by amboar 2700 days ago
The description looks bad on the surface, but as always reality is more nuanced. These issues are only problematic in specific circumstances, particularly, bare-metal cloud hosting where the BMC might be in a separate trust domain to the host and the user on the host is provided with root (or equivalent) privileges. If your threat model is "root on the host owns the platform" then the only problem is that the BMC is yet another spot to hide malware.

The concern is that existing BMC firmwares have been shown as unsafe for bare-metal cloud types of configurations by default, so organisations using platforms in this environment may be doing so with false confidence.

1 comment

FWIW, in my experience there's lots of middle ground between the host being completely untrusted and the user having root on both the host and the BMC. Anywhere from "we're letting random third party collaborators share our machines" to "it's only in-house users, but they may not properly secure their machines" is a use case where regular users even with root on the host would not have root on the BMC.