“Crucially, because the BMC has the ability to install the operating system, it can disrupt the process that boots the operating system – and fetch potentially malicious implant code, maybe even over the Internet.”
An Interesting Read “Making sense of the Supermicro motherboard attack” from Light Blue Touchpaper