[denysvitali]

My understanding is that we know somehow already what the exploit allows the attacker to do - we just can't reproduce it because we don't have their private key.

Technically, we can modify the backdoor and embed our own public key - but there is no way to probe a random server on the internet and check if it's vulnerable (from a scanner perspective).

In a certain way it's a good thing - only the creator of the backdoor can access your vulnerable system...

[tialaramex]

It's a NOBUS (Nobody But Us can use it) attack. The choice to use a private key means it's possible that even the person who submitted the tampered code doesn't have the private key, only some other entity controlling them does.