Especially in a large company, it's not that hard for a determined attacker to get something plugged into a network jack. If the management network goes to employee desks, then you can plug whatever you want into it.

Unless vPro is authenticating with 802.11x and you're actually using different passwords for every management interface, a professional cold probably find his way onto that subnet.

From what I've seen, most of the newer ipmi gear including the dedicated port ones include a standardized i2c interface between the platform controller/ec side (the main server) and the BMC - while it has in most cases similar authentication requirements as the typical ipmi over lan, once you've gotten past that you pretty much can run any ipmi commands, including getting raw access to its private i2c bus which I would assume attaches to its bootstrap flash. Once you're that far in bridging between the two nets would just entail writing some (non trivial) software.

It's sound common sense to keep this stuff from the Internet but looking through the Internet census I found hundreds of thousands of candidate matches for SuperMicro BMC instances. It seems to be popular in hosting circles, which might explain why it shows up so much.

If you don't connect it, they tend to default to sharing an interface with your primary LAN connection. They also default to DHCP, so if you're unaware of the need to use/secure it they will be exposed to the internet.