A PCI scan of a cPanel server reports that OpenSSH is vulnerable to CVE-2021-41617.
PCI scans look for vulnerabilities in the operating system and other installed software. Many of the reported vulnerabilities are false matches on systems that are up to date.
Report this as a false match to the PCI vendor. See the below article for more details on reporting false matches.
Neither of the sshd directives required to exploit this vulnerability (AuthorizedKeysCommand and AuthorizedPrincipalsCommand) is enabled by default in the versions of OpenSSH shipped with Red Hat Enterprise Linux 7 and 8.
Statement from Red Hat:
"Neither the AuthorizedKeysCommand directive nor AuthorizedPrincipalsCommand are enabled by default in the versions of OpenSSH as shipped with Red Hat Enterprise Linux 7 and 8."
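Before reporting the finding as a false match, it is worth confirming that the precondition Red Hat describes actually holds on the server. The script below is an added example written for this article; it is not cPanel's or Red Hat's code. It parses sshd_config-style text (the on-disk file, or the effective configuration that `sshd -T` prints in lowercase) and lists any AuthorizedKeysCommand or AuthorizedPrincipalsCommand directive that is set to something other than "none". The three sample configurations are constructed for the example; the paths and command values in them are placeholders.

```shell
#!/bin/sh
# Added example: does this sshd configuration enable either directive that
# CVE-2021-41617 depends on? If not, the PCI finding is a version-string
# match only and can be reported to the scan vendor as a false match.

# --- constructed sample inputs (not real server configs) -------------------
SAFE_CFG=$(mktemp)
cat > "$SAFE_CFG" <<'EOF'
# sshd_config excerpt: defaults left commented out, as shipped
Port 22
#AuthorizedKeysCommand none
#AuthorizedPrincipalsCommand none
PasswordAuthentication no
EOF

EFFECTIVE_CFG=$(mktemp)
cat > "$EFFECTIVE_CFG" <<'EOF'
# excerpt in the lowercase form that `sshd -T` prints
port 22
authorizedkeyscommand none
authorizedprincipalscommand none
EOF

EXPOSED_CFG=$(mktemp)
cat > "$EXPOSED_CFG" <<'EOF'
# sshd_config excerpt where an admin wired in a key-lookup helper (placeholder path)
Port 22
AuthorizedKeysCommand /usr/local/bin/fetch-keys %u
AuthorizedKeysCommandUser nobody
AuthorizedPrincipalsCommand none
EOF
trap 'rm -f "$SAFE_CFG" "$EFFECTIVE_CFG" "$EXPOSED_CFG"' EXIT

# Print each enabled directive line (keyword and value). Prints nothing when
# neither directive appears uncommented, or when both are explicitly "none".
# Commented lines are skipped; AuthorizedKeysCommandUser is a different
# keyword and is not matched because the keyword must be followed by whitespace.
enabled_directives() {
    grep -iE '^[[:space:]]*(AuthorizedKeysCommand|AuthorizedPrincipalsCommand)[[:space:]]' "$1" \
        | grep -ivE '[[:space:]]none[[:space:]]*$' || true
}

# Exit status 0: an exploitable code path is configured, so the finding is
# real for this host. Exit status 1: neither directive is enabled.
check_config() {
    found=$(enabled_directives "$1")
    if [ -n "$found" ]; then
        echo "CVE-2021-41617 prerequisite directives enabled in $1:"
        printf '%s\n' "$found" | sed 's/^/  /'
        return 0
    fi
    echo "Neither AuthorizedKeysCommand nor AuthorizedPrincipalsCommand is enabled in $1"
    return 1
}

for cfg in "$SAFE_CFG" "$EFFECTIVE_CFG" "$EXPOSED_CFG"; do
    check_config "$cfg" || :
done
```

On a live Red Hat-based cPanel host, run `check_config` against /etc/ssh/sshd_config, or feed it the output of `sshd -T` (run as root) so that Include files and Match blocks are already resolved. Pair that with the package changelog, `rpm -q --changelog openssh | grep CVE-2021-41617`, which shows whether the backported fix is present regardless of the version string the scanner matched on.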