A recently discovered vulnerability in NTPd allows remote code execution.
VyOS currently uses 4.2.6 and therefore is vulnerable. We are working in updating the package. Until we resolve it, the best temporary solution is to block NTP traffic from untrusted hosts.