Synology released MailPlus Server 4.0.1-31663 to fix three critical vulnerabilities enabling arbitrary file read/write and internal service access. No alternative mitigations exist; technical details remain under wraps.

Synology released MailPlus Server 4.0.1-31663 on June 26, 2026, to address three critical vulnerabilities that expose thousands of self-hosted email servers to remote compromise. The update is the only defense available: the source explicitly states no alternative mitigations exist for the patched flaws, while technical details remain unpublished.

Key Takeaways
  • Three CVEs identified: CVE-2026-13136, CVE-2026-13135, and CVE-2025-15660, with impact ranging from arbitrary file read/write to internal service access and DoS.
  • The fix is MailPlus Server version 4.0.1-31663, published for DiskStation Manager v7.3, 7.2.2, and 7.2.1.
  • Bitsight detects over 2,100 internet-facing deployments, concentrated in Germany, South Korea, China, Taiwan, and the U.S.
  • Technical details of the vulnerabilities are still under wraps, per the source.

What the Update Fixes and Who Is at Risk

MailPlus Server 4.0.1-31663 closes three distinct vulnerability classes. CVE-2026-13136 stems from faulty authorization checks and allows remote arbitrary file read/write and denial of service. CVE-2026-13135 stems from improper restriction of a communication channel and permits remote access to internal services. CVE-2025-15660, the only one with a prior publication date, is rooted in a cryptographically weak pseudo-random number generator and enables arbitrary file read/write and DoS for an attacker on an adjacent network.

Affected OS versions are DSM v7.3, v7.2.2, and v7.2.1. The brief does not specify whether CVE-2025-15660 affects DSM releases beyond those listed. The absence of a direct Synology advisory makes it impossible to independently verify the full attack surface.
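Since the patch is the only defense the source allows, the practical check is whether each MailPlus Server install is at or above 4.0.1-31663. The following is an added example, not code from the article or from Synology: it parses Synology's "release-build" version strings and flags installs below the fix. The hostnames and the below-fix versions are constructed samples; how the installed version is collected (Package Center, a fleet inventory) is left to the reader.

```python
import re
from typing import List, Tuple

# Version that closes the three CVEs, per the article.
FIXED_MAILPLUS_VERSION = "4.0.1-31663"

# Assumption: a dotted numeric release, optionally followed by "-<build>".
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(\d+))?$")


def parse_synology_version(version: str) -> Tuple[Tuple[int, ...], int]:
    """Split 'major.minor.patch-build' into (release tuple, build number).

    A missing build number is treated as 0, which is the conservative
    choice: '4.0.1' alone is not proof that build 31663 is installed.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Synology version string: {version!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    build = int(m.group(2)) if m.group(2) else 0
    return release, build


def is_fixed(installed: str, fixed: str = FIXED_MAILPLUS_VERSION) -> bool:
    """True when the installed package is at or above the fixed release.

    Comparing numeric tuples avoids the string-compare trap ('4.0.10' sorts
    before '4.0.9' lexically) and uses the build number only as a tiebreak
    within the same dotted release.
    """
    return parse_synology_version(installed) >= parse_synology_version(fixed)


def triage(hosts: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (host, version) pairs still running a vulnerable build."""
    return [(h, v) for h, v in hosts if not is_fixed(v)]


# Constructed sample inventory; hostnames and the older versions are
# illustrative only and not taken from any real deployment.
SAMPLE_INVENTORY = [
    ("nas-01.example.internal", "4.0.1-31663"),  # at the fixed version
    ("nas-02.example.internal", "4.0.0-31500"),  # older release (constructed)
    ("nas-03.example.internal", "4.0.1-31600"),  # same release, older build (constructed)
    ("nas-04.example.internal", "4.1.0-32000"),  # newer release (constructed)
]

if __name__ == "__main__":
    for host, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: MailPlus Server {version} is below {FIXED_MAILPLUS_VERSION}")
```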

Internet-Facing Exposure: A Figure to Verify

"Details about the vulnerabilities are still under wraps." — Help Net Security

According to the source, Bitsight, via its Groma Explorer engine, detects over 2,100 MailPlus Server deployments directly exposed to the internet. Geographic distribution shows concentrations in Germany, Asia (South Korea, mainland China, Taiwan), and the United States. The brief does not allow independent verification of this figure: no link to a consultable Bitsight report is provided, and none of the other eight sources in the dossier corroborate it.

The number, however, supports a precise operational reading: email servers on consumer and entry-level enterprise NAS, often managed by small businesses or IT departments without dedicated security teams, represent a high-attack-surface target. The combination of internet-facing exposure and no alternative mitigations turns theoretical risk into immediate risk.

Synology's Silence: A Non-Standard Practice

The most significant angle in the dossier is procedural, not technical. Synology, a NAS vendor with a global install base spanning decades, has not published a structured advisory with CVSS scores, a discovery timeline, researcher identities, and details of the attack conditions. The news circulates exclusively through third-party editorial sources, with technical information deliberately fragmented.

This disclosure mode diverges from enterprise vendors like Cisco or Fortinet, which publish advisories with explicit CVSS, ATT&CK matrices, indicators of compromise, and, when relevant, confirmation or denial of in-the-wild exploitation. The brief contains no evidence Synology adopted a comparable framework for this release. The consequence for users is a verifiable trust deficit: without a primary vendor advisory, urgency assessment for patching remains mediated by third-party interpretations.

The brief does not specify whether public proof-of-concept exploits exist or if the vulnerabilities have been exploited in real attacks. Caution is warranted here: absence of confirmation does not equal absence of exploitation, but it does not justify undocumented claims either.

Why This Matters

The dossier documents no corrective measures beyond updating to version 4.0.1-31663. The source explicitly states "there is no available mitigation for the fixed issues," ruling out workarounds, alternative configurations, or firewall rules as substitutes for the patch.

The brief does not specify the nature of data potentially exposed via arbitrary file read/write: it does not indicate whether email mailbox contents, user credentials, system configurations, or other information classes are involved. Similarly, the dossier does not detail which internal services are reachable via CVE-2026-13135 nor the network topology that would make CVE-2025-15660's adjacent attack feasible.

The source does not identify the researchers who discovered the vulnerabilities, does not provide a responsible disclosure timeline, and does not report CVSS scores for any of the three CVEs. These limits, combined with the absence of a direct vendor advisory, reduce users' ability to prioritize this update against other maintenance tasks.

Questions and Answers

Why is no CVSS score available?

The brief reports no CVSS scores for any of the three CVEs. The CVE identifiers are assigned, but numerical severity has not been published by the consulted source. It cannot be determined whether Synology communicated this data internally to select entities.

Can I delay the update if the server is not internet-exposed?

The brief does not distinguish between internet-facing and internal-only deployments in its risk assessment. The remote attack condition for CVE-2026-13136 and CVE-2026-13135 suggests internet exposure amplifies danger, but the source does not rule out internal network attack scenarios or compromise via other assets.

What happens if technical details become public?

The source notes details are "still under wraps." Their future publication could lower the barrier to automated exploitation, especially for servers that do not receive timely patches. The brief provides no indication of the likelihood or timing of such disclosure.

Information is based on the cited source and current as of publication.

Sources and references
  1. helpnetsecurity.com
  2. unit42.paloaltonetworks.com
  3. cyberscoop.com
  4. cisa.gov
  5. cert.ssi.gouv.fr
  6. hkcert.org