The backdoor was discovered in VIA C3 Nehemiah processors from 2003, which are used in embedded systems and thin clients. The feature was intended for debugging purposes but was accidentally left on. Interestingly, the backdoor was discovered by analyzing patents:
Domas discovered the backdoor, which exists on VIA C3 Nehemiah chips made in 2003, by combing through filed patents. He found one — US8341419 — that mentioned jumping from ring 3 to ring 0 and protecting the machine from exploits of model-specific registers (MSRs), manufacturer-created commands that are often limited to certain chipsets. Full details at Tom's Hardware.
Domas followed the "trail of breadcrumbs," as he put it, from one patent to another and figured out that certain VIA chipsets were covered by the patents. Then he collected many old VIA C3 machines and spent weeks fuzzing code.