Remote Management SYstem
'Creanova said NordVPN knew the remote management system was installed and that NordVPN failed to lock it down. NordVPN claimed it had no idea this God-mode-level access was present in the box'
I know exactly how this probably happened, been there before. Someone from NordVPN wanted access to the box to debug or install something and used TeamViewer / VNC / whatever. Then they finished and didn't remove it. 'NordVPN' knew, but only that one guy knew - and he forgot. And nobody else at NordVPN had any idea. So you've got an old version of [remote access program] sitting there and someone compromised it - for instance, remember that big rash of TeamViewer hacks about two years ago?