- Incident report
- Resolution: Duplicate
- Major
- None
- 3.0.6, 3.2.2
- None
- Any
Zabbix server accepts the "command" request without any authentication attributes, so an attacker can use a known scriptid and hostid (simply dumped with tcpdump or such) to DoS remote hosts monitored by Zabbix server.
I think this is a security bug because, for example, queue.get accepts the sid parameter, though this is not subject to DoS attacks.
- duplicates
- ZBX-9425 global script permissions should be checked on server side
- Closed