Code injection or backdoor: A new look at Ivanti’s CVE-2021-44529
ID: 0bbba5e5-150a-518a-875b-77c2db8f2ef1
STIX ID: report--0bbba5e5-150a-518a-875b-77c2db8f2ef1
Feed Name: GreyNoise Labs
This post examines a backdoor embedded in the now-defunct csrf-magic PHP library that implements remote code execution by concatenating and base64-decoding cookie values (CVE-2021-44529). The author deobfuscates the PHP payload, explains the trigger conditions (first cookie == 'ab' and at least four cookies, with the last three forming the base64 payload), and notes that Metasploit and GreyNoise signatures exist but that active exploitation appears limited, making this primarily a historical/forensic finding.
