Its still in investigative stages. I personally wouldnt touch vhcs. If you are a datacenter/server reseller you can get directadmin for around 14 dollars per box. Very nice panel, secure, and reliable.
The hacker left a message saying "vhcs exploit by blah blah.." they even gave a url to the exploit although i seem to have lost it now. To this day it remains unpatched.
Did you happen to install an older copy of VHCS? Maybe from a tarball you had laying around?
There was a security issue in VHCS that permitted priviliege escallation, it was (almost) patched but not quite, then patched again, there is a bit of confusion as people who thought they were patched indeed were not.
There was a similar link on the VHCS site itself, but I can't seem to find anything but the first patch.. unless its since been corrected , edited and consolidated into one post. Probably not the best thing they could have done as someone revisiting it would have no idea there was a second patch.
If you're sure you had the latest and greatest installed, then indeed it is another issue and should be reported asap to the developers.
I'm 99.9% sure you had an un-patched, or partial patched copy as all issues surrounding it (according to Secunia) have been resolved , or marked as patched by the authors.