Should I worry if 'pkexec' is in a cPanel user's /home/virtfs (CVE-2021-4034)?

The recent security bug CVE-2021-4034 in Linux involves /usr/bin/pkexec. Following media reports (zdnet, etc.) I changed its permission, but also found this file: /home/virtfs/foo/usr/bin/pkexec for cPanel user foo. I don't know why a user would have pkexec shadowed. Unfortunately we are running an outdated WHM/cPanel (with root) on outdated CentOS 6, until we can migrate the last sites off it.