • Code execution occurs in the root context without requiring authentication, with a network-adjacent position requirement
  • Synology has patched the flaw; the associated CVE-2025-15660 is in reserved status with no additional details

The Mechanism: Why a Weak Password Becomes RCE

The core of the flaw is not a vulnerability in Redis code itself, but in the specific configuration of the MailPlus Redis instance on the DS925+. According to the ZDI advisory, the password storage process uses reversible encryption rather than a hashing algorithm designed to resist decryption. This architectural choice turns credentials from a barrier into a bridge for the attacker.

An actor in a network-adjacent position — typically on the same local network or in segments with direct access to the device — can extract the passwords and reuse them to achieve code execution in the root context. Network-adjacent positioning differs from WAN exposure: it does not necessarily imply Internet accessibility, but requires network proximity that in complex enterprise or home environments can be obtained through lateral movement techniques.

Root privilege means every operation after initial access runs with maximum rights on the NAS operating system. The device loses all capacity for resource isolation or control: filesystems, network configurations, auxiliary services, and user data are all accessible without further escalation.

The Timeline: From Reporting to Disclosure

The vulnerability was reported to Synology on December 4, 2025. Coordinated publication occurred on July 15, 2026, an interval of approximately 7 months and 11 days. This window reflects standard coordinated disclosure practices, but raises questions about patch management in a perimeter storage device that often serves as a critical backup repository.

The ZDI advisory does not specify the discovering researcher or provide details on affected firmware versions. The associated CVE-2025-15660 is in reserved status at MITRE and offers no verifiable information beyond the primary advisory. The absence of a CVSS score and vector in the ZDI advisory prevents standard numerical severity classification, though the combination of RCE, root privileges, and no authentication places the flaw in the critical tier for any qualitative assessment.

Why the NAS Is an Atypical but High-Value Target

NAS devices like the DS925+ occupy an ambiguous position in the security perimeter: they are not traditional servers with dedicated admin teams, yet they are not user endpoints with a reduced attack surface. They often host full backups, document archives, and, in the case of MailPlus, corporate email systems. Root compromise of a NAS equates to total exfiltration or destruction of both primary and backup data in a single operation.

The Redis component, while auxiliary to core storage functions, becomes the entry vector here. This pattern repeats concerningly across the enterprise edge device landscape: integrated third-party components with superficial cryptographic configurations turn secondary features into primary risk factors. The implicit trust administrators place in "closed" devices managed via web interface clashes with the reality of complex software stacks where every layer adds attack surface.

"This vulnerability allows network-adjacent users to execute arbitrary code on affected installations of Synology DiskStation DS925+ devices. Authentication is not required to exploit this vulnerability."

What We Know and What Is Missing

The ZDI advisory precisely documents the technical mechanism, attack requirements, and the existence of a patch, but leaves significant areas in shadow. The source does not specify affected firmware versions, making it impossible to identify vulnerable devices by build rather than by model. No data emerges on in-the-wild exploits or active attack campaigns, but this absence of evidence does not equal evidence of absence.

The patch URL indicated in the advisory points to the ZDI document itself, not to a specific Synology download page. The dossier does not document update instructions, post-patch verification procedures, or indicators of compromise. The researcher's identity is not mentioned, nor are details provided on the discovery context or circumstances leading to the report.

Why This Matters

Vulnerability ZDI-26-423 exemplifies a systemic pattern: enterprise edge device security depends on the cryptographic quality of components that end users do not select, do not configure, and often do not know exist. When an internal Redis instance handles passwords in a recoverable format, the problem is not merely technical but architectural — a design choice that sacrifices compromise resistance for presumed operational needs.

The DS925+ is positioned as a professional and semi-enterprise device. Its pre-authentication root compromise risks not only the data it contains, but the integrity of the network infrastructure to which it connects. In environments where the NAS serves as a backup server for endpoints and cloud services, lateral movement from this device can propagate access exponentially.

The source does not specify whether other Synology models share the same MailPlus Redis configuration, nor whether the fix applied for the DS925+ has been extended to related products. This information remains to be verified with the vendor. The dossier also does not document whether the patch introduces breaking changes or migration requirements for users with custom MailPlus configurations.

The absence of a CVSS score and vector in the primary advisory prevents immediate comparison with other vulnerabilities from the same period, but does not diminish the intrinsic criticality of the RCE-root-pre-auth combination. For administrators, the relevant metric is exploitability in relation to target value — and on this plane, the backup NAS represents a particularly unfavorable risk/damage ratio.

Sources

Information is based on the cited source and current as of publication.

Sources


Sources and references
  1. zerodayinitiative.com
  2. cve.org
  3. trendmicro.com