Since cPanel runs on non-privileged ports, in theory it should be possible for a rogue application to bind to the ports that cPanel runs on. I know other applications exist on ports in the non-privileged range, however I'm particularly concerned about cPanel due to the nature of the credentials exchanged; for example, how many people use /whm and root straight into their WHM instances?
cPanel is one of the last services to start up on a standard setup. During the time that cPanel fires up (after Apache, SSH etc.) it should be possible to start an application in user space that binds to the said ports via SSH or a Perl script etc. A rogue implementation could simply prompt for a password, record/email it and then terminate itself; most people would then put it down to a random blip and restart cPanel, problem solved, except the password has been compromised.
Timing is important; however, on systems that, for example, have SIM or other resource monitoring, it should be possible to push a system to the load threshold for rebooting, and therein lies an opportunity.
I know there are steps to avoid this, changing the privileged port range etc., using a VPN for WHM, but general setups I would say are vulnerable. At the very least this could be an easy denial of service: force the server to reboot and start a rogue app on the cPanel ports etc.
Since cpsrvd runs as root, why not use a port in the range of 100-1000 by default?
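The scenario above (an unprivileged process holding a cPanel port before cpsrvd gets to it) is straightforward to check for from the defender's side: list the listening sockets and confirm that each cPanel/WHM port is held by cpsrvd running as root. The script below is an added example, not code from the poster or from cPanel. It assumes the stock ports 2082/2083 (cPanel) and 2086/2087 (WHM), that cpsrvd itself owns the sockets, and that `ss -H -ltnpe` prints `uid:N` only for sockets not owned by root (iproute2 behaviour; verify on your version). The sample `ss` lines are constructed, not captured from a real host.

```python
"""Audit the cPanel/WHM listening ports: is each one held by cpsrvd running as root?"""
import re
import subprocess
import sys

# Default cPanel (2082/2083) and WHM (2086/2087) ports and the daemon expected on them.
# Assumption: a stock install where cpsrvd itself holds the sockets.
EXPECTED = {2082: "cpsrvd", 2083: "cpsrvd", 2086: "cpsrvd", 2087: "cpsrvd"}

# One line of `ss -H -ltnpe`: state, queues, local addr:port, peer, then process/extended info.
LINE_RE = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+"
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)[^)]*\))?'
    r"(?P<rest>.*)$"
)
UID_RE = re.compile(r"\buid:(\d+)")


def parse_listener(line):
    """Return {port, proc, pid, uid} for a LISTEN line, or None for anything else (e.g. a header)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    uid_m = UID_RE.search(m.group("rest"))
    # Assumption about ss's output: "uid:N" is printed only for non-root sockets, so absence means uid 0.
    uid = int(uid_m.group(1)) if uid_m else 0
    return {
        "port": int(m.group("port")),
        "proc": m.group("proc"),  # None when ss could not see the owning process (run as root)
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "uid": uid,
    }


def audit(ss_lines):
    """Compare listeners on the cPanel/WHM ports against EXPECTED; return findings sorted by port."""
    findings = []
    seen = set()
    for line in ss_lines:
        sock = parse_listener(line)
        if sock is None or sock["port"] not in EXPECTED:
            continue
        seen.add(sock["port"])
        reasons = []
        if sock["proc"] != EXPECTED[sock["port"]]:
            reasons.append("process %r is not %s" % (sock["proc"], EXPECTED[sock["port"]]))
        if sock["uid"] != 0:
            reasons.append("socket owned by uid %d, not root" % sock["uid"])
        if reasons:
            findings.append({"port": sock["port"], "pid": sock["pid"], "reason": "; ".join(reasons)})
    for port in EXPECTED:
        if port not in seen:
            findings.append({"port": port, "pid": None,
                             "reason": "no listener (service down or not yet started)"})
    return sorted(findings, key=lambda f: f["port"])


# Constructed sample output (not captured from a real host): 2082/2086 look healthy, 2083 is
# held by an unprivileged perl process, and 2087 has no listener at all.
SAMPLE_SS_OUTPUT = [
    'LISTEN 0 128 0.0.0.0:2082 0.0.0.0:* users:(("cpsrvd",pid=1234,fd=5)) ino:20001 sk:1 <->',
    'LISTEN 0 128 0.0.0.0:2083 0.0.0.0:* users:(("perl",pid=4321,fd=3)) uid:1001 ino:20002 sk:2 <->',
    'LISTEN 0 128 0.0.0.0:2086 0.0.0.0:* users:(("cpsrvd",pid=1234,fd=6)) ino:20003 sk:3 <->',
    'LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3)) ino:19563 sk:4 <->',
]


def audit_live():
    """Run ss on this host (run as root so process names of other users' sockets are visible)."""
    out = subprocess.run(["ss", "-H", "-ltnpe"], capture_output=True, text=True, check=True).stdout
    return audit(out.splitlines())


if __name__ == "__main__":
    live = len(sys.argv) > 1 and sys.argv[1] == "--live"
    results = audit_live() if live else audit(SAMPLE_SS_OUTPUT)
    for f in results:
        print("port %d pid %s: %s" % (f["port"], f["pid"], f["reason"]))
    sys.exit(1 if results else 0)
```

Run it with `--live` from cron or a monitoring hook shortly after boot, which is exactly the window the post describes: a non-zero exit means either a port is held by something other than root's cpsrvd or the service has not come up, and both deserve a look before anyone types a root password into the login page.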