Dear VyOS Maintainers,
Problem
The installed zabbix agent 2 is 6.0.14, which is affected by an RCE via its S.M.A.R.T. plugin.
https://security-tracker.debian.org/tracker/CVE-2023-32728
Solution
Update the included zabbix agent 2 to a newer version (at least 6.0.24, which includes the fix, preferably the newest 6.0.x).
Workaround
Remove zabbix-agent until the issue has been fixed in upstream, or at least add a comment in the documentation that zabbix-agent is vulnerable and should not be used when lateral movement/privilege escalation from a zabbix admin to the firewall is a risk.
Best Regards