ZPanel 2.0 and 2.5 beta 10 does not remove or protect installation scripts after they have been used, which allows remote attackers to reinstall the software and possibly cause a denial of service via a direct request to install.php.
https://exchange.xforce.ibmcloud.com/vulnerabilities/19711
http://secunia.com/advisories/14602